Heard of Cochin Port? You should.
An alleged attack from Chinese state-sponsored hackers (although they point to Pakistan origins) left the Indian port infrastructure vulnerable. But it was not the port itself that was the target, said U.S. firm Recorded Future, which supposedly uncovered the attack. Instead, it was India’s electrical grid.
Questions began swirling around tech circles whether the recent Mumbai blackouts showed the hackers’ success. And because these attacks started right about the time China and India had fistfights over the Himalayas, many observers concluded that these types of attacks will be the new norm.
Cochin, also called Kochi, is a major port city next to the busy Laccadive Sea. As an essential berthing point for the spice trade route, it changed hands between the Portuguese, Dutch, and the British when they were seafaring colonists.
Today, it is the topmost emerging future megacity in India, according to JLL, and is the financial, commercial, and industrial heart of Kerala.
So, cyber espionage shouldn’t be a big surprise. After all, part of the Indian Navy is housed there, and nearby is the Cochin Shipyard building India’s new aircraft carriers.
Yet, Cochin Port was caught unawares. Recorded Future, the privately-held U.S. cybersecurity company that reported the attack, described an all-out hack that looked to penetrate the electricity grid. It was carried out by a group called RedEcho, which has links with the Chinese government. A Bloomberg report noted that the Cochin attack was part of a broader offensive that targeted two maritime ports and 10 entities “under India’s power grid.”
Indian federal authorities downplayed the attack, saying they instead found a cache of trojan horses and foreign data (which itself is troubling). China vehemently denied the accusation, but Recorded Future is still recording “handshakes” between the Chinese hackers and the port infrastructure. And there is fear that the malware could be sleepers, waiting to be activated.
While the mudslinging and blame games continue, the underlying worry is that utility infrastructure is rapidly becoming a target as it becomes more digitalized.
The tactic is ancient, even though the methods may be modern. Military strategists have long understood the advantage of crippling critical infrastructure. The Cochin Port attack may be severe, but it looks more like hackers were probing weaknesses.
What is particularly worrying is not that such an attack occurred but rather how far the hackers got in disrupting infrastructure and hacking into the electrical grid. And Cochin Port is not alone in this. Read the Forrester blog on the attack on the U.S. water facility.
Part of the problem is that we remain so focused on IT that we seem to forget operational technology (OT) security is equally important. And as we embrace smart city concepts, we are only creating more problems if we do not tackle the OT side of the cybersecurity equation.
“Critical infrastructure owners and operators have to recognize that as they continue to connect and converge traditional IT networks with their operational technology environments, they’re also increasing the attack surface and threat vectors available to any attacker seeking to disrupt their operations,” explains Richard Addiscott, senior director analyst at Gartner.
Lives at stake
The main difference between IT and OT attacks is the victims. While most IT attacks result in reputational and financial loss, OT attacks can cause inconvenience, nationwide panic, and even death.
To combat this, utility companies need to answer some hard questions. “This means taking a focused approach in ensuring their security hygiene is up to scratch, and if needs be, getting back to basics to prioritize security practices,” says Addiscott.
“Core practices include, but aren’t limited to: asset discovery and management, strong network security and segmentation, malware protection, and maintaining strict access control policies, especially with third parties such as original equipment manufacturers responsible for the maintenance of their critical infrastructure assets,” he adds.
Michael Gazeley, managing director and co-founder of Hong Kong-headquartered Network Box, goes further. He believes “it makes absolutely no sense that any critical infrastructure or indeed any organization’s infrastructure, should be accessible from the public internet in the first place.”
He explained that companies need to firewall off all access from anywhere except specific locations and specific devices using a highly secure VPN.
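As an added example of the allowlist-only model he describes (not Network Box’s or Gazeley’s own configuration), here is an nftables ruleset for a gateway sitting in front of an OT segment; every interface name, address and port in it is an assumed placeholder:

```nft
#!/usr/sbin/nft -f
# Added example, not from the article or any vendor: default-deny gateway
# between the public internet, a WireGuard VPN and an OT segment.
# Assumed placeholders: WAN on "wan0", OT segment 10.20.0.0/24 on "ot0",
# WireGuard on "wg0" listening on udp/51820.

flush ruleset

define WAN_IF     = "wan0"
define OT_IF      = "ot0"
define VPN_IF     = "wg0"
# "Specific locations": public addresses of two control rooms (placeholders).
define SITE_PEERS = { 203.0.113.10, 198.51.100.25 }
# "Specific devices": VPN-internal addresses of approved workstations (placeholders).
define ENG_HOSTS  = { 10.99.0.11, 10.99.0.12 }
# The only PLCs those workstations may talk to, and only on Modbus/TCP.
define PLCS       = { 10.20.0.50, 10.20.0.51 }

table inet otgw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # The only thing the public internet can reach is the VPN endpoint,
        # and only from the two control-room addresses.
        iif $WAN_IF ip saddr $SITE_PEERS udp dport 51820 accept
        # Management of the gateway itself is possible only over the tunnel.
        iif $VPN_IF ip saddr $ENG_HOSTS tcp dport 22 accept
        counter log prefix "otgw-input-drop " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # OT devices never initiate connections towards the internet or the VPN;
        # log it, because an attempt is a detection signal worth investigating.
        iif $OT_IF counter log prefix "otgw-ot-egress " drop
        # Approved workstations, via the tunnel, to named PLCs on Modbus/TCP only.
        iif $VPN_IF oif $OT_IF ip saddr $ENG_HOSTS ip daddr $PLCS tcp dport 502 accept
        counter log prefix "otgw-fwd-drop " drop
    }
}
```

Everything not explicitly listed is dropped and logged, so a new device or site has to be added to the ruleset deliberately rather than simply appearing on the network.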
Part of the blame for such OT attacks lies with cybersecurity vendors themselves. We all have heard about SolarWinds, but we also saw ATM malware and compiler attacks.
Some of these security threats may even be made at the request of countries. “There is also a large number of cyber-security vendors, who have been found to include backdoors and known vulnerabilities in their products and services, again, and again, and again. It is not hard to believe this is at the behest of the governments of their originating countries,” says Gazeley, who claims his company never includes backdoors.
“There’s not even a need for ‘hacking,’ if the victim’s firewalls come ‘pre-hacked,’” he adds.
There are also worms and malware created as digital nuclear weapons becoming threats, like the dreaded Stuxnet, which was designed to target Iran’s uranium enrichment program.
Focusing on CPS
The calls for a more holistic approach to IT and OT security are getting louder.
“Security leaders in critical infrastructure environments need to start thinking beyond traditional IT-centric security concerns; and start to factor in previously unconsidered threats like tampering, jamming, spoofing or unauthorized access in the physical plane as just some examples when developing risk management strategies for critical infrastructure environments,” Addiscott explains.
Gartner calls it Cyber-Physical Security (CPS), defining it “as systems that are engineered to orchestrate sensing, computation, control, networking, and analytics to interact with the physical world (including humans).”
To make CPS work, chief digital officers, DevOps team leaders, and chief data officers need to take ownership of security; it is no longer a “CISO matter.” If they fail, then they will lose over USD 50 billion by 2023, says Katell Thielemann, research vice president at Gartner. This amount does not even take into consideration the human toll.
The problem is that many companies are still unaware of CPS in their environments, “either due to legacy systems connected to enterprise networks by teams outside of IT or because of new business-driven automation and modernization efforts,” said a Gartner press release.
“A focus on ORM — or operational resilience management — beyond information-centric cybersecurity is sorely needed,” advises Thielemann.
The controls — endpoint protection, network security, identity, and access management — are still the same. “However, the ways these controls are applied in an operational technology environment will be different to the way they may be executed in a traditional or corporate IT environment,” adds Thielemann.
As companies rethink ORM and CPS, the threat to critical infrastructure continues.
The latest victim is the European Banking Authority, which is no stranger to cyber-attacks. A Washington Post article reported that access to personal data held on its Microsoft email server may have been compromised. Other banks, power companies, and an ice-cream company are among the 60,000 identified victims of the Microsoft email server attack.
Guess which country is blamed for backing the hackers responsible for it?
Winston Thomas is the editor-in-chief of CDOTrends and HR&DigitalTrends. He is always curious about all things digital, including new digital business models, the widening impact of AI/ML, unproven singularity theories, proven data science success stories, lurking cybersecurity dangers, and reimagining the digital experience. You can reach him at [email protected].
Image credit: iStockphoto/vicnt