University of Queensland cybersecurity expert, Professor Ryan Ko, discusses some of the security issues unique to critical industries
In May of this year, the United States’ Colonial Pipeline, a conduit that carries gasoline and jet fuel along 8,850 km of pipeline serving states between New York and Texas, suffered a ransomware attack that resulted in its operations being suspended for several days.
The sudden halt in fuel supply caused upheaval around local flights, shortages at fuel stations, panic buying, and a spike in prices.
In early June, Reuters reported that Colonial Pipeline CEO Joseph Blount revealed the hack was facilitated via the exposure of a single password.
The news has shone a fresh spotlight on the ramifications of neglecting to implement a robust security strategy around industrial control systems, and on the necessity of modern cybersecurity practices for critical infrastructure.
It’s a topic of particular importance to University of Queensland Professor Ryan Ko, Chair and Director of UQ Cyber Security, a centre of cybersecurity knowledge that brings together work on policy, technology, criminology and cryptography.
In the lead-up to his appearance at CISO Critical Infrastructure Online ANZ in July, Ko discussed some important lessons from the US pipeline attack and its broader implications for cybersecurity within critical industry.
Opportunism and Cost
“The criminals that attacked the Colonial Pipeline probably went for the sector which was least prepared,” he says. “They were opportunistic. They view their conduct as a business. They even released press releases saying they just do this for the money and are not political.
“So, they knew the sector they were targeting. They probably had done some homework to suss out the security of the systems.”
This simple financial motivation and opportunism has the potential to cause chaos across an entire industry once the first victim falls, Ko says, as operational conventions are typically the same across all organizations in a given sector.
“What we see commonly happening is, once one organization within a single sector is affected, it is likely that the attack will then start to propagate one by one to other organizations within the same sector,” he says. “For example, hospitals or utilities or energy providers.
“Because all these different organizations in the same sector are configured roughly the same way, the attacking model can be replicated easily and scaled.”
Ko says the cost of downtime in critical industries, be it financial, social or political, is another key factor to take into account when considering the movements of cybercriminals.
“Cybercriminals have an ability to extort money in a way that has never occurred before,” he says. “By using cryptographic locking mechanisms on systems, criminals are banking on the fact that organizations want to get back up to speed or business continuity as soon as possible.”
“Some will succumb to that kind of demand and pay the ransom. For this reason, the hackers wouldn’t lock up a small organization. They purposely go for such critical infrastructure.”
While it’s concerning to hear about organizations giving in to the demands of ransomware, Ko is optimistic about the increasing capability of authorities to respond.
“We recently saw news about how the FBI was tracking those responsible for the Colonial Pipeline hack,” he says. “The FBI was able to track the cryptocurrency payments and then start to zone in on where and whom the payments were going to. So the criminals kind of freaked out and took a bit of a step back.
“The learning from there is that if we are able to come up with a response that is on par with the attack or the ransomware impact, criminals may see this as something that’s too hard for them to do.”
Simple Steps to Better Security
The sophistication of cybercrime has increased, and new methods of attack are constantly emerging. However, Ko says critical industries can make things considerably harder for bad actors by protecting themselves with readily available tools and processes.
“Hackers might be using login credentials that have been exposed by previous data breaches,” Ko says. “They will use login and password combinations from a previous breach and enumerate through them, testing their luck. As long as there’s one password combination that works, they can get into the organization.
“So, we need to make sure that, even though there might be breaches or leakages of all these passwords and logins out there, organizations improve their authentication and access control.
“They should seriously consider implementing two-factor authentication, for example, and do regular backups. That’s basic cyber hygiene that most organizations should do.”
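The credential-stuffing pattern Ko describes (breached username/password pairs tried one by one until a reused password works) leaves a recognisable trace in authentication logs: one source address failing against many different accounts in a short span, with an occasional success. The following detection logic is an added example and is not code from the article or from UQ Cyber Security; the log line format, the thresholds and the log lines themselves are constructed assumptions, and accounts that the flagged source logged into successfully are reported so they can be given a forced password reset and a two-factor challenge.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not code from the article or from UQ Cyber Security. The log
line format, the thresholds and the sample log lines are assumptions
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> auth <ok|fail> user=<name> src=<ip>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source tries many accounts from a breach list and
# lands one (dave); one legitimate user mistypes a password twice; one normal
# login. Addresses are from documentation ranges.
SAMPLE_LOG = """\
2021-06-01T09:00:01 auth fail user=alice src=203.0.113.7
2021-06-01T09:00:02 auth fail user=bob src=203.0.113.7
2021-06-01T09:00:02 auth fail user=carol src=203.0.113.7
2021-06-01T09:00:03 auth ok user=dave src=203.0.113.7
2021-06-01T09:00:04 auth fail user=erin src=203.0.113.7
2021-06-01T09:00:04 auth fail user=frank src=203.0.113.7
2021-06-01T09:00:05 auth fail user=grace src=203.0.113.7
2021-06-01T09:00:06 auth fail user=heidi src=203.0.113.7
2021-06-01T09:05:00 auth fail user=alice src=198.51.100.2
2021-06-01T09:05:20 auth fail user=alice src=198.51.100.2
2021-06-01T09:05:45 auth ok user=alice src=198.51.100.2
2021-06-01T09:10:00 auth ok user=bob src=192.0.2.9
"""


def parse_log(text):
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct usernames with mostly failures.

    A legitimate user who mistypes a password produces repeated failures on a
    single account. A credential-stuffing run produces failures spread across
    many accounts, with the occasional success where a password was reused.
    Returns {src: {"attempts", "distinct_users", "failures", "compromised"}}.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            failures = sum(e["result"] == "fail" for e in win)
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                # Keep the largest qualifying window for reporting.
                if best is None or len(win) > best["attempts"]:
                    best = {"attempts": len(win), "distinct_users": len(users),
                            "failures": failures}
        if best is not None:
            # Any account this source logged into successfully is a candidate
            # for a forced password reset and a two-factor challenge.
            best["compromised"] = sorted(
                {e["user"] for e in evs if e["result"] == "ok"})
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['failures']}/{info['attempts']} failures across "
              f"{info['distinct_users']} accounts; successful logins: "
              f"{info['compromised'] or 'none'}")
```

The thresholds are deliberately conservative: a source is only flagged when it touches at least five distinct accounts and fails at least 80% of the time inside a five-minute window, so a single user fumbling their own password never trips it. In practice the distinct-username count is the stronger signal, since stuffing tools keep the per-account attempt rate low to stay under lockout thresholds.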
Cybersecurity literacy plays a big role in Ko and his team’s work at UQ, but beyond education and understanding, he says critical industries have a significant opportunity to define sector-specific cyber regulation and guidelines.
“There is a lack of literacy; most people don’t think these things will happen to them. The other thing is the lack of sector-wide guidelines on how to improve cybersecurity,” he says.
“For example, in the financial services sector there are a lot of regulations and checks and balances to make sure that fraudulent transactions don’t occur, and that the integrity of data is maintained. Whereas in these other critical infrastructure industries, they may just be at the beginning of that journey.
“There are also considerations to make in the areas of legal reform and having laws that promote a more proactive stance towards improving cybersecurity.”