Posted: 26.06.2024 14:23:34

Cyber security in the crosshairs

Why cyber operations against the critical infrastructure of CIS countries have intensified

Director of Russia’s Federal Security Service (FSB) Alexander Bortnikov has recently stated that actions from abroad aimed at paralysing the operation of computer systems in the public, industrial, energy, transportation and banking sectors are of great concern. What should be done in order to resist this?

Cinema and hackers

Most people's ideas about cyber attacks come from films, and the techniques shown there are mostly very far from reality. A lack of understanding of the basics can cause public panic, for example after a report, implausible on its face, that hackers have seized a chemical plant and are about to blow it up along with half the city.
Let us try to work out what tangible threat cyber attacks actually pose, which claims can be dismissed out of hand, and which signals deserve to be treated with caution.
The rule is that critical infrastructure, wherever this is possible, and hazardous production facilities above all, has no physical connection to the Internet: not merely a disabled link, but no equipment capable of providing one. Such facilities also often run specialised custom software with no provision for external interaction at all. The computer controlling the processes in a distillation column does not even 'know' that the Internet, hackers and the rest of the outside world exist; it was built for one task, and that is what it does. As long as that isolation is genuinely maintained, meaning that no service laptop, removable drive or maintenance modem ever bridges the gap, such a system cannot be hacked over a network at all.
In theory, of course, exotic methods of remote interaction with isolated systems exist. Malware planted on the machine might, say, take control of an LED on the PC case and blink out information about the system in Morse code, while a hacker sits in a tree a few kilometres away with a telescope and decodes the messages. In practice such scenarios belong in spy films. Production at a plant can really only be 'hacked' with an axe, and then the guards will intervene. So a report that cyber criminals have hacked a factory and halted production there can safely be treated as a joke.
The situation is a little more complicated with distributed infrastructure such as a railway. Train control is not reachable via the Internet, but parts of the system can be physically damaged. That was exactly the case in Belarus a couple of years ago, when several attempts were made to set fire to relay cabinets. The arson 'epidemic' ended soon after a few arsonists had been shot in the knees and the remaining criminals had been warned that the next ones would be shot to kill. That was an attempt to disrupt a closed distributed system, but it has nothing to do with hackers at all: it was plain terrorism.

The finer points

Let us now consider some of the finer points. Any production facility, even the most closed one, has many departments that keep it running: management, accounting, logistics, personnel and so on. These involve a lot of people who need Internet access to do their jobs, and this is where the notorious human factor gives attackers enormous room for manoeuvre.
The vast majority of breaches follow roughly this script: an accountant receives an email from 'the boss' urging them to open the attached file and not to forget the quarterly report. The accountant follows the instructions and promptly forgets about it. What usually escapes the accountant's notice is that the sender's address differs from the boss's real one by a single letter. The details vary, but it is almost always employees themselves who open the door to hackers.
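The 'one letter off' sender address described above is the kind of thing a mail gateway or a SOC analyst can check mechanically before a person ever has to squint at it. The following Python snippet is an added example, not code from the original article or from any product it mentions; the trusted domains in it are hypothetical, and the addresses fed to it are constructed. It normalises characters that look alike to a hurried eye (rn for m, 1 for l, 0 for o), measures the edit distance to each trusted domain, and also catches the trusted name buried inside a longer attacker-controlled domain.

```python
"""Triage check for lookalike sender domains (added example; domains are hypothetical)."""
import re
from typing import Optional, Tuple

# Hypothetical domains the organisation actually uses for internal mail.
TRUSTED_DOMAINS = {"example-plant.by", "example-plant.com"}

# Character swaps that read the same at a glance; normalising both sides before
# comparing catches "exarnple" for "example" and "p1ant" for "plant".
_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def sender_domain(address: str) -> Optional[str]:
    """Return the domain of an address such as 'Boss <director@example-plant.by>'."""
    m = re.search(r"<([^>]+)>", address)
    addr = (m.group(1) if m else address).strip()
    if addr.count("@") != 1:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def normalize(domain: str) -> str:
    d = domain.lower()
    for src, dst in _CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, so a dropped, added or swapped letter still scores low."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS,
                    max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return (verdict, domain): verdict is trusted, lookalike, external or malformed."""
    dom = sender_domain(address)
    if dom is None:
        return ("malformed", None)
    for t in sorted(trusted):
        if dom == t or dom.endswith("." + t):
            return ("trusted", t)          # the real domain or a subdomain of it
    norm = normalize(dom)
    best = None
    for t in sorted(trusted):
        if t in dom:
            return ("lookalike", t)        # trusted name buried in a longer domain
        d = edit_distance(norm, normalize(t))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, t)
    if best is not None:
        return ("lookalike", best[1])
    return ("external", dom)


if __name__ == "__main__":
    # Constructed samples, not real mail.
    for sample in ("Boss <director@example-plant.by>",
                   "director@exarnple-plant.by",
                   "director@example-plant.by.attacker.net",
                   "supplier@another-company.com"):
        print(f"{sample:45} -> {classify_sender(sample)}")
```

Treat the result as a triage signal, not a verdict: the confusable table is deliberately coarse and will occasionally flag a legitimate partner domain, and the check does nothing against a message sent from the boss's genuinely compromised mailbox, which is exactly why the staff training discussed below remains necessary.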
Most often, a penetration does not end well. Cyber criminals steal whatever they can, encrypt the important data and then offer the company's management the chance to buy the decryption keys. After all, data deleted in the usual way can often be recovered, whereas properly encrypted data cannot be read without the key. In a politically motivated attack, the criminals do not even offer to sell the key.
If the technical staff are doing their job, they will have a fresh backup, and the matter is closed relatively painlessly. A backup that sits on the same network as the compromised machines is encrypted along with everything else, so at least one copy must be kept offline and its restorability tested. Where no usable backup exists, or the data cannot be restored quickly, the production hell begins.
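A backup that has never been test-restored is an assumption, not a backup. The following Python script is an added example and not part of the original article: it records a SHA-256 manifest when the backup is taken, to be stored with the offline copy, and later compares a test restore against it, reporting files that are missing, altered (as encrypted files would be) or unexpected. The file names and contents in the demonstration are constructed.

```python
"""Backup verification: SHA-256 manifest plus restore check (added example, constructed data)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file below root (relative path, forward slashes) to its SHA-256."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest: dict, path: Path) -> None:
    # Keep this file with the offline copy, not on the network the backup protects.
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a test restore against the manifest taken when the backup was made."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "corrupted": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: a clean restore, then one mangled the way a ransomware run leaves it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "backup"
        (src / "accounting").mkdir(parents=True)
        (src / "accounting" / "q2-report.xlsx").write_bytes(b"constructed sample report")
        (src / "ledger.db").write_bytes(b"\x00" * 4096)
        manifest_file = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(src), manifest_file)
        manifest = load_manifest(manifest_file)

        clean = Path(tmp) / "restore-clean"
        shutil.copytree(src, clean)

        damaged = Path(tmp) / "restore-damaged"
        shutil.copytree(src, damaged)
        (damaged / "ledger.db").write_bytes(b"ENCRYPTED")          # overwritten in place
        (damaged / "accounting" / "q2-report.xlsx").unlink()        # gone
        (damaged / "README.txt").write_text("ransom note")          # left behind

        return {"clean": verify_restore(clean, manifest),
                "damaged": verify_restore(damaged, manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the separate manifest is that an intruder who has encrypted the live data and the online backup cannot also silently rewrite the fingerprints kept offline, so a restore that looks complete but contains ciphertext is caught before it is trusted.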
Hacker groups routinely make loud claims that they have hacked the plant and halted production, posting stolen documents as proof. The documents prove access to the office network, not to production, so the claim is far from the truth, although administrative work may indeed be severely hampered for a while.

Human factor

For every indestructible shield there is an all-destroying sword. If a system has vulnerabilities, they will be targeted, and no longer by random enthusiasts but by specially trained people acting with a purpose. After all, there is no fundamental difference in the means of causing damage, whether a drone strike or a hacker attack; it is only a matter of scale and of the severity of the consequences. It is precisely the low probability of being identified that makes this 'business' so attractive to some: launching a drone invites a retaliatory missile strike, whereas identifying a cyber intruder is far from trivial. It does not take a fortune teller to predict that attempts to cause damage by such methods will persist and become more frequent. So what should be done to protect oneself against cyber attacks?
First of all, the threats must be assessed soberly: hackers will not get at a properly isolated critical facility whose failure could cause a man-made disaster, as that is simply not their domain, but they can deal a painful blow to the infrastructure around it. The most serious vulnerability is almost always a human being. Consider bank card fraud: people themselves give away their details, transfer money, install dubious applications, click on suspicious links and end up penniless. The device that is plugged into an ATM and makes it spew banknotes exists only in fantasy films. The system is reliable; the person is not.
The most obvious preventive step, therefore, is to raise cyber security knowledge and awareness among company staff. Children are taught not to open the door to strangers, yet adults are not always taught the same rule for the workplace. It goes without saying that regular backups and properly configured security software are also mandatory parts of any organisation's data protection strategy.
In fact, any hacker is first and foremost a social engineer whose main task is to extract information from a person and use it to get into the system. Few people realise this, because the minds of a large part of the public are cluttered with film plots in which cyber attackers skilfully hack any computer in the blink of an eye. In reality, modern systems are very reliable, and the weak link has long been identified. Protecting yourself from hackers is no rocket science: all it takes is teaching people not to open the door to them.
By Yury Terekh