We’re living through a transitional and uncertain time when countries retaliate in the physical and virtual worlds to cause an impact. The pursuit of nuclear weapons (followed by sanctions,) oil tanker explosions in the Gulf of Oman, $180 million-dollar drones being shot down, cyber attacks disabling military weapons systems and counterattacks against critical infrastructure all converged the past few weeks. Mission Secure began five years ago specifically to protect military weapon systems and critical infrastructure from cyber attacks. We stopped to ask the following question: Has the next era of geopolitical warfare arrived and what now?
A Timeline of Recent Events follows:
- Iran's Quest for Nuclear Weapons: For many years, Iran pursued the goal of obtaining nuclear weapons. In 2015, Iran agreed to a long-term deal with a group of six world powers – the U.S., U.K., France, China, Russia and Germany. Under the accord, Iran agreed to limit its sensitive nuclear activities in exchange for the lifting of sanctions and gaining access to over $100 billion dollars in assets frozen overseas, plus the resumption of selling Iranian oil on international markets. Things seemed to be working for a few years - until they didn’t.
- Sanctions: The U.S. felt the treaty would not limit Iran’s ability to obtain nuclear weapons and withdrew in May 2018 with the goal of pursuing a new, more stringent deal with Iran. In November 2018, the U.S. reinstated sanctions targeting Iran and its trading partners. The Iranian economy slowed, its currency plunged, inflation surged, foreign investors fled and protests flared in Iran. In May 2019, Iran suspended commitments under the accord and told the other countries to protect it from sanctions or Iran would resume production of highly-enriched uranium.
- Exploding Tankers: On May 12, 2019, four oil tankers were damaged by explosions near the Strait of Hormuz just off the coast of the United Arab Emirates. In June the UAE concluded it was highly likely that limpet mines used by an undisclosed state actor caused the explosions. The U.S. and others pointed to Iran. While incidents had been reported of spoofed and jammed GPS signals in the region causing issues with navigation systems, trying to blow up a ship was something new. On June 13th, two more oil tankers were attacked leaving one ablaze and the other abandoned and adrift in the Gulf of Oman. The U.S. military implicated Iran in the attack and released drone video footage showing an Iranian military patrol boat pulling up to one of the tankers to remove an object from the hull. Iranian cyber forces have also tried to hack U.S. naval vessels and navigation systems in the Persian Gulf over the past several years. In May, the U.S. Coast Guard warned the maritime community about cyber attacks looking to disrupt shipboard computer systems on merchant ships. MSi works with a number of oil and gas shipping companies operating across the globe and their leadership has been taking notice.
- Exploding Drones: On June 20th, a week after the attack on the tankers, Iran shot down an unarmed U.S. military drone. The drone, with an estimated worth of $180 million dollars, was performing reconnaissance over international waters in the same region as the oil tanker attacks. Iran attempted to shoot down another drone a week prior but missed. Back in 2011, Iran was touting to the world it captured an American drone in Northeastern Iran. Some experts suggest the GPS system was spoofed or jammed. Over the last several years, MSi has been working with the U.S. military on detecting GPS jamming and spoofing, identifying cyber attacks against drones and safeguarding the military system against these threats.
- Cyber retaliation against weapons systems for kinetic attacks: Exploding tankers and drones provide clear, physical impacts from kinetic attacks. However, the impact of a cyber attack can be more nebulous. As reported by the Washington Post and others on June 20th, the U.S. Cyber Command launched a cyber attack disabling Iranian weapons systems used to control rocket and missile launches. The attack against the Islamic Revolutionary Guard Corps appears to be the first offensive cyber mission officially to be carried out by Cyber Command since its elevation to a full combatant command in May 2019. The U.S. sent a signal to Iran and other adversaries saying it has cyber weapons that can neutralize their capabilities and plans to use them.
- Cyber attacks on U.S. critical infrastructure: Two days later, on June 22nd, the U.S. Department of Homeland Security (DHS) warned U.S. industry officials to be alert for cyber attacks originating from Iran. It warned Iran has increased its cyber-targeting of critical industries, including oil and gas, other energy sectors, and government agencies and has the potential to disrupt or destroy systems. DHS Cybersecurity Director Christopher Krebs stated “Iranian actors and their proxies are not just your garden variety run of the mill data thieves. These are the guys that come in and they burn the house down.” In addition to Iran, the U.S. critical infrastructure has been under constant attack from other foreign nations, such as Russia. On June 14, 2019, Wired magazine covered various cybersecurity firms reporting the Russian-backed group behind the 2017 Triton attack on Saudi chemical facilities are now probing the networks of more than twenty U.S. electric system targets ranging from power generation to transmission to distribution stations. MSi works with a number of leading energy companies in upstream (on and offshore), midstream and downstream and has seen probing activity emanating from foreign countries, including Russia, aimed at customers’ control systems. Foreign campaigns aimed at critical infrastructure have been underway for several years, and only getting more sophisticated.
- Will insurance cover it? Some ask why do they need to worry about nation-states attacking them; won’t the government protect them and insurance cover any consequences? Unfortunately, two years ago when the NotPetya malware campaign exploded around the world as a result of Russia trying to interfere with Ukraine, the malware resulted in collateral damages spread across the globe. Maersk shipping lost over $300 million dollars. Food industry giant Mondelez suffered losses from NotPetya estimated to be $188 million. When Mondelez sought to recoup losses from the NotPetya attack from its insurance provider, the company claimed a “wartime exclusion” in the policy where losses resulting from collateral damage caused by an act of war would not be covered. Mondelez is now in the middle of a $100 million-plus lawsuit against the insurance carrier. MSi’s work with energy clients reveals most insurance coverage does not cover losses due to a cyber attack on the industrial control systems resulting in physical damage.
Using cyber attacks as offensive, and retaliatory, measures in conjunction with kinetic attacks appears to be the new normal. We feared military weapons systems and critical infrastructure could be severely compromised when we started MSi back in 2014. Back then, people thought the idea of hacking cars and drones and protecting them from cyber attacks seemed far-fetched. Now we are watching these events unfold. Here is what every company operating critical infrastructure needs to be doing today:
- Assess: In working with our industrial and military customers we learned a lot about cyber risks and ways to mitigate them. Every critical infrastructure provider and weapons system program manager should start by conducting a cyber risk assessment of the operational technology (OT) controlling the most important industrial assets, or weapons systems and platforms. The goal of the assessment is to identify the most critical OT cyber risks and close any immediate gaps. Over the years MSi has performed a multitude of OT cyber assessments at offshore platforms, onshore oil and gas production sites, pipelines, cryogenic plants, refineries, LNG vessels, water treatment facilities, transportation systems, military weapons platforms and more.
- Design: Following an assessment, companies should work with IT and operations team members in conjunction with their cybersecurity advisors to develop a secure cybersecurity architecture to protect against cyber attacks. A layered, defense-in-depth approach is recommended. Companies should follow industry guidelines such as NIST, IEC 62443, U.S. DHS' Industrial Control System Cybersecurity guidelines and other industry cybersecurity guidance. A robust cyber architecture will involve people, process and technology and take time to implement. That being said, it does not have to be cost prohibitive to protect against cyber attacks. However, the costs of not taking proactive measures could be substantial should an attack occur.
- Deploy: IT and OT team members need to work together to deploy a cyber architecture that provides visibility into the OT environment, as well as protection for OT assets. This involves both hardware and software-based solutions. While monitoring your network and keeping accurate asset inventories of systems on your network is a major step in the right direction, it won’t actually stop an attack (like Stuxnet, Triton, NotPetya or something new) from having a negative impact on your critical systems and controllers. Actual protection requires hardware to be embedded into the control network, monitoring control system activity and being able to block unwanted or abnormal actions. The patented MSi Platform provides both visibility and protection for industrial control systems and weapons systems/platforms.
- Manage: Once systems have been deployed, it is important to monitor alerts and be proactive in following up. Software on workstations, servers, controllers and OT equipment should be updated. Unpatched systems make it easy for malware to spread and for attackers to use as a foothold in the OT network. Third party access to your OT network should also be controlled and monitored. Third parties offer adversaries a back door to your operations. Back-up and recovery procedures should also be freshened and practiced. The faster you can recover from an attack the lower your downtime and losses.
The downside of our connected world is massive disruption from cyber attacks. NotPetya impacted shipping, trade and commerce around the world. What can impact one industry has the potential to harm others. It is important to work with your cybersecurity and industry partners to make sure your critical systems are protected. MSi partnered with a global maritime industry leader, ABS, to bring the best maritime subject matter expertise, cybersecurity services, solutions and industry best practices to the maritime and offshore markets. Listen to Dennis Hackney, Senior Technical Advisor for Cybersecurity at ABS, talk about the partnership with Mission Secure with Offshore Engineer.
Learn more about securing your critical infrastructure from cyber attacks. Mission Secure’s team of experts are here to help.