
CNI Under Attack, Again: What CISOs Should Know

As security agencies shore up defences, how big is the risk to CNI and how should firms respond?

Since Russia invaded Ukraine, adversaries have been using both cyberattacks and physical warfare to take down energy infrastructure, with some success.

Outside of the conflict, critical national infrastructure (CNI) is being exploited more broadly across the world in attacks intended to stoke fear and unrest. In April, adversaries exploited weak credentials to penetrate a water dam in Norway, allowing them to take control of one of the valves and open it to increase the flow of water.

The Norwegian dam attack was “remarkably simple”, says Tommy Evensen, CISO at Omny, a Norwegian cybersecurity company that protects critical infrastructure. “It utilised a public-facing system and weak credentials that were easily hijacked by threat actors to gain unauthorised access."

As the risk of attacks such as these grows, global leaders are shoring up defences. The UK’s National Cyber Security Centre (NCSC) has issued a new version of its flagship security guidance, the Cyber Assessment Framework, designed to help CNI providers keep pace with the threat landscape.

In August, the US partnered with three other Five Eyes countries to develop a common asset inventory and taxonomy guide for operational technology (OT) and industrial control systems (ICS).

Legacy Systems

One of the biggest challenges facing CNI is the fact it is inherently insecure. This is in part because it relies on supervisory control and data acquisition (SCADA) based systems that were never meant to be connected to the internet.

Many of the existing SCADA systems are “decades old” and therefore produced before the world had become cybersecurity-conscious, says Mihoko Matsubara, chief cybersecurity strategist at NTT.

The systems often run on “outdated and unsupported operating systems” such as Windows XP, he points out. Adding to this, critical infrastructure services are required 24/7, which makes timely patching challenging.

Because availability is key, downtime often needs to be scheduled, so it can take much longer to happen, says Simon Hodgkinson, strategic adviser at Semperis. “Patches can take weeks to approve and can only be applied during a maintenance window that would be months, or even years away.”

This is attractive to adversaries, who “are all too aware that mission-critical operations may have overlooked simple patch updates”, according to Matsubara.

Adding to this, OT and IT systems are not well segmented. “Many SCADA systems allow remote access for monitoring and this means adversaries can use commercially available tools, such as Shodan, to find exposed systems,” says Matsubara.

Worse still, SCADA systems tend to use default passwords, he adds.

Targeting CNI 

CNI is targeted by many types of attackers, but it’s of particular interest to nation state adversaries seeking to cause maximum damage. According to the US Cybersecurity and Infrastructure Security Agency (CISA), the Iran-linked hacking group CyberAv3engers has targeted U.S. water and wastewater facilities, compromising the Vision series of industrial programmable logic controllers (PLCs) produced by Unitronics.

In January 2024, the Russia-linked group Cyber Army of Russia Reborn launched a cyberattack against a town in Texas, Panhandle, that led to its water system overflowing.

Another known adversary targeting CNI is China-linked Volt Typhoon. The group has targeted energy, telecommunications, transportation and water to “use network access for disruptive effects in the event of potential geopolitical tensions and military conflicts”, Matsubara points out.

Nation state objectives typically include strategic deterrence, influence operations, or preparing cyber options for potential conflict or coercion. Groups linked to nation states remain among the “most capable and persistent adversaries”, says Denrich Sananda, managing partner and senior consultant at Arista Cyber.

However, many others are targeting CNI, including financially motivated ransomware operators. These adversaries continue to escalate attacks on manufacturing and utility sectors, banking on the urgency of restoring physical operations to pressure victims into payment, says Sananda.

He cites the example of groups such as LockBit and BlackCat, which have “repeatedly targeted energy and industrial firms, exploiting downtime sensitivity and weak segmentation between IT and OT systems”.

CISO Strategies 

Defending against attacks on CNI is certainly not easy, but there are steps organisations and their suppliers can take to boost security. One useful resource is NCSC’s Cyber Assessment Framework (CAF) 4.0.

This has just been updated and is “the best baseline the UK has” for essential functions: governance, risk, architecture, detection and response, says Pedro Umbelino, principal security researcher at Bitsight.

Version 4.0 also sharpens board accountability and measurement, he says. With this in mind, he advises firms to “map controls to [the NCSC’s] CAF outcomes and insist vendors show how they meet them”.

Aside from this, he recommends CNI firms remove internet exposure as much as possible. “Anything that speaks Modbus, BACnet, S7, EtherNet/IP, KNX, ATG, or legacy vendor stacks does not usually need a public IP. If a service integrator needs it, they should get a jump host with multi factor authentication (MFA) and time‑bound access. Keep an eye out for shadow IT that opens unknown doors into your network.”

CISOs must have better visibility of their network environment by updating an inventory of IT and OT assets and protocols, as well as network mapping, says Matsubara.

He advises CISOs to consider zero trust architecture (ZTA) for the protection of critical infrastructure. “Adopt network segmentation between IT and OT networks, enforce least privilege access for SCADA systems and change default passwords,” adds Matsubara.
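A practitioner-level version of the checks recommended above (OT protocols reachable outside internal ranges, default credentials still in place, unsupported operating systems), as an added example that is not from the article or from any of the firms quoted: it audits a constructed asset-inventory CSV export. The column names, the organisation's internal address ranges and the protocol-to-port table are assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample of an IT/OT asset-inventory export (not real data).
INVENTORY_CSV = """\
asset,ip,os,service,port,default_creds
plc-pump-01,203.0.113.10,VxWorks,modbus,502,yes
hmi-wwtp-02,10.20.30.5,Windows XP,rdp,3389,no
bms-hq-01,198.51.100.7,Linux,bacnet,47808,no
plc-valve-03,10.20.31.9,Siemens S7,s7comm,102,yes
jump-01,10.0.0.4,Windows Server 2022,ssh,22,no
"""

# Assumed internal (OT and corporate) ranges; anything outside them is
# treated as reachable from the internet for the purpose of this audit.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]

# ICS/OT protocols and their registered ports; none of these belongs on a public IP.
ICS_PORTS = {"modbus": 502, "bacnet": 47808, "s7comm": 102, "enip": 44818, "knx": 3671}

# Operating systems with no vendor patches available.
UNSUPPORTED_OS = ("Windows XP", "Windows 7", "Windows Server 2003")


def audit_inventory(csv_text: str) -> dict[str, list[str]]:
    """Return {asset: [findings]} for every asset that needs attention."""
    findings: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        addr = ipaddress.ip_address(row["ip"].strip())
        svc = row["service"].strip().lower()
        # Finding 1: an OT protocol listening on an address outside internal ranges.
        if svc in ICS_PORTS and not any(addr in net for net in INTERNAL_NETS):
            issues.append(f"{svc}/{row['port']} reachable outside internal ranges ({addr})")
        # Finding 2: vendor default credentials still in place.
        if row["default_creds"].strip().lower() == "yes":
            issues.append("default credentials")
        # Finding 3: unsupported OS, so patching is not an available mitigation.
        if any(row["os"].startswith(name) for name in UNSUPPORTED_OS):
            issues.append(f"unsupported OS {row['os']}")
        if issues:
            findings[row["asset"]] = issues
    return findings


if __name__ == "__main__":
    for asset, issues in audit_inventory(INVENTORY_CSV).items():
        print(f"{asset}: {'; '.join(issues)}")
```

Feeding the same check a real export gives a first cut of the exposure, credential and patching gaps the board conversation in this section turns on.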

At the same time, practicing incidents will help, Umbelino says: “Tabletop what happens when a gate opens by itself or a pump ‘fails safe’ every hour. Industrial control systems and OT incidents are kinetic: Have the manual runbooks and spares ready before someone tests you. Can you reach the necessary technicians if the power runs out? How long does it take to have hands on premises if need be?”

As attacks on CNI continue and adversaries become more capable, governance is equally critical, says Sananda. “CISOs must engage boards with clear language on operational risk, demonstrating how cyber events could affect public safety or service delivery. This will help to secure budget and accountability.”

Kate O'Flaherty, cybersecurity and privacy journalist