With Queensland’s CS Energy yesterday confirming its corporate network had suffered a ransomware attack, industrial cybersecurity company Claroty highlighted the growing cyber risk to critical infrastructure and the energy sector specifically.
“Over the past couple of years, ransomware gangs have increasingly targeted critical infrastructure organisations because they know that they can’t afford to have any operational interruptions or downtime,” Claroty ANZ regional director Lani Refiti said.
“Downtime could lead to a catastrophic situation in the case of the energy sector, making energy providers more likely to pay the ransom. Similar to the Colonial Pipeline attack which targeted a major US pipeline, the ransomware group responsible for the CS Energy attack likely expected the payment of a large ransom.”
Amendments to the Australian Government’s Security of Critical Infrastructure Act were passed into law only a fortnight ago, and the upcoming Ransomware Action Plan will further strengthen the critical infrastructure sector, encouraging operators like CS Energy to uplift or upgrade their cybersecurity programs to better deal with ransomware.
“The usual vector for ransomware is via corporate systems/networks and most organisations in the power sector will segment their Operational Technology systems from their corporate networks to avoid an attack via this route. Hopefully this is the case for CS Energy, which is one of Queensland’s three main power generation companies along with Stanwell Corporation and Cleanco,” Refiti said.
“The vast majority of attacks come via traditional routes—email phishing or waterhole attacks (attackers infecting sites that employees or contractors frequent). Once an attacker gets a foothold in the corporate systems they will expand laterally, looking to infect and encrypt as many computers as possible to then hold up for ransom.
“The challenge for critical infrastructure organisations is that some of their systems that are traditionally in segmented networks (operational technology networks) are now being placed into corporate IT and in some cases cloud for easier access, scalability, data analysis etc., and if these systems are infected/encrypted they will impact the running of critical operations. Some ransomware-as-a-service operators will also steal sensitive data and post it publicly to try and leverage more ransom out of the victim.
“Ransomware is still primarily the tool of cyber criminals whose motive is financial gain. They are going after more high-profile targets these days because they know these organisations are critical and will pay a higher ransom. However, this has backfired recently, with the FBI arresting some of the individuals behind the Sodinokibi/REvil syndicate.”