Exposed and Vulnerable Critical Infrastructure – Energy & Water Industries

Numaan Huq
The Energy & Water (E&W) sectors are critical to the economy of every nation and need to be secured. During our investigations we found a number of exposed and unprotected E&W systems online, which poses a danger to this Critical Infrastructure (CI). We wish to stress that, contrary to many sensationalized stories on the vulnerability of Internet-connected CI, our findings were limited to small-to-medium-sized organizations within these sectors. Large CI organizations have security firmly in mind, but they still consider their ICS infrastructure susceptible to cyberattacks. However, the exposure of these mid-tier organizations is still cause for concern for two reasons. Firstly, because of CI interdependencies and the way distribution networks are set up, failures in these mid-tier organizations will have cascading and far-reaching after-effects further up the supply chain. Secondly, for would-be attackers these mid-tier players act as the perfect testbed for trying out attack strategies and their effects in less risky ways. In this talk we present the following:

  • Using OSINT techniques, we probe the E&W sectors to see what types of exploitable cyber assets are accessible to would-be attackers
  • We present findings from past ICS security research papers to highlight the potential threats faced by exposed cyber assets
  • We attempt to identify likely attackers, probe their motives and assess the damage potential. We present real-life cyber attack scenarios that we identified and discuss how they can affect cities/nations
  • Finally, we provide defensive strategies for protecting the main ICS equipment and the supply chain of the E&W sectors