During the past two pandemic-disrupted years, the world grew more reliant on cybernetworks. Criminals, some of them backed by sovereign states, had time and motive on their hands. Cyberattacks ramped up significantly both in number and scope.
Cybervictims paid ransoms worth more than $400 million in 2020, according to the U.S. Treasury, four times the amount paid the year before. The incentives for cybercrime are clear and increasing. However, that figure represents a fraction of the economic harm produced through business disruption and wasted work hours, not to mention activities, sometimes critical, put on hold.
Infrastructure represents a compelling target. Often critical in nature to a city or economy, always important, the asset class presents huge projects that are central to the way we live and work. Asset and fund managers say they are getting an increasing number of calls concerning the topic from investors.
“As an investor, this is something we have to take very seriously,” says Minesh Mashru, head of infrastructure with Cambridge Associates. “It can have severe reputational risks for everybody involved.”
The infrastructure sector is addressing the issue, but perhaps not quickly enough. There is a cyberarms race between a criminal offense and a potentially underfunded defense. Lapses can be extremely costly, and highly visible in their failure.
“When things are going great no one ever says anything,” Mashru notes. “But the moment something goes wrong, it becomes a huge issue.”
Who holds the bag?
Private companies may well have the onus of vigilance on themselves — protect yourself, your data and your customers, or else. But the issue is more complex when discussing critical infrastructure, which has public importance. A complex network of service providers often supports power lines, gas pipelines and telecom towers, introducing third-party risk to the cybersystem.
The more fragmented an industry becomes, the more entry points there are for hackers and malware. Certain segments of the infrastructure sector such as the power-supply network are incredibly well-protected, with the potential for disruption obvious to all, heavy regulation in place, and physical security of the assets already well-monitored. But for other semi-privatized infrastructure segments, the dangers are not quite so clear and present, and it is not even always obvious who should be ensuring that the cybersystem is secure.
“The easy rule of thumb answer is the more you digitize, the higher your threat of hacking,” says Jason Lund, the leader of technology infrastructure at JLL. While tech promises greater speed, efficiency, environmental benefit and user functionality, “all technology brings with it the threat of being used by bad actors against the beneficiaries of the technology,” he adds.
Technological capability, therefore, needs to expand at the same pace as cybersecurity. Lund says that technology is typically only evaluated from the point of view of the benefit that it will provide to infrastructure, buildings or the occupants. That is certainly very valuable, he admits, but technology and its supporting architecture also need to be assessed for the potential for hacking and the physical vulnerability that they present. Whether occupants of the building may inadvertently use the technology in a way that creates cyber risk is also a concern.
Infrastructure asset owners, managers and investors should act in three ways, Lund believes. First, they must properly understand the existing technology infrastructure in their assets, and how it is being improved, which is often not the case. Second, once the technology in their existing assets is mapped, they need to create a strategy that allows for future technological improvement, as well as planning future cybersecurity precautions. Third, they must establish how to maintain cybersecurity across the existing technology in their portfolios, set a roadmap for future technology, and establish a protocol for how technology is taken on board in future purchases and offloaded when assets are sold.
Investors must start asking tough questions of infrastructure operators, Mashru at Cambridge Associates says. “We need to make sure adequate controls are in place,” he says. Have the operators run a ransomware fire drill? What are the redundancies? Whom do they call first? “Are there plans for when something does happen? What’s your normal course of action should this occur?”
INDUSTRIAL TARGETS FACE WAVE OF ATTACKS
It is the finance industry that suffers the most cyberattacks, according to IBM’s X-Force Threat Intelligence Index report for 2021, followed by manufacturing and then the energy sector. While finance has consistently topped the ranking, heavy industry has risen higher on the list of targets than the retail sector, the media, and transportation, which used to rank just behind banking. Professional services firms, government, healthcare and education round out the roster of the sectors that face the most cyberattacks.
In the past, industrial targets have normally faced an assault on their IT networks, rather than the control of their operations. “Though inconvenient, attacks on IT networks do not typically result in operational disruptions, with the recent cyberattack on Colonial Pipeline being an obvious outlier,” Moody’s writes in its June report, Cyber Risk – Global. “However, attackers are honing their skills and reaching deeper into the networks of industrial companies.”
So far, 46 percent of the vulnerabilities in the industrial-control systems at industrial targets affect the basic control or supervisory control of the network, the industrial cybersecurity specialist Claroty notes in its most-recent Biannual ICS Risk & Vulnerability Report. That is one or two steps away from the actual hardware of physical production. However, if exploited, the vulnerabilities bring attackers closer and closer to critical operations.
Even when companies believe their own networks are highly secure, they are liable to penetration through third-party vendors. In June, the administration office of the U.S. House of Representatives said the private company iConstituent had suffered a ransomware attack. Its e-newsletter software is used by the U.S. Congress as well as the states of Illinois, Georgia and Hawaii and the City of Los Angeles to send digital newsletters to constituents.
Critical-infrastructure companies are attractive as ransomware targets because the companies have a significant incentive to pay the ransom. Any operational disruption at all exposes the company to financial losses, reputational damage and increased regulatory scrutiny, Moody’s notes, motivating the target to restore operations as quickly as possible.
ONE ENTRY POINT SHUTS DOWN COLONIAL
The Colonial Pipeline attack in May illustrates that point. A ransomware breach of Colonial Pipeline Co.’s billing system caused the company to shut down the utility’s entire operations in a bid to contain the attack. That halted the pipeline, which runs from Houston to New York City and supplies around 45 percent of the fuel and gasoline to the U.S. East Coast. The company paid $4.4 million in Bitcoin within a few hours to the hostage takers, but the decryption software the criminals supplied to restore the network worked slowly. The pipeline was shut down for six full days and took another three days to get back to full capacity.
Meanwhile, U.S. President Joe Biden declared a state of emergency as fuel supplies in 17 states dried up. It constituted the largest cyberattack in U.S. history on oil infrastructure. The U.S. Justice Department said a month later that it had recovered around $2.3 million of the missing money. The FBI said the commercial hacking group DarkSide, thought to be based in Russia and specializing in ransomware and extortion, was responsible.
While the recovery of most of the ransom money was lauded as an unusual success, it was not all recouped. What is more, the major damage stemmed from the operational chaos that ensued. The entire commodities market was disrupted, with U.S. oil prices climbing suddenly to their highest levels in six years.
Besides Colonial Pipeline, the Portuguese electric utility EDP, the Italian electricity-and-gas utility Enel, and the Brazilian electricity network Eletrobras have all been attacked over the course of the past two years. A little further back, a 2019 attack breached the IT network of India’s largest nuclear facility.
The entire Colonial Pipeline ransomware attack seems to have developed from just one penetration of a virtual private network (VPN) account whose login and password were compromised, notes Kabir Singh, a partner with the law firm Clifford Chance Asia. Through that loophole, the cybercriminals gained entry to the company’s servers.
An attack on the U.S. power grid could cause losses of $240 billion, a figure that could rise above $1 trillion, according to the University of Cambridge’s Center for Risk Studies. The interconnected grid could allow infiltrators to damage 50 power generators supplying the most populous parts of the country.
That is the direct cost. Singh notes that a string of lawsuits will likely ensue as litigants pursue financial losses caused by commercial disruptions. There is a Colonial Pipeline class-action lawsuit under way, launched by gas stations that are claiming the company failed to take adequate and reasonable measures to safeguard the pipeline’s critical infrastructure.
The interests of investors and cybercriminals converge in the infrastructure sector. Both are targeting large, crucial assets that are central to our lives. It is their dependability that makes them essential, and that puts them at risk.
“Ransomware operators are targeting bigger, more high-profile businesses that operate services and make products that are key to everyday lives, such as infrastructure, to obtain a higher ransom pay out,” Singh says. “These businesses tend to be more attractive to investors given their scale and market share, and investors who are interested in investing in infrastructure should be aware of this growing risk.”
There is reputational risk both for companies and for entire industries. After all, investors have typically put money to work in the infrastructure sector precisely because such positions are supposed to be defensive holdings that carry less risk.
“A cyberattack on infrastructure assets can also diminish investor confidence in infrastructure investments, and disrupt the very stability that made such investments attractive to investors in the first place,” Singh points out.
A DOLLAR VALUE ON AN ATTACK
Looking specifically at denial-of-service attacks, 87 percent of companies and organizations report coming under attack in 2021, according to the 2021 Global DNS Threat Report from IDC and EfficientIP. They face an average of 7.6 attacks per year, the study shows, costing an average $950,000 each time.
Telecom infrastructure faces the highest level of DNS attacks, according to that report, with 8.6 attacks per year. Telecoms were the companies most likely to have customer data stolen, afflicting 29 percent of companies, and leading both to brand damage and customer churn.
The health sector tends to be highly decentralized and particularly open to attack. Healthcare companies faced the most downtime, hitting 53 percent of healthcare apps, while 36 percent of healthcare operators had to shut down part or all of their infrastructure when they came under attack.
Doctor-patient-company communication means reams of confidential customer information are stored and shared via a rapidly rising number of smart, network-linked devices and pieces of equipment. Much of the data ends up in cloud-computing systems. Ultimately, of course, critical hospital infrastructure, such as ventilators, robotic surgical equipment, vital-signs monitors, ultrasound machines and MRIs, is at risk if a network is fully breached.
Healthcare equipment and facilities are extremely expensive, and not surprisingly they command the lion’s share of the capital-expenditure budget. Chances are that healthcare providers have older legacy equipment that is unpatched, multiple software providers for different systems and a complex method of interacting with a hospital and healthcare network, all of which present weak links for cyberbreaches. Health networks are also extending their reach directly into patient homes, with remote monitors, connected cameras, smart speakers and microphones.
PHYSICAL DAMAGE A THREAT
Although IT disruption and denial-of-service attacks can freeze up the systems of a business, they do not do physical damage. But software such as BlackEnergy, created in the Russian underworld to plunder Russian and Ukrainian banks, has been used to attack physical infrastructure.
“Hackers have been developing and defining new malware to launch new creative attacks and catch businesses off guard,” Singh notes. “Cyberthreat levels are rising much faster than defense capabilities.”
A BlackEnergy Trojan was the entry point just before Christmas 2015 for Russian state-linked forces to create power outages for six hours in Ukraine at three energy companies. It knocked out power for 230,000 people in what is thought to be a deliberate attempt by the Russian government to scare Ukrainians, and the first known act of cyberwarfare to impact civilians. Stuxnet, a malicious computer worm likely created by the United States and Israel, has been used in repeat attacks to damage the Iranian nuclear program, reportedly ruining one-fifth of Iran’s nuclear centrifuges by causing them to spin out of control.
The massive WannaCry ransomware attack in 2017, which U.S. and U.K. intelligence say stemmed from North Korea, locked up 230,000 computers, including those of the Spanish phone company Telefonica and the British National Health Service hospitals. It crippled computer systems in 150 countries and caused $4 billion in losses, according to the data-security company Kaspersky Lab. Shortly afterward, the NotPetya program caused the radiation-monitoring system at the Chernobyl nuclear power station to shut down. Both WannaCry and NotPetya spread using the EternalBlue exploit, developed by the U.S. National Security Agency to target Microsoft Windows.
The confluence of commercial hackers with state-supported hacking groups as well as government agencies creates a powerful blend of technological prowess. It is a battle to keep up for infrastructure operators and investors alike.
“The reality is, you don’t know what you don’t know because the threats are developing in real time,” Mashru says. “As an investor, you are in the same situation. You don’t have perfect knowledge. You just need to be really vigilant.”
Alex Frew McMillan is a freelance writer based in Hong Kong.