5 Critical Infrastructure Cyber Attacks and Key Lessons Learned from Them

Threat actors continue to target critical infrastructure in their cyber attacks. With hacktivists, state-sponsored actors, profit-motivated groups, and terrorists all on the scene, many factors motivate the potential for malice against the assets essential to functioning societies. The consequences of these attacks raise ongoing concerns for those that operate critical infrastructure and the governments tasked with protecting the security and stability of nations. 

In the same way aviation safety improves with each accident investigation, examining previous cyber attacks on critical infrastructure provides valuable lessons to improve security. With this in mind, here are five high-profile critical infrastructure cyber attacks and a key cybersecurity takeaway from each. 

1. Toyota, February 2022

February 2022 saw the Japanese car manufacturer Toyota affected by a ransomware attack that disrupted operations at 14 plants. CISA defines the critical manufacturing sector, which includes automobile manufacturing, as one of 16 critical infrastructure sectors pivotal for the economic prosperity and continuity of the United States. Brands like Ford, Chevrolet, and Tesla face a similar threat landscape to Toyota. 

The ransomware attack that halted the production of Toyota vehicles didn’t even directly hit the company’s network. The culprit was an attack on Kojima Industries, which supplies various interior and exterior components for Toyota vehicles. 

Complex supply chains in sectors like the automotive industry make manufacturers particularly susceptible to supply chain security risks. A demonstrable lack of visibility into supply chain risks and preparedness for disruptions worsened this incident’s impact.

Lesson Learned: Organizations operating in critical infrastructure sectors require comprehensive supply chain risk management, including stress testing production capacity when key suppliers get taken down by cyber attacks. 

2. California and Florida Water Supply, January 2021

A worrying attempt to poison the Californian water supply occurred in early 2021 when a threat actor accessed a water treatment plant’s network in the San Francisco Bay Area. Once inside the network, the hacker deleted various software that the treatment plant’s operators use to remove harmful chemicals from drinking water. 

The method of gaining entry to the plant’s network was worryingly simple—a working set of username-password credentials for a former employee’s TeamViewer account provided an entry route. A similar incident occurred just a few months later at a Florida water treatment plant. In the Florida incident, the intruder managed to compromise a TeamViewer account and raise levels of lye in the water to hazardous levels. 

A couple of severe identity and access management failings contributed to these incidents. In the California incident, admins failed to remove an orphaned user account belonging to a former employee so the account still remained enabled and retained its permissions. Additionally, weak authentication in both attacks enabled straightforward access to accounts using just a username-password pair. 

Lesson Learned: Strong authentication is imperative for all applications used within critical infrastructure IT and OT ecosystems. According to CISA, multi-factor authentication strengthens organizations against account takeover by greatly increasing the level of difficulty for bad actors.

3. Colonial Pipeline, May 2021 

A complete shutdown of the 5,500-mile Colonial Pipeline in 2021 was one of the most high-profile cyber attacks on critical infrastructure in the last few years. A ransomware attack on The Colonial Pipeline Company resulted in a five-day pipeline shutdown, leading to fuel shortages in several U.S. states. 

Detailed investigations into the Colonial Pipeline attack unearthed some avoidable flaws. The root cause stemmed from a legacy VPN application that admins failed to decommission even though it was no longer in use. Threat actors gained access to an employee’s credentials for this legacy VPN, and the account was not safeguarded by multi-factor authentication. These credentials provided the foundation for moving laterally and installing ransomware on the billing systems for the pipeline. 

These flaws were bad enough, but the most worrying element was the cascading impact on the pipeline’s operations. The company decided to shut down the entire operational side of things due to concerns about ransomware spreading to the operational technology side. 

In recent years, many sectors in critical infrastructure have been drawn to the benefits of IT/OT convergence, which integrates IT systems with physical processes controlled via operational technology (OT). The attractions of this convergence include better decision-making, reduced downtime, and improved efficiency. However, not paying sufficient attention to securing this integration results in the possibility of spillovers from cyber attacks on IT systems into critical OT processes. 

Lesson Learned: Security must be a priority for successful IT/OT convergence.

4. JBS Foods, May 2021

Prolific ransomware gang REvil hit the world’s largest meat processing company in May 2021 with an attack that led to an almost three-day disruption in operations. While the impact of the attack on consumers was minimal, the attack brought into sharp focus the food security threats from cyber attacks. 

Independent security research discovered leaked credentials belonging to employees in JBS Australia circulating on the dark web in March 2021. These credentials point to an employee’s user account as the initial access vector, most likely to a remote desktop protocol (RDP) connection. Separate research found a vulnerable port open on JBS USA’s IT network. 

Lesson Learned: Attack surface management is vital for critical infrastructure. This management should include automated efforts to monitor your organization’s digital footprint on the dark web for stolen credentials. 

5. Springhill Medical Center, July 2019

The ruthlessness of profit-motivated hacking groups became palpable when healthcare organizations started to suffer from the impacts of ransomware. Springhill Medical Center is a private hospital that serves residents in Alabama. Amidst the chaos of a ransomware attack that took down Springhill’s computers and monitors, a woman gave birth to a child who sustained severe brain damage and died nine months later in the first alleged death resulting from ransomware. 

Since cybercriminals started targeting critical infrastructure, there have been warnings about potential threats to human life. The Springhill attack exemplified that the disruptions from cyber attacks can indeed have tragic consequences. 

Lesson Learned: Lives are truly at stake when it comes to critical infrastructure cybersecurity. All edge case IT/OT attack scenarios must be tested to minimize risk to human life. 

The Importance of a Proactive Approach

While looking back on previous incidents provides actionable lessons, a reactive approach to cybersecurity won’t suffice in critical infrastructure. Detection, response, and remediation methods only function smoothly when they’ve been practiced and have become muscle memory. Teams from both IT and OT networks must be well-versed to respond to different attack scenarios reflecting the growing convergence between these areas. 

Cloud Range provides realistic simulated scenarios that mimic real-world attacks on critical infrastructure. These simulated attacks allow you to proactively improve your cybersecurity defenses instead of waiting for the damage to be done. 

Learn more about Cloud Range for Critical Infrastructure here.