Every organisation must be ready for a cyberattack at any moment in today’s connected landscape. Phishing and ransomware, for example, have become ubiquitous and constantly evolve, requiring enterprises to always step up their defences.
State-sponsored attacks, however, represent a whole other breed of threat due to their size, scope, and motivation. While critical infrastructure sectors like gas, water, and telecommunications are frequently in the crosshairs, other businesses shouldn’t assume they’re immune to these malicious actors.
To address this issue, Nathan Wenzler, Chief Security Strategist at Tenable, sat down with Frontier Enterprise. He explored the current state of state-sponsored attacks and suggested how enterprises and entire industries can respond.
What are your current observations pertaining to state-sponsored attacks, as opposed to usual cybersecurity threats?
I absolutely think there’s a real threat going on there. We’ve seen instances, such as the recent discovery of the Volt Typhoon (APT Group), which illuminate the scale of these threats. When such attacks are brought to light, it becomes clear what these kinds of attacks truly entail. In this context, an attack doesn’t necessarily mean something active has occurred. Many nation-state actors are preparing for future attacks by infiltrating systems, building persistence, and quietly embedding themselves in as many systems as possible. This groundwork, although silent, constitutes an attack; they have breached systems and compromised security. This is a key distinction between nation-state attacks and those by traditional cybercriminals, who are usually motivated by financial gain. Nation-state actors employ different tactics and motivations, presenting a unique challenge. Every instance of nation-state actor attacks reveals a consistent pattern: a broad scope, quiet infiltration, and compromise of a large number of systems.
These actors exhibit greater sophistication, aiming to remain undetected, with a specific focus rather than opportunistic attacks. This contrasts with cybercriminals, who, if they encounter robust defences, may simply move to the next target. Nation-state attackers, however, are determined and selective in their targets.
Critical infrastructure has been largely ignored for many years, with a false sense of security about non-standard computing platforms. The interconnectedness of these systems, while beneficial for management and public safety, also makes them prime targets. The original assumption that these systems, due to their isolation, required no stringent security measures has been proven dangerously naive. Now that these systems are network-connected, their inherent vulnerabilities are exposed.
The interconnectivity of critical systems offers significant benefits for management, monitoring, and public safety. However, this also renders them vulnerable to attacks. IoT devices, modems, and routers, closely linked to critical infrastructure networks, have been exploited by adversaries for quiet staging. This strategy allows them to remain close to targets that are poorly monitored and defended, poised for significant impact. Through quiet staging, adversaries position themselves advantageously, ready to strike when the opportunity arises.
How do you see the current strict separation between IT and OT systems progressing in the future?
I think we’re going to see a big mix of that. Many companies and organisations are moving towards more interconnected setups for their environments. Consequently, OT systems and networks are now, at least to some extent, connected to the corporate or IT environments. Realistically, every OT environment contains traditional IT systems, including workstations and servers, underpinned by some form of Active Directory domain for user logins. Thus, a complete separation has never truly existed; it’s more a question of how far the network extends. We’ve seen this trend starting to happen.
In some cases, we may see organisations reverting to a purely air-gapped model for certain systems. However, I envisage this shift occurring within the context of more formal risk management strategies. Historically, going back 20, 30, 40 years, the assumption was that industrial facilities would remain isolated, a notion that has evolved over the past few decades.
An illustrative example involves an energy company managing assets across approximately 50 different locations, including power plants and hydroelectric dams. The approach to asset identification was manual, with an engineer recounting how they physically visited each site to record serial numbers and firmware versions, consuming a substantial portion of their time. The introduction of software tools and sensors capable of automating this process represented a significant shift, potentially freeing up time for other tasks and highlighting the inefficiencies and inaccuracies of manual processes.
The engineer’s reaction to the introduction of automated tools for asset identification underscored a shift in operational efficiency. The prospect of eliminating the need for manual checks brought a sense of relief. This was a reflection of how manual processes, apart from being time-consuming, were prone to inaccuracies and oversights, such as missing an asset during factory walkthroughs or overlooking a device hidden under a desk. The transition highlighted the importance of evaluating the trade-offs between the tangible benefits of automation against the risks and inefficiencies inherent in manual systems.
Reflecting on the evolution of the security landscape over the past two and a half decades, the engineer noted a dramatic improvement. Where once the industry made do with limited tools, necessitating the creation of custom scripts and security protocols, the present offers a plethora of sophisticated technologies. These advancements facilitate a more effective management of integrated IT and OT environments, enabling organisations to implement controls and practices that were previously unavailable. This progress not only enhances monitoring and response capabilities but also introduces operational efficiencies that far outweigh the drawbacks of traditional, disconnected systems.
The conversation around the necessity and benefits of integrating advanced technological solutions into organisational infrastructure has thus shifted. The acknowledgment of these advancements illustrates a broader industry recognition of the efficiency gains and improved security posture achievable with modern tools. Consequently, the inclination towards maintaining disconnected, air-gapped systems is diminishing in favour of a more integrated, technology-driven approach that ensures robust infrastructure protection in an interconnected environment.
How can governments in Singapore and other parts of Asia, where critical infrastructure is mainly state-owned, effectively collaborate with the private sector to protect against state-sponsored cyberattacks?
Looking at some of the legislation that was passed, and recent activities like those in the Philippines and the anti-ransomware initiative that the US initiated with other 40 countries, it’s evident that many steps are being taken by governments. What struck me immediately, from my history and experience in the industry, is the need for private and public sectors to work hand-in-hand. There is truly no separation of responsibility or duty. This presents a challenge, as motivations, resources, and financial capabilities differ vastly. In many instances, governments may have more funds than corporations, or conversely, in places like the US, corporations may outpace government funding. However, the notion that the government is solely responsible for stopping cyberattacks, leading some in the private sector to believe they need not take action, is a mistake. Viewing this as a partnership is crucial; if the government escalates its efforts, the private sector must reciprocate. View it from that adversarial standpoint, the nation-state actors, the cybercriminals, all of these groups, they have all of these hackers at their disposal.
Consider Singapore, a nation with advanced technological platforms and a unified app for government services, which every citizen relies on. To an attacker, there is no distinction between the government operating such an app and its users; the target is simply the app. If compromising it can impact a country or its services, that becomes the focus, whether by attacking government infrastructure, like data centres or backend servers, or by compromising users’ devices. Attackers have numerous options and will choose whatever achieves their goal. They are not concerned with whether their target is part of the government or the private sector.
Therefore, adopting a stance where the government and private sector operate in isolation is ineffective. Recognising the importance of collaboration, despite the challenges of resource allocation, is vital. Private sector organisations need to build robust relationships with the government, fostering joint cooperation. As the government amplifies its defensive measures, the private sector must follow suit. Many countries face difficulties due to the nascent state of their security programs, still in the process of developing the necessary infrastructure and resources. Expecting the government to shoulder the entire burden because it supposedly has greater resources is a flawed approach. There is no ‘they’ in this scenario; there is only ‘us,’ and we must collectively adopt this mindset to enhance our defensive capabilities.
Legislation is one thing, but enforcement is a whole other matter. Any thoughts on how the enforcement or counteroffensive against state-sponsored attacks can be taken care of?
Addressing cyberattacks involves two different discussions: enforcement strategies and future defence mechanisms, alongside the separate topic of counteroffensive measures. However, we have to be realistic. There is no absolute; we will never completely eradicate cyberthreats. That’s an important part of understanding cyberattacks just in general: Yes, technology is just machines, and despite automation, our use of these tools constantly evolves. Thus, completely eliminating cyberattacks is impossible; we’ll never achieve zero incidents.
It’s very similar to the legislative efforts made in every country for fire safety. There are building codes prohibiting the use of highly flammable materials and mandating the installation of sprinkler systems and fire extinguishers on every floor of every building. Financial investments have also been made over the years in fire departments to enhance response capabilities to fires. This comprehensive legal and financial commitment aims at preventing fires, acknowledging, however, that fires still occur despite these measures. Yet, we don’t witness catastrophes like the early 1900s incident where two-thirds of San Francisco was devastated by an uncontrollable fire. The frequency and severity of fire incidents have significantly decreased, demonstrating that these measures are intended to mitigate damage rather than completely eliminate the occurrence of fires.
Cyberattacks are similar. We’re never going to get to zero, but we can do better to mitigate the amount of harm that those cyberattacks can cause. We can also do better to lower the frequency in which they happen. That’s where the legislation can be very effective and very important.
The steps taken by Australia against ransomware attacks is fascinating because they identified who was responsible for the attacks. They implemented sanctions and criminalised any form of financial assistance to these cybercriminals, including providing access to cryptocurrency wallets. That’s a significant step by a government agency to recognise that eliminating financial incentives for cyberattackers strips away the motivation. This, in turn, are big steps to mitigate the harm. Is it going to stop that particular threat actor from conducting ransomware attacks? Probably not. Will it impact their ability to make money from it? Definitely. Is it going to impact their ability to continue wide-scale attacks? Probably.
Understanding that it’s impossible to prevent 100% of cyberattacks is crucial. Acknowledging this reality is key to managing our expectations and focusing on mitigation and resilience rather than unattainable perfection.