In May 2023 the Danish energy sector was hit by several waves of cyber attacks. SektorCERT were able to detect and mitigate the attacks early on by relying on their network-based intrusion detection system (NIDS).
May 11, 2023 became the busiest day for SektorCERT, a Danish non-profit body determined to secure Denmark’s source of economic and societal life: the energy distribution network.
On that day and in the following weeks, Danish critical infrastructure was exposed to several waves of cyber attacks that included everything from targeted, orchestrated attacks to APT activity and opportunistic followers who jumped on the bandwagon for a quick win. Even the notorious advanced persistent threat group Sandworm seems to have shown up briefly.
It all started with a new vulnerability in a type of firewall (made by Zyxel) commonly used by Danish critical infrastructure operators to separate the external from the internal network. Patching of the firewalls typically went slowly, so SektorCERT were already on high alert when, on May 11, alarms in their nation-wide security monitoring went off. Naturally, the firewalls themselves did not see their own compromise; instead they willingly handed over access credentials to the attackers.
Eleven companies were compromised immediately. Over the following weeks this number grew to 22 companies that operate parts of the Danish energy infrastructure. In particular, the initial targeted attacks were surprisingly successful. As SektorCERT wrote in their report: “The attackers knew in advance who they wanted to hit. Not once did a shot miss the target. All attacks hit exactly where the vulnerabilities were. Our assessment was that it was an attacker who did not want to make too much noise, but wanted to ‘fly under the radar’ and avoid being detected if someone was watching in traffic.”
Nonetheless, SektorCERT were able to mitigate most attacks and prevent the worst fallout. A few companies went offline to stop the threat from propagating. One critical infrastructure operator even shut down all connections to its infrastructure and had to drive out to all remote locations to resume manual operation. Apart from that, the Danish people enjoyed an undisturbed electricity supply, thanks to SektorCERT’s expertise, commitment and smart detection system.
How were SektorCERT able to react that quickly?
Of course, the long answer paints a somewhat more complex picture that includes a large expert team, an even larger threat library, a direct connection to the authorities and a well-oiled process.
But to get down to the fundamentals of it all, the short answer is: NIDS – a network-based intrusion detection system that allows them to monitor communication to, from and within their members’ networks, including IT and OT networks.
According to the report, SektorCERT has 270 sensors installed at Danish critical infrastructure sites (as of May 2023). SektorCERT offers two levels of network monitoring. The basic monitoring taps the external network just before it enters a member’s infrastructure, while the extended monitoring adds sensors to critical nodes in a member’s internal networks. Both OT and IT can be included. The sensors passively record the entire traffic passing them and send it to SektorCERT for analysis to detect anomalies in any asset’s behavior.
In a nutshell, SektorCERT runs a large-scale network monitoring and anomaly detection operation, not unlike Rhebo’s own NIDS, Rhebo Industrial Protector. And we celebrate what they have accomplished.
Because the most important take-away from SektorCERT’s report is: The non-profit organization would not have been able to detect the attacks without their NIDS. The firewalls certainly wouldn’t have helped them. Or as SektorCERT stated in their report: “We were therefore in a situation where the attack groups had a publicly known vulnerability they could use to penetrate the industrial control systems. And the primary defense against that happening was precisely the equipment that was vulnerable [i.e., the firewalls]. It was a so-called worst case scenario – the worst imaginable scenario.”
An NIDS is the much-needed second line of defense
Only by continuously monitoring the entire communication stream from, to and within their members’ networks were SektorCERT able to see the attackers’ various activities in real time. Only by looking for anomalous network behavior that did not fit the expected pattern were SektorCERT able to detect the attacks (some of them 0-day exploits) at an early stage and react quickly for a successful mitigation.
Most of all, the case highlights the need for a defense-in-depth approach, particularly in highly volatile, sought-after and critical infrastructures. The approach covers exactly the case SektorCERT experienced in May 2023. When the first line of defense (i.e. firewalls) gets compromised or bypassed (e.g. by means of stolen credentials), there needs to be a second line of defense within the network to detect, locate and characterize the breach. That is exactly where OT monitoring with anomaly detection sits.
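To make concrete what the sensors described above do and what “anomalous network behavior that did not fit the expected pattern” can mean in practice, here is an added illustration written for this article; it is not code from the SektorCERT report or from Rhebo Industrial Protector. A passive sensor’s flow records from a known-good period define the expected pattern (which assets exist, which communication relations between them are normal, and how much data each relation usually carries); flows captured later are checked against that baseline, and an unknown asset talking outward, a new relation between known assets, or an unusual data volume on a known relation each raise an alert. Every address, port and flow record is constructed sample data.

```python
"""Baseline-based anomaly detection over OT network flow records.

Added illustration, not code from the SektorCERT report or from any Rhebo
product. A known-good capture at a passive sensor defines the expected
communication pattern; later flows are checked against it. All hosts,
ports and flow records below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since capture start (constructed)
    src: str         # source address
    dst: str         # destination address
    dport: int       # destination port
    proto: str       # transport protocol, "tcp" or "udp"
    bytes_out: int   # bytes sent src -> dst in this flow


@dataclass
class Baseline:
    hosts: set = field(default_factory=set)           # assets seen while learning
    relations: set = field(default_factory=set)       # (src, dst, dport, proto) seen
    volume_limit: dict = field(default_factory=dict)  # byte ceiling per relation


# Learning-phase sample (constructed): a SCADA server (10.10.1.5) polls two
# PLCs (10.10.2.10 and 10.10.2.11) over Modbus/TCP, and an engineering
# workstation (10.10.1.20) reaches the SCADA server over HTTPS.
BASELINE_FLOWS = [
    Flow(0,  "10.10.1.5",  "10.10.2.10", 502, "tcp", 320),
    Flow(1,  "10.10.1.5",  "10.10.2.11", 502, "tcp", 310),
    Flow(2,  "10.10.1.20", "10.10.1.5",  443, "tcp", 4200),
    Flow(10, "10.10.1.5",  "10.10.2.10", 502, "tcp", 335),
    Flow(11, "10.10.1.5",  "10.10.2.11", 502, "tcp", 305),
    Flow(12, "10.10.1.20", "10.10.1.5",  443, "tcp", 3900),
]

# Monitoring-phase sample (constructed): one normal poll followed by three
# deviations a second line of defense should surface.
MONITORED_FLOWS = [
    Flow(100, "10.10.1.5",  "10.10.2.10",  502, "tcp", 330),   # expected poll
    Flow(101, "10.10.0.1",  "203.0.113.7", 443, "tcp", 900),   # unknown asset reaching out
    Flow(102, "10.10.1.20", "10.10.2.10",  502, "tcp", 200),   # known hosts, new relation
    Flow(103, "10.10.1.5",  "10.10.2.11",  502, "tcp", 5000),  # known relation, unusual volume
]


def learn_baseline(flows, headroom=3):
    """Build the expected pattern from a known-good capture.

    The volume ceiling per relation is `headroom` times the largest flow seen
    during learning. A production system would use a longer learning window
    and time-of-day statistics; the fixed factor keeps the idea visible.
    """
    base = Baseline()
    seen_bytes = defaultdict(list)
    for f in flows:
        rel = (f.src, f.dst, f.dport, f.proto)
        base.hosts.update((f.src, f.dst))
        base.relations.add(rel)
        seen_bytes[rel].append(f.bytes_out)
    base.volume_limit = {rel: headroom * max(v) for rel, v in seen_bytes.items()}
    return base


def detect(flows, base):
    """Return (flow, reason) pairs for flows that do not fit the baseline.

    The checks are ordered so that each flow yields at most one reason.
    """
    alerts = []
    for f in flows:
        rel = (f.src, f.dst, f.dport, f.proto)
        if f.src not in base.hosts or f.dst not in base.hosts:
            alerts.append((f, "unknown asset"))
        elif rel not in base.relations:
            alerts.append((f, "new communication relation"))
        elif f.bytes_out > base.volume_limit[rel]:
            alerts.append((f, "volume above baseline"))
    return alerts


def run_demo():
    """Learn from BASELINE_FLOWS, check MONITORED_FLOWS, return the alert reasons."""
    base = learn_baseline(BASELINE_FLOWS)
    alerts = detect(MONITORED_FLOWS, base)
    for f, reason in alerts:
        print(f"t={f.ts:>4} {f.src} -> {f.dst}:{f.dport}/{f.proto} "
              f"{f.bytes_out}B  {reason}")
    return [reason for _, reason in alerts]


if __name__ == "__main__":
    run_demo()
```

Note that the firewall in the May 2023 case sits exactly in the position of the constructed host 10.10.0.1 here: the perimeter device itself has no way to report its own compromise, but a sensor behind it sees the outbound connection the device never made before. The order of the checks also matters operationally; an unknown asset is reported as such rather than as a new relation, so the analyst knows whether to look for a rogue device or for a changed behavior of a known one.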
Defense-in-Depth includes both perimeter security and inner security akin to the security posture of a nation state.
While this definitely also includes the IT environment of critical or important entities, it is even more crucial for the OT environments which are historically insecure-by-design and often neglected in terms of risk exposure and cybersecurity posture.
Fortunately, (critical infrastructure) companies do not have to wait until a nation-wide, non-profit organization like SektorCERT is established in their country to protect their industrial assets with OT monitoring and anomaly detection. Rhebo Industrial Protector is available for any industrial company and can be easily integrated into the OT network as well as SIEM systems like Splunk or IBM QRadar.
It’s time to look out for your OT networks.
Header photo: Nils Jepsen (user:Nico-dk), CC BY-SA 3.0 <http://creativecommons.org/licenses/by-sa/3.0/>, via Wikimedia Commons