New Delhi: Digitization in critical infrastructure sectors is leaving the door open for hackers to exploit unpatched vulnerabilities. Experts and industry stakeholders say that state-backed cyber criminals are often behind such attacks, and the increasing demand to connect operational technologies (OT) to the information technology (IT) infrastructure is adding to the cyber risks companies face.
OT infrastructure refers to the core operational equipment of a company. For instance, the oil rigs and exploration equipment of a company such as ONGC would fall under the purview of OT, and form the critical infrastructure of the company.
IT-OT integration, on the other hand, refers to connecting OT equipment, which has so far remained disconnected, to the internet. This is done by using sensors and chips, which provide companies with data on the equipment's functioning, etc.
In May last year, a report by trade association Nasscom, titled ‘Reimagining Indian enterprises’ tech landscape’, highlighted that 60 percent of companies in the Indian manufacturing sector were actively increasing their investments in digital services and digitization of their infrastructure. The story is similar for entities in other sectors as well, such as power generation and distribution, and oil and gas.
According to N. Raman, executive director and chief information security officer (CISO) of Oil and Natural Gas Corporation (ONGC), while the company’s OT infrastructure remains air-gapped as of today, it too is increasing its IT-OT integration due to industry demand.
However, while air-gapping has so far been possible, an increasing need to connect critical infrastructure to IT for operational efficiencies is exposing that infrastructure to cyber vulnerabilities. “When you deploy new infrastructure from scratch, you can have security built into the system by design. However, retrofitting connectivity in a legacy system (such as a company’s existing OT infrastructure) leaves the scope open for cyber security vulnerabilities, which is what the attackers look to exploit,” explained Raman.
A report from earlier this month by consultancy firm Deloitte, titled ‘Reimagining OT cyber security strategy’, highlighted this. The report cited data from India’s National Critical Information Infrastructure Protection Centre (NCIIPC)’s Responsible Vulnerability Disclosure Programme to state that in Q3 2021 alone, 3,913 vulnerabilities were reported in critical infrastructure of Indian companies.
For instance, the NCIIPC's Common Vulnerabilities and Exposures (CVE) database for April 2022 reports flaws in tools that automate even basic functions, such as human resources and IT, along with software used to connect to data centers, design products and more. CVE databases are public lists of commonly known computer security flaws.
Power grids in India, which faced a slew of cyber attacks during this period, were likely contributors to these vulnerabilities. In July 2021, union power minister Raj Kumar Singh told Parliament that load dispatch centres belonging to Power System Operation Corporation (Posoco), National Thermal Power Corporation (NTPC) Kudgi and the Telangana State Transco faced cyber attacks. In the disclosure, Singh stated that the cyber attacks were unsuccessful.
In October 2020, a widespread power outage in Mumbai that affected critical public services such as railways, water supply and hospitals was allegedly caused by a state-backed cyber attack. At the time, Nitin Raut, minister for power in the Maharashtra state government, had alleged sabotage of critical infrastructure as the cause.
More recently, in April this year, Oil India Limited (OIL) reportedly faced a cyber attack on its IT systems. While the company maintained that no losses were incurred, reports claimed that the hackers deployed ransomware in OIL’s IT infrastructure, and demanded $7.5 million to unlock its servers.
An April 2022 report on cyber attacks on the Indian oil and gas industry’s infrastructure by civil body CyberPeace Foundation stated that the OIL attack was only one such instance. It claimed that between October 2021 and April 2022, over 3.6 lakh such cyber attacks were observed.
“It’s not that companies are being careless in their adoption of Industry 4.0 standard. But, the security threat that comes with digitizing legacy infrastructure with 15-20-year life spans is unavoidable,” said Santosh Kinugu, executive director of Deloitte India.
Further, Akshat Jain, co-founder and chief technology officer (CTO) of cyber security firm CyberArk, said that along with all the complexities of OT infrastructure, most exploits have a human origin. “Most of the issues in the critical infrastructure cyber security space occur due to human lapses. For instance, an unsuspecting employee can fall prey to a spear phishing email and inadvertently give access to a company’s entire IT and OT infrastructure to attackers, which creates a big security issue for companies,” he said.
A shortage of cyber security professionals is also a problem, experts stated. While ONGC’s Raman said that all of the company’s cyber security operations are handled by an in-house team, Jain added that companies are now looking to outsource their security operations to external security firms.
While companies such as Sophos, CrowdStrike and even Microsoft today offer cyber security teams along with software, the threat to critical infrastructure is a persistent one – and with increasing digitization, is only set to grow.