Critical Infrastructure Is at Risk. How Bringing in Penetration Testing Companies Can Offer Protection from Nation-State Attacks

By Silka Gonzalez, ERMProtect, Founder & President

Most Americans have never heard of Aliquippa. Perhaps that’s what made this small western Pennsylvania town a perfect target for a cyberattack.

In late 2023, a booster station for Aliquippa’s water authority was hacked by an Iranian cyber organization known as Cyber Av3ngers. “In the attacks, hackers affiliated with Iran's Islamic Revolutionary Guard Corps penetrated programmable logic controllers, or PLCs — industrial computers made to control heavy machines that are used in factories and public utilities,” explained Government Technology.

A small town was the perfect place for a nation-state threat actor to launch an attack on critical infrastructure. Such towns are less likely to have cybersecurity systems in place or to conduct regular risk assessments or penetration testing of their facilities because, as Matthew Mottes, the chairman of Aliquippa’s water authority, stated, “If you told me to list 10 things that would go wrong with our water authority, this would not be on the list.”

If this Iranian attack raised awareness of the risks to critical infrastructure, it didn’t take China very long to up the ante. At the end of January 2024, the FBI announced it “disrupted a state-backed Chinese effort to plant malware that could be used to damage civilian infrastructure.”

The hacking group, Volt Typhoon, planned to launch botnets across hundreds of home and small-business routers as a way to divert attention while it planned malware attacks on critical infrastructure ranging from water treatment plants to the electric grid. The FBI disrupted the botnet before it could do damage, but as CISA reported, “Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and noncontinental United States and its territories, including Guam.” The activity, CISA added, is not consistent with typical espionage operations, which heightens concern that attacks on critical infrastructure are being prepared rather than merely explored.

“China's intent, as highlighted by FBI Director Christopher Wray, involves positioning themselves strategically within American infrastructure to potentially inflict real-world harm if necessary,” said Lisa Plaggemier, Executive Director at the National Cybersecurity Alliance, in an email interview. “The goal may be to gain leverage in geopolitical conflicts, advance economic interests, or undermine confidence in democratic institutions.”

Critical Infrastructure Is Vulnerable

Critical infrastructure is an easy target for nation-state actors. The equipment and facilities often run outdated devices and systems. Those operating critical facilities and utilities have not adopted adequate cybersecurity measures, and they lack comprehensive threat awareness tools and training.

“Outdated devices, particularly routers and other networking equipment, present a specific risk due to the lack of software updates and security patches, making them susceptible to exploitation by malicious actors,” said Plaggemier. “Additionally, critical infrastructure systems often rely on interconnected networks and legacy technologies, which may have inherent vulnerabilities that can be exploited. Certain sectors, such as the energy grid and transportation networks, are particularly at risk due to their widespread impact and reliance on interconnected systems.”

According to CISA, Volt Typhoon relied on living off the land (LOTL) techniques to target critical infrastructure. LOTL attacks use trusted and legitimate tools already present on the system, so they leave no malware to detect and blend in with routine administration; spotting them depends on the context in which a tool runs (which account, which parent process, how often) rather than on the tool itself.
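The following is an added illustration, not code from the article or from ERMProtect: a small Python triage routine that scores constructed Windows process-creation events for LOTL activity. The watchlist of built-in tools, the allow-list of administrator accounts, the interactive parent processes and the baseline counts are all assumptions for this example; the point is that the same legitimate binary scores zero from an administrator's shell and high when spawned by a web-server process or a service under an unexpected account.

```python
"""Constructed example: context-based scoring of process-creation events for
living-off-the-land (LOTL) activity. The binaries are legitimate, so the
signal is who ran them, from where, and whether that is normal."""
from collections import Counter

# Built-in Windows admin tools often abused in LOTL activity (assumed watchlist).
LOTL_TOOLS = {"wmic.exe", "netsh.exe", "ntdsutil.exe", "powershell.exe",
              "certutil.exe", "reg.exe", "schtasks.exe"}
# Parents from which an interactive administrator would normally launch tools.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "mmc.exe"}
# Accounts expected to run these tools (assumed allow-list for this example).
ADMIN_ACCOUNTS = {"CORP\\svc-backup", "CORP\\jdoe-adm"}

def score_event(ev, baseline):
    """Return (score, reasons) for one event. `baseline` is a Counter of
    (user, image) pairs observed during a learning window."""
    image = ev["image"].lower()
    if image not in LOTL_TOOLS:
        return 0, []
    score, reasons = 0, []
    if ev["parent"].lower() not in INTERACTIVE_PARENTS:
        score += 2; reasons.append(f"non-interactive parent {ev['parent']}")
    if ev["user"] not in ADMIN_ACCOUNTS:
        score += 2; reasons.append(f"non-admin account {ev['user']}")
    if baseline[(ev["user"], image)] == 0:
        score += 1; reasons.append("never seen for this user in baseline")
    return score, reasons

def triage(events, baseline, threshold=3):
    """Return (image, user, score, reasons) for events at or above threshold."""
    hits = []
    for ev in events:
        s, why = score_event(ev, baseline)
        if s >= threshold:
            hits.append((ev["image"], ev["user"], s, why))
    return hits

# Constructed baseline: the backup account runs wmic.exe routinely.
BASELINE = Counter({("CORP\\svc-backup", "wmic.exe"): 40})

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"user": "CORP\\svc-backup", "parent": "cmd.exe", "image": "wmic.exe"},
    {"user": "CORP\\jdoe-adm", "parent": "explorer.exe", "image": "netsh.exe"},
    {"user": "IIS APPPOOL\\site", "parent": "w3wp.exe", "image": "powershell.exe"},
    {"user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe", "image": "ntdsutil.exe"},
    {"user": "CORP\\alice", "parent": "winword.exe", "image": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in triage(EVENTS, BASELINE):
        print(hit)  # flags the w3wp.exe and services.exe launches only
```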

Using Pen Testing Firms to Protect Critical Infrastructure

Penetration testing services play a crucial role in helping companies within critical infrastructure identify vulnerabilities and threats within their systems.

“By simulating real-world cyberattacks,” said Plaggemier, “penetration testing can uncover weaknesses in networks, applications, and infrastructure components that could be exploited by malicious actors. It also provides organizations with valuable insights into their security posture, allowing them to prioritize remediation efforts and strengthen their defenses against potential cyber threats.”

Risk assessments and penetration testing services improve cybersecurity hygiene in an industry that has traditionally treated security as an afterthought. Penetration testing will find the exploitable weaknesses in old operating systems and software, and it helps harden the protections around the built-in tools abused in LOTL attacks. In fact, CISA recommends using third-party pen testing firms to validate systems and meet any compliance standards that apply to critical infrastructure.

While the FBI has issued warnings about these threats, addressing vulnerabilities and preventing cyberattacks requires a multifaceted approach. Concrete steps for mitigating risk include implementing robust cybersecurity protocols, conducting regular risk assessments, and enhancing employee training and awareness.

“Organizations should prioritize continuous monitoring of their networks for suspicious activity, regularly update software and firmware to address known vulnerabilities, and establish incident response plans to quickly address any breaches,” said Plaggemier. “Collaboration with government agencies, industry partners, and cybersecurity experts can also provide valuable resources and guidance in developing effective defense strategies.”

ERMProtect Can Help

ERMProtect has been providing penetration testing services since its founding in 1998. We conduct pen testing and Red Team assessments for critical functions of multiple government and semi-government entities, including but not limited to aviation, transportation, healthcare, water treatment and utilities. We have the expertise and experience required to help your organization. Please contact Silka Gonzalez at sgonzalez@ermprotect.com, Judy Miller at jmiller@ermprotect.com or call 305-447-6750 to set up a free consultation.

Silka Gonzalez, CPA, CISSP, CISM, CISA, CITP, CRISC, PCI-QSA, is the founder and president of ERMProtect. Since 1998, ERMProtect has provided Information Security and IT risk management services to hundreds of clients in over 40 industries worldwide. Silka has more than 30 years of experience in the field of Cybersecurity. Silka received Bachelor’s degrees in both Computer Information Systems and Accounting from Xavier University. She received her Master’s degree in Accounting Information Systems from Florida International University. Silka also completed an Entrepreneurial Master’s Program at Massachusetts Institute of Technology.
