Cyber attacks can have a major impact on operational technology security systems.
By Rik Ferguson
From the August 2023 Issue of facility executive
From politics to pop culture, “fake news” has become a hot topic. It can move markets, influence elections, and convince the world that the Pope is a fashion icon. Though the Colonial Pipeline attack was by no means “fake news,” it provides a related example of how perception can influence beliefs and behaviors; consumers who heard of the attack became concerned about the availability of gas, leading to a surge in consumption and an ultimate shortage.
This scenario raises the question of whether disinformation campaigns could lead to that same kind of outcome without a ransomware attack ever occurring. Beyond perception, could disinformation impact cybersecurity processes and responses to threats? What would happen if disinformation were received and acted upon unnecessarily to help ascertain the state of an operational technology environment’s security posture?
As attacks on some of our most critical infrastructure continue to rise in number and sophistication, the potential for disinformation to impact operational technology (OT) security and its risk management strategies, potentially without an attack even being launched, is a scenario security teams absolutely need to prepare for, and one where they need to know what to look for.
Poisoning The Well With Disinformation
As fake ransomware gangs, false breach claims and empty threats become more prevalent, it is important to be aware of the tactics these actors may leverage to disseminate disinformation and influence OT environments.
One avenue attackers may take is targeting actual OT security systems and information. This could involve feeding inaccurate data into industrial control systems (ICS) that automate OT environments to tamper with controls, such as those regulating the temperature of a nuclear power plant. Or, it could involve manipulating the data lakes that govern artificial intelligence (AI) and machine learning (ML) functions and decision making. If organizations can no longer rely on the integrity of their own data, they will be forced to halt operations until the claim can be either proved or disproved, resulting in costly periods of downtime.
Apart from targeting physical security systems, bad actors may also choose to target individuals through social engineering schemes. Take the example of Business Email Compromise, where an attacker pretends to be someone senior in the victim’s organization and uses that position to persuade a “colleague” in finance to pay bogus invoices. Now, think of that in the context of shutting down or reconfiguring critical processes, or opening up attack vectors into the organization, such as opening ports on firewalls. Now you have a disinformation-driven, socially engineered attack…