A strong cyber defense is a critical capability in today's world, where both public safety and critical infrastructure are undergoing a full digital transformation. Cyber-attacks are one of the largest and fastest-growing categories of crime in the world because they are cheap to carry out. Moreover, the magnitude of the damage they can cause when directed at critical infrastructure is another reason they are attractive to attackers.
Cyber-criminals are directly responsible for financial assets stolen online, for data breaches, and for the damage and loss inflicted on civil society when critical infrastructure operators are disrupted. Financial losses and damage to critical infrastructure amount to billions of US dollars each year, and in some sectors attack attempts are increasing two- to three-fold each year.
There are three main reasons why cyber-attacks are increasing at such a rapid pace. The first is that industrial enterprises, whose business processes include operational technology, are increasingly pursuing digital transformation based on signaling, sensor technology and Internet of Things technologies, and their automation systems consist entirely of these elements. A cyber-attack on these subsystems, which have become part of operational technology, brings with it many consequences that can have major impacts on the physical world.
Another reason for the increase in cyber-attacks is that financial systems move further online every day. Financial technology makes our lives riskier just as much as it makes them easier. Financial institutions, especially banks, should be very cautious when carrying out digital transformation. The slightest mistake can result in the loss of millions of US dollars in a matter of seconds. In fact, even the central banks of states are frequently targeted by cyber-attackers who are drawn by the access such institutions have to global systems such as SWIFT.
The third and final reason that makes cyber-attacks popular is their ease. Moreover, the identity of the attackers mostly remains anonymous, which makes this kind of attack as attractive as it is easy. Today, many different attack methods can be combined in hybrid form and can leave critical infrastructure systems completely vulnerable and exposed, often because of the targeted victims' lack of knowledge and their mistakes.
When we put all these reasons together, cyber espionage has become an epidemic and is very widespread. Even the world's largest companies and public institutions lose terabytes of intellectual property and financial assets through online systems every year. Anonymous and malicious attackers threaten our power grids, national financial systems, telecommunications infrastructures, healthcare organizations and even nuclear power plants. After all, when critical infrastructures are the target of cyber-attacks, the resulting threat poses a risk to the whole of society, well beyond the public sector.
Due to its geopolitical position, Türkiye is the target of numerous cyber-attacks every day. Türkiye is also very important to other countries, especially in the field of energy, because of major energy projects such as TANAP, Blue Stream and the Baku-Tbilisi-Ceyhan pipeline. In addition, the country is an important international financial service provider, especially for the MEA region, with its 51 domestic and foreign banking institutions. On top of all this, when we consider that the country is the connection point between the Asian and European continents and is surrounded by commercial seas on three sides, we can easily understand how great a danger it faces across all sectors of critical infrastructure.
Cyber security and critical infrastructure is one of the key emerging issues to be discussed within the contemporary security structure. There are multiple reasons behind cyber-attacks on critical infrastructures. According to the US Department of Homeland Security, critical infrastructure (CI) consists of "assets, systems and networks, whether physical or virtual". NATO's 2030 agenda also addresses the growth of cyber threats.
According to data from the World Economic Forum, between 2001 and 2018 the financial losses caused by cyber-attacks targeting critical infrastructure in cities, as reported to the Internet Crime Complaint Center in the US, increased dramatically from 17.8 million USD to 2.71 billion USD. The reason for the rapid increase over the years has been the growth in online connections. Early-stage viruses were boot-sector viruses and could only infect a single local computer, their reach limited to the floppy disks exchanged between users of shared, infected machines. As internet service became more widespread, viruses spread on floppy disks were gradually replaced by viruses attached to emails. These viruses are designed to be attached to data files, and many attacks today continue to be carried out in this way.
As of 2021, the budget allocated to the protection of critical infrastructure within US organizations alone increased by 9 billion USD compared to the previous year and reached 105.99 billion USD, and the increase is expected to continue at a high rate and reach 154.59 billion USD by 2027. The main reason for this increase is the set of security problems that the Covid-19 pandemic brought with remote working. IT staff and other service units responsible for critical infrastructure have had to take more precautions to ensure that systems and services keep running smoothly in an increasingly location-independent working environment. The ability of authorized staff to securely monitor and manage infrastructure operations remotely has therefore become more critical today than ever before.
For the entire IT industry and its stakeholders, especially in the US, the SolarWinds Orion attack of 2020 was a turning point in prioritizing secure connectivity. According to the information SolarWinds shared with the SEC, 18,000 Orion customers, mostly non-governmental organizations and public institutions, had their systems compromised through the update they received. Even more critical was the fact that these institutions included the Pentagon and many other departments of the US government. The scale of the intrusion achieved through this attack clearly demonstrates how vulnerable systems can be when they rely on weakly secured connections, and how easily threat actors can move further inside once initial access is gained.
On 12 December 2015, unauthorized remote access was gained to the control centers of 3 different electricity distribution companies in Ukraine and circuit breakers were opened at 30 different substations, leaving more than 230,000 subscribers in the capital Kiev and the Ivano-Frankivsk region without power for hours.
The first stages of this comprehensive cyber-attack, planned to disable public services, began in the spring of 2015. An office employee of one of the electricity distribution companies unwittingly fell victim to a targeted phishing attack when s/he opened an attachment to an email s/he had received, triggering malware that was able to infect the distribution company's internal network via his/her office laptop. This malware, called BlackEnergy, has been used to infiltrate energy organizations since 2014.
The electricity distribution company had two separate network boundaries, one between the IT network and the Internet and the other between the IT network and the OT (industrial) network, with a separate firewall at each boundary. To carry out an effective attack it was necessary to penetrate both firewalls, enter the internal network, and then send circuit breaker commands to the substations on the OT network. This could not have been accomplished by a targeted phishing attack alone, but a successful first phase provided all the information needed for the next phase by monitoring the computers of the system's users for some time.
During the second phase of the attack, over several months, the BlackEnergy malware was remotely controlled to collect organization-specific data, infiltrate all the server systems step by step, detect vulnerabilities, and carry out monitoring by penetrating the industrial automation network from which the transformers are controlled. After all the necessary information had been collected through advanced persistent threat (APT) techniques and keyloggers, the attackers remotely connected to the target servers during a short window when employees were away from their computers, installed their malware, and thus prepared the system for the day of the attack.
On December 23, the attacker launched the third and final phase of the attack, remotely connecting to the OT servers and rapidly tripping the circuit breakers. The distribution company's operators tried to cut the remote connection and re-energize the transformers, but the attacker, who had captured the operators' passwords with a keylogger during the second phase, had changed all the passwords before the attack and so prevented any intervention while it was under way. The entire attack took place within ten minutes, and the attacker also wiped the disks on the servers, causing permanent and catastrophic data loss. In addition, by connecting to the IT servers, s/he rendered the call center inoperable with a DDoS attack and prevented subscribers from contacting the distribution center. This was enough to keep the blackout in place for a longer period of time.
To summarize the stages of the attack: the 1st phase involved sending a targeted phishing mail carrying the BlackEnergy malware to multiple users; it took a few days before one of the employees interacted with it, after which the malware gradually spread across the organization's internal network into a months-long listening phase. The 2nd phase continued for five months as a passive listening phase. The 3rd and final phase, in which the attack itself took place, was the shortest: at this stage the systems were locked down at the chosen moment and the entire attack took place in just ten minutes.
None of the three phases of the attack could be fully analyzed, because the attacker wiped data and thereby permanently erased most of the log records on the system. Two major factors make this attack important: first, many different cyber-attack methods were used together to maximize the damage to critical infrastructure, and second, this attack, carried out by a Russia-based hacker group, added a new dimension to the Ukraine-Russia war that erupted after the Crimea crisis.
It is also worth recalling that 91% of all electricity networks in the world have experienced at least one cyber-attack, which shows more clearly how much risk electricity generation networks are under.
The NotPetya attack of June 2017, carried out using ransomware, is the cyber-attack with the largest economic impact to date, with a loss of 10 billion USD to its victims. Once again, this attack initially targeted Ukraine but later became uncontrollable and spread rapidly to many countries around the world.
The source of the attack was the M.E. Doc tax calculation application belonging to the Linkos Group in Ukraine. The application was used by all entities that trade in Ukraine and are included in the tax system. The virus infected the systems via an update patch to the M.E. Doc application. The hacker group, thought to be based in Russia, compromised this update package and planted the ransomware in it, and every entity that applied the update quickly introduced the virus into its own systems. The main reason the virus caused so much damage was a vulnerability in SMB, the Server Message Block protocol used in Microsoft operating systems, through which it spread rapidly to the entire network of the user entity as well as to the systems of third parties and organizations connected to those entities. In this respect, the NotPetya attack is the most widespread cyber-attack in the shortest period of time…