A Stuxnet-like attack could “very easily happen again”, a cybersecurity expert has warned, as tensions grow following Russia’s continued war against Ukraine.
Stuxnet was a computer worm designed to attack Iranian nuclear centrifuges. The scale of the endeavour heavily implies state-backing for such an attack. Given geopolitical tensions, similar assaults on new targets cannot be ruled out.
DNV Cyber Security head of business development Christian Nerland cited widespread concerns among energy sector professionals. Nerland said the company had carried out a survey, showing that 60% of respondents expected a “serious cyber incident” in their systems within the next two years.
The company carried out its survey around the time of the invasion. It saw concerns rise by 10% from before the invasion to after.
Russia launched a cyberattack on a communications company, Viasat, one hour before it launched its invasion of Ukraine, according to UK authorities. The cyberattack was intended to degrade the Ukrainian military, but there was a knock-on impact, felt by wind farms in central Europe and internet users.
DNV Cyber Security focuses on control systems. Attacks on these are particularly concerning, Nerland reported.
“The really scary part is that it’s not just losing data or money, but plants can blow up, personnel be killed or oil spills occur,” he said.
While the attack on Nord Stream appears to have been a result of some sort of explosive device, this sort of an incident can also be caused by a cyberattack. In the 1980s, the CIA is alleged to have caused an explosion in a Soviet Union gas pipeline through manipulating pressure tests.
It is not just nation states that can pose cyber risks, Nerland continued.
“Green activists, terrorist organisations, nation states working on sabotage, there are many types of players,” he said.
Companies have responded by commissioning more penetration testing, where “good guy” hackers attempt to enter their systems, in a bid to test defences. Nerland said there had also been more demand for training.
“Technology is easy, you can buy it off the shelf. What’s harder is getting your people to understand and be aware – and keep on being aware,” he said.
The task is uphill. “What is great today might not work tomorrow, it’s a never ending story”, the DNV executive continued.
Nerland drew a comparison to how physical safety operations had improved over the years. Incidents such as Piper Alpha and Macondo served as a awake up call, for companies and regulators.
“Companies need to collaborate. There needs to be more standardisation,” he said. Where companies already work together, such as contractors working for an operator, care must be taken so the cybersecurity concerns are aligned. “Supply chain security – there are weak links,” Nerland continued.