Learn how to stay ahead of cyber attacks

Use a risk-based approach to minimize risk against cyber attacks, especially for critical infrastructure facilities and industries.

By Ken Modeste, UL April 14, 2018

As governments, businesses, and individuals become more connected each day, the risks of cyber attacks are growing in tandem with that connectivity. An interesting shift is starting in cyber-attack activity, intention, and attribution. Independent hackers or hacker organizations used to be at the forefront of cyber attacks; now, nation-state sponsored attacks against government institutions and businesses (especially those in the critical infrastructure segments) have increased.

Though the backing of a nation-state does not mean an attack will be more nefarious or damaging than one launched by an independent hacker organization, nation-state sponsorship often provides an attacker with considerable resources. The cyber-weaponization of nations and the attacks that inevitably follow are not necessarily new, but this territory has recently been forced into the spotlight, and now is the time for companies to take action to guard against the risk of a cyber attack.

Fortunately, companies can learn a lot from past attacks, even from those outside their industry, to improve their defensive postures and to take necessary cybersecurity measures.

Looking at what made some of these nation-state cyber attacks successful, it is possible to identify patterns in attack methods, understand common access paths, and address ways in which businesses can safeguard their sensitive systems and information against malicious activity. Due to the constant evolution of technology and software that is used to carry out cyber attacks, there is no one solution. However, with training and robust internal processes, organizations can help minimize the risk of a cyber attack and the potential damage that can occur.

History of cyber attacks

One aspect of cyber attacks (or cyber warfare) that makes them difficult to track and assess is that it is difficult to identify who is to blame for the attack. It is still possible to assess patterns from one attack to the next, and regardless of attribution, most major attacks share two common traits: sophisticated technology (though not exclusively) and exploitation of the human element. From the now-infamous Russian hacker group "Cozy Bear" to North Korea’s elite hacker group "Bureau 121," these attacks are meticulously planned and, in some situations, carried out in multiple stages over long periods of time. To illustrate common tactics, software, and malware often used in nation-state attacks, three examples are highlighted.

1. Dragonfly 2.0, critical infrastructure

As a major component of critical infrastructure, the energy sector has become a prime target for cyber attacks. One of the most prominent recent attacks is the Ukrainian power outage that occurred in December 2016, and it is possible that another group, currently referred to as "Dragonfly 2.0," is pursuing the same end goal in Europe and North America. The main strategy of this hacker group appears to be gaining access to the victim’s network and, again, humans are being exploited as the main access point. The group deployed several strategies, including malicious emails, watering hole attacks (infecting websites the targets frequently visit with malware), trojanized software, and various malware programs. It is now believed Dragonfly spent 2011 through 2014 gathering information and credentials before resurfacing in 2017 to potentially launch an attack.

2. Sony Pictures Entertainment

Prior to the release of 2014’s "The Interview," Sony Pictures cancelled New York openings due to threats of violence from a hacker group that also claimed responsibility for the Sony data breach earlier that year. Though this was an attack aimed at a private company, the breach was used as leverage to threaten physical harm, while the earlier attack left many internal communications exposed and forced Sony to take thousands of systems offline.

3. 2016 Democratic National Convention (DNC) email

Arguably one of the most talked about events from the 2016 United States presidential race, the hacking of the Democratic National Convention (DNC) email system and the subsequent hacking of Democratic candidate Hillary Clinton’s personal email made global headlines. This particular attack brought the threat of nation-state cyber warfare to the main stage.

Although it was initially difficult to identify the source of the cyber attack, CrowdStrike, a cybersecurity company, identified Cozy Bear and Fancy Bear as the groups responsible. Here, too, the human element was exploited. Spear-phishing emails (emails that appear to be from trustworthy sources but actually contain malware or other malicious content) were sent to government agencies, nonprofits, and contractors. When these emails were opened or the links they contained were clicked, the hackers gained access to documents that were saved, reviewed, and used for intelligence that likely led to deeper attacks.

Developing a proactive cybersecurity strategy

Understanding the unique motivation of nation-state cyber attacks is essential to developing a strategy to safeguard a system against an array of potential breaches. Though traditional espionage is rooted in the desire to learn, nation-state cyber attacks often seek to sabotage through direct action or interference.

Due to the complexity of these cyber attacks, they are often conducted in stages, beginning with information gathering. Fortunately, although the end goal of each of these attacks is fairly unique, nation-state sponsored hackers typically use the same methods in their plan, some sophisticated and others fairly off-the-shelf, as independent attackers do.

First, these groups aim to establish a persistent presence in the system, using advanced persistent threat (APT) techniques and remote access tools (RATs) to avoid detection and bypass security at unprepared facilities. From there, data mining begins as the hackers harvest the information that will ultimately be used to complete the attack (leak the data, leverage the data, use the data to control or damage the system or infrastructure, etc.) or to launch subsequent attacks. Because of these threats, it is tempting for organizations to double down on technology in an effort to keep pace, but approaching the issue from a strategic standpoint by taking a risk-based approach is more effective overall.

Secure systems and facilities by improving the human side of systems interaction. In nearly every cyber attack, humans unwittingly gave access to hackers by opening and spreading infected emails and clicking on links. To minimize the likelihood of damage, start by limiting user access to critical systems to what each user actually needs. Continuous, regularly updated staff training is the keystone to mitigating cybersecurity threats and developing a solid cybersecurity strategy.

Cybersecurity tools

Tools and technology remain important, but with government-backed hacking groups having access to the latest technology, it is clear that defenders need to stay one step ahead, especially where legacy software and systems are concerned. An effective cybersecurity strategy needs to involve more than just technology.

By training staff to understand the risks of cyber attacks and the common pathways for these attacks, such as spear-phishing, potential issues can be reported and mitigated before malicious activity can set in. Even the most effective security system can be thwarted by human error.

Nevertheless, software security remains a valuable part of a cybersecurity solution, and it is important to identify, assess, and correct vulnerabilities in software applications before the software is integrated into a system and while it is in use.

Fortunately, while working to improve technology, the industry has also been working to develop criteria necessary to assess the software used to protect sensitive information and critical infrastructure from cyber attacks. Engaging with a third party for these evaluations can help save time and resources while instilling confidence in the software.

Cybersecurity programs help minimize risk by helping ensure that all software is secure and remains secure. For example, the UL Cybersecurity Assurance Program (UL CAP) relies on the UL 2900 set of standards, which were developed by UL subject matter experts with input from major government, academic, and industry stakeholders. By deploying consistent, testable criteria, companies can begin to reduce exploitation, address known malware, enhance security controls, and expand security awareness. All of these are essential steps for conducting business in today’s connected world.

With a strong software foundation in place—including procedures to ensure that the evaluated software remains updated, effective, and secure—staff training creates a final, necessary layer of protection and another set of watchful eyes.

With every new security development, new malware and access methods are being tested and deployed by hackers globally. This is the reality of living with the convenience of a connected world. However, it is possible to remain aware and ready in the face of increasing cyber attacks, and that readiness rests in the hands of every staff member with a connection to a network.

Ken Modeste is cybersecurity lead and global principal engineer, UL. Edited by Emily Guenther, associate content manager, CFE Media, Control Engineering, eguenther@cfemedia.com.

Consider this

How can you help your organization minimize the risk of an external or internal cyber attack?

Ken Modeste is the principal technical advisor and SME for UL’s cybersecurity program. He helped develop UL’s series of cybersecurity standards that test network-connectable devices for known vulnerabilities and software security. As part of the cybersecurity strategy for UL, Ken is responsible for strategically identifying long-term growth opportunities that align with UL’s mission to address public safety. He is responsible for creating the laboratory, hiring and training personnel, and developing programs and services to support UL’s client security needs, and he has helped develop and execute long-term software strategies.