A new report from Denmark’s SektorCERT reveals that Denmark faced its most extensive cyberattack on critical energy infrastructure ever in May 2023. The coordinated, well-planned attack compromised 22 energy operators responsible for various aspects of the Danish energy infrastructure across the country.
Here’s what we know about the attack and how energy operators can proactively prepare for similar breaches.
What we know about the Danish energy infrastructure attack
Based on information from SektorCERT, a nonprofit organization that runs a sensor network to detect, identify, and research threats to the Danish critical energy infrastructure, this is what we know about the attack:
Unprecedented scale: Such a substantial cyberattack hasn’t been executed before on Danish critical energy infrastructure. The attackers managed to breach the systems of 22 energy operators within a short time span. Attackers infiltrated the operators’ industrial control systems, forcing several to disconnect from the national or local electricity distribution network and operate in “island mode.”
Well-prepared attacks: The attackers exhibited meticulous planning, demonstrating an advanced level of preparation and research. They accurately identified their targets in advance and executed their plan with precision. This reflects an ongoing trend of consistent cyberattacks, especially from foreign actors, that SektorCERT has identified.
Lack of visibility: While SektorCERT was able to successfully detect the attack before it spread further, the report found that many member operators didn’t know of vulnerabilities in their individual networks — especially between IT and OT systems — or that their networks were attacked.
Lack of segmentation: The attackers exploited a remotely exploitable vulnerability in the operators’ perimeter firewalls to gain their initial foothold. Once inside the network, it was easy for them to move laterally because the operators had very little segmentation beyond the network perimeter. This systemic weakness allowed the attackers to compromise multiple operators across the country and could have resulted in widespread infrastructure outages.
How to proactively prepare for energy infrastructure attacks
In today’s threat landscape, breaches like the one suffered by the Danish energy infrastructure are inevitable. Critical infrastructure operators need to improve cyber resilience to ensure they can maintain operations during attacks. Adopting an approach like Zero Trust simplifies the path to improved resilience by shifting the focus to identifying verified processes and permitting only their communication.
Recommendation 16 in the report identifies the need for segmentation. Traditional static firewalls don't provide the agility to respond quickly, so Zero Trust Segmentation (ZTS), also called microsegmentation, should be applied across the entire infrastructure.
This shifts the focus from trying to protect the network towards protecting individual assets within infrastructure, including applications, sub-stations, and wind turbines.
5 ways Illumio ZTS helps energy operators maintain operations during a breach
The Illumio ZTS Platform aligns with many of the recommendations from SektorCERT’s report. By implementing Illumio ZTS, energy operators can see security risk, set granular segmentation policy, and stop the spread of inevitable breaches.
Exposure of services
Illumio ZTS allows you to see all application dependencies, including where resources are exposed to the internet, so that you can shut down all communications except those that are necessary for operations. This significantly reduces your operation’s attack surface and blocks breaches from reaching further into your network.
Map network inputs
Many member operators didn’t have complete visibility into the communication and traffic between workloads and devices on their network. As a result, they were unaware of the security gaps that let the attack spread. Illumio’s application dependency mapping gives organizations easy-to-understand visibility into traffic across all workloads, including containers, IoT devices, and virtual machines, in a single console. This allows security teams to pinpoint network risks and create security policies that block unnecessary connections between workloads on unnecessary ports.
While many operators had firewalls in place at the network perimeter, they lacked effective segmentation inside the network interior. This allowed the attackers to quickly and quietly spread through the network after the initial breach. In addition to providing end-to-end visibility, Illumio ZTS contains the spread of breaches across the entire attack surface. By building granular segmentation policies with Illumio, security teams can proactively isolate critical assets or reactively isolate compromised systems during an active attack.
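The mechanics behind the points above (a dependency map built from observed traffic, detection of internet-exposed services, a flat network behind a perimeter firewall versus a default-deny label-based policy, and reactive isolation of a compromised workload) are easier to see in code. The following is an added example written for this page; it is neither Illumio product code nor anything from the SektorCERT report. Every workload, label, IP address, port and flow record in it is constructed for illustration, and the label-based policy model is a generic one, not Illumio's policy language.

```python
"""Label-based Zero Trust segmentation over sample flow records.

Added example, not Illumio product code or anything from the SektorCERT
report: all workloads, labels, IP addresses, ports and flows below are
constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed workload inventory: address -> labels (hypothetical OT estate).
INVENTORY = {
    "10.10.1.10": {"role": "scada-server", "site": "control-center"},
    "10.10.1.20": {"role": "historian", "site": "control-center"},
    "10.10.9.1": {"role": "firewall", "site": "perimeter"},
    "10.20.1.5": {"role": "rtu", "site": "substation-a"},
    "10.20.2.5": {"role": "rtu", "site": "substation-b"},
    "10.30.1.5": {"role": "turbine-ctrl", "site": "windfarm-1"},
}
INTERNAL = [ip_network("10.0.0.0/8")]

# Constructed flow records (src, dst, dport, proto), as a sensor would export them.
FLOWS = [
    ("10.10.1.10", "10.20.1.5", 502, "tcp"),    # SCADA polls RTU (Modbus)
    ("10.10.1.10", "10.20.2.5", 502, "tcp"),
    ("10.10.1.10", "10.10.1.20", 5432, "tcp"),  # SCADA writes to historian
    ("10.20.1.5", "10.20.2.5", 22, "tcp"),      # RTU to RTU SSH: lateral movement
    ("10.20.1.5", "10.30.1.5", 502, "tcp"),     # RTU to turbine: no such dependency
    ("203.0.113.7", "10.10.9.1", 443, "tcp"),   # internet to firewall management
    ("203.0.113.7", "10.10.1.10", 3389, "tcp"), # internet to SCADA RDP
]

# Explicit allow rules between labels; anything not listed is denied.
POLICY = [
    {"src": {"role": "scada-server"}, "dst": {"role": "rtu"}, "ports": {(502, "tcp")}},
    {"src": {"role": "scada-server"}, "dst": {"role": "turbine-ctrl"}, "ports": {(502, "tcp")}},
    {"src": {"role": "scada-server"}, "dst": {"role": "historian"}, "ports": {(5432, "tcp")}},
]
QUARANTINED = set()  # workloads isolated during incident response


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def dependency_map(flows):
    """Application dependency map: (src_role, dst_role) -> observed (port, proto)."""
    deps = defaultdict(set)
    for src, dst, dport, proto in flows:
        src_role = INVENTORY.get(src, {}).get("role", "external")
        dst_role = INVENTORY.get(dst, {}).get("role", "external")
        deps[(src_role, dst_role)].add((dport, proto))
    return dict(deps)


def internet_exposed(flows):
    """Internal services that were reached from non-internal sources."""
    return sorted({(dst, dport, proto) for src, dst, dport, proto in flows
                   if is_internal(dst) and not is_internal(src)})


def perimeter_only(src, dst, dport, proto):
    """Flat network behind a perimeter firewall: any internal-to-internal flow passes."""
    return "allow" if is_internal(src) and is_internal(dst) else "deny:perimeter"


def _matches(labels, selector):
    return all(labels.get(k) == v for k, v in selector.items())


def evaluate(src, dst, dport, proto):
    """Default-deny evaluation of one flow against the label-based policy."""
    if src in QUARANTINED or dst in QUARANTINED:
        return "deny:quarantine"
    src_labels, dst_labels = INVENTORY.get(src), INVENTORY.get(dst)
    if src_labels is None or dst_labels is None:
        return "deny:unknown-workload"
    for rule in POLICY:
        if (_matches(src_labels, rule["src"]) and _matches(dst_labels, rule["dst"])
                and (dport, proto) in rule["ports"]):
            return "allow"
    return "deny:default"


def quarantine(ip):
    """Reactively isolate a compromised workload; returns the quarantine set."""
    QUARANTINED.add(ip)
    return set(QUARANTINED)


def audit(flows, decide=evaluate):
    """Decide every observed flow; returns [(flow, verdict), ...]."""
    return [(flow, decide(*flow)) for flow in flows]


if __name__ == "__main__":
    print("internet-exposed:", internet_exposed(FLOWS))
    for flow, verdict in audit(FLOWS):
        print(f"{verdict:24} {perimeter_only(*flow):16} {flow}")
```

Running the file prints each constructed flow with two verdicts side by side: the perimeter-only model passes every internal-to-internal flow, including the substation-to-substation SSH session and the RTU reaching a turbine controller, while the label-based policy denies both because no rule grants them. The same policy denies the internet-sourced flows as unknown workloads, `internet_exposed` lists the two services reachable from outside, and `quarantine` shows how an incident responder can cut a compromised RTU off from even its legitimate SCADA peer without touching the rest of the policy.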
SektorCERT’s report revealed that many operators didn’t know about the devices that were attacked in their network. This meant many resources were left open and unpatched — a vulnerability of which the attackers took advantage. Illumio provides complete visibility into all communication and traffic between workloads and devices across the entire network, so operators are never left surprised by what’s operating on their network.
SektorCERT recommends member operators have close cooperation and good agreements with their suppliers. But even the best efforts to partner with suppliers on cybersecurity can fail. With Illumio ZTS in place, operators can be confident that their systems will be secure no matter the security practices of their suppliers’ networks. And even when a supply chain attack does happen, Illumio ensures the breach doesn’t spread any further into operators’ systems.