Colombia's booming transport sector and threats to technological and SCADA integration
The transportation sector in Colombia is undergoing a large-scale SCADA upgrade. This matters for Colombia's economy: the industry is poised to grow over the coming years, and transport capacity is critical to the country's progress. Infrastructure investment programs such as the 4G road concessions, SCADA integration, and the government's Master Plan for Intermodal Transport (PMTI) are meant to bring down operating costs that had made the sector expensive and internationally uncompetitive. From the consumer-facing side, the initiative is cost-effective and, over the long term, advances multi-modal transport. It is also worth noting that foreign direct investment (FDI) in Colombia's transport sector has risen tenfold.
Cyberattacks against government facilities and the transport sector are observed daily even as this modernization proceeds. In 2020, several cyberattacks against Colombian entities were detected. To understand their magnitude, mechanism, and the gaps they exposed, we analyze the series of attacks, including one against metallurgical manufacturing companies that are vendors to Colombia's transport-sector agencies.
In this attack on Colombian critical-infrastructure facilities, the attackers relied on remote access Trojans (RATs) of the kind used in cyber-espionage operations to spy on victims. According to the investigation, a large range of IP addresses was used for command and control (C&C), many of them compromised machines (bots) fully under the attackers' control. Compromised OT devices were also found acting as proxies in front of the C&C servers. The C&C servers used dynamic DNS services, so a hostname could be re-pointed to a new IP address at any time, which made blocking by IP address ineffective and the infrastructure harder to map. At least 70 dynamic DNS hostnames were active during the period, and new ones were registered regularly.
The phishing emails carried a malicious attachment. So far this is typical of a cyberattack, but the attachment used in this campaign was different. The RATs themselves were off-the-shelf malware that the attackers had not developed; what was specific to the campaign was the C&C infrastructure they reported to. The threat actors also wrote flawless Spanish in the emails. Most of the emails purported to come from SIMIT, Colombia's traffic-fine information system, and targeted Colombian entities.
The phishing email contained a PDF file embedded with malware that only executed when the recipient clicked on it. Most of these emails impersonated the Office of the Attorney General (Fiscalía General de la Nación) and the Colombian National Directorate of Tax and Customs (DIAN).
Typically the lure led to an archive with a RAR extension containing an executable, hosted on a commodity cloud service such as OneDrive. One click extracted the file and ran it on the system. The executables were wrapped in a variety of packers, but whichever packer was used, the payload installed on the victim's computer was a RAT that then ran inside the system's processes. Some victims said the lures were hard not to click: the notification emails concerned a 'driving infraction', a 'mandatory COVID-19 test', a 'court hearing', or an 'investigation into the recipient's misuse of public funds'.
The attackers also commonly used NSIS installers as droppers. Nullsoft Scriptable Install System (NSIS) is a scripted, self-extracting installer format; a malicious NSIS package evades detection by writing a set of harmless files to disk alongside the payload. Only two of the extracted files are malicious: an encrypted RAT executable, and a DLL that decrypts and runs the Trojan.
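The three indicators described above (lure emails spoofing Colombian institutions, NSIS-built droppers, and C&C hostnames parked on dynamic DNS providers) can be turned into a simple triage check. The script below is an added example and is not code from the original report or from the investigators; the NSIS detection relies on the real marker every NSIS-built installer carries (the "firstheader" signature 0xDEADBEEF followed by the ASCII text "NullsoftInst"), while the dynamic DNS zone list, the brand-to-domain mapping, and all sample emails, attachment bytes, and resolver log lines are constructed for illustration.

```python
"""Triage of the phishing pattern described above. Added example; sample data
and the allowlists are constructed, not taken from the investigation."""
import re
import unicodedata
from email.utils import parseaddr

# NSIS "firstheader": 4 bytes of flags, then 0xDEADBEEF (little-endian),
# then the 12-byte magic "NullsoftInst". Every NSIS-built installer has it.
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"

# Assumed list of dynamic DNS zones; extend it from your own threat intel.
DYNAMIC_DNS_ZONES = (
    "duckdns.org", "ddns.net", "no-ip.org", "no-ip.biz", "hopto.org",
    "zapto.org", "myftp.biz", "dynu.net", "dyndns.org",
)

# Assumed mapping of impersonated institutions to the domains they mail from.
# The report names the institutions; the domains here are illustrative.
BRANDS = {
    "fiscalia": ("fiscalia.gov.co",),
    "dian": ("dian.gov.co",),
    "simit": ("simit.org.co", "fcm.org.co"),
}

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+name=(?P<name>\S+)\s+answer=(?P<answer>\S+)")


def _fold(text: str) -> str:
    """Lower-case and strip accents so 'Fiscalía' matches 'fiscalia'."""
    return unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode().lower()


def _in_zone(host: str, zones) -> bool:
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in zones)


def is_nsis_installer(data: bytes) -> bool:
    """True for a PE image that carries the NSIS firstheader marker.
    This flags benign NSIS installers too: it is a triage signal, not a verdict."""
    return data[:2] == b"MZ" and NSIS_MAGIC in data


def on_dynamic_dns(hostname: str) -> bool:
    return _in_zone(hostname, DYNAMIC_DNS_ZONES)


def spoofed_sender(from_header: str):
    """Return the impersonated brand when the From header names an institution
    but the sender domain is not one that institution uses; else None."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    text = _fold(display + " " + address)
    for brand, legit_domains in BRANDS.items():
        if brand in text and not _in_zone(domain, legit_domains):
            return brand
    return None


def dynamic_dns_lookups(log_lines):
    """Return (client, name, answer) for resolver log lines hitting dynamic DNS zones."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and on_dynamic_dns(m.group("name")):
            hits.append((m.group("client"), m.group("name"), m.group("answer")))
    return hits


def triage(message_from: str, attachment: bytes, log_lines):
    return {
        "spoofed_brand": spoofed_sender(message_from),
        "nsis_dropper": is_nsis_installer(attachment),
        "dynamic_dns_hits": dynamic_dns_lookups(log_lines),
    }


# Constructed sample input: a spoofed From header, a PE stub with the NSIS
# marker in its overlay, and three resolver log lines (TEST-NET addresses).
SAMPLE_FROM = "Fiscalía General de la Nación <notificaciones@fiscalia-citaciones.co>"
SAMPLE_ATTACHMENT = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100 + b"\x00\x00\x00\x00" + NSIS_MAGIC
SAMPLE_LOGS = [
    "2020-09-14T10:21:07Z client=10.0.4.21 name=citacion-judicial.duckdns.org answer=203.0.113.7",
    "2020-09-14T10:21:09Z client=10.0.4.21 name=www.fiscalia.gov.co answer=203.0.113.80",
    "2020-09-14T10:22:40Z client=10.0.4.33 name=actualizacion-dian.hopto.org answer=198.51.100.12",
]

if __name__ == "__main__":
    print(triage(SAMPLE_FROM, SAMPLE_ATTACHMENT, SAMPLE_LOGS))
```

Each check on its own is noisy (legitimate software ships as NSIS installers, and some organisations use dynamic DNS), so the value is in the conjunction: an institution-spoofing sender, an NSIS-built attachment, and a first resolver hit on a dynamic DNS zone from the same client shortly afterwards is the sequence the report describes.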
The intensity of the attack
The primary focus of transport-sector security, especially in Colombia, is detecting chemical, biological, and other weapons, drugs, and illegal entry. An area that receives far less attention is SCADA security. The utilities that serve transport rely on SCADA systems for their operations, and these utilities are interdependent: a disruption in one can critically affect another. If electric power is disrupted, for example, the whole system stops. Everything that needs electricity, such as motorized gates, spotlights, computer systems, and detection systems, becomes inoperable. In Colombia, dealing with such disruptions to transport operations is the responsibility of local authorities, yet the transport authorities are unaware of the vulnerabilities across the system as a whole. In an attack on the transport sector these systems can also be disabled, with a ripple effect on the economy and on security.
Key Stakeholders in the Scenario
Ministerio de Transporte, Ministerio de Obras Públicas y Transporte, Ferrocarril de Bolívar, Ferrocarril de Santa Marta, Ferrocarril de Cartagena, Ferrocarril de Girardot, Ferrocarril de La Sabana y Cundinamarca, Ferrocarril de Antioquia, Metro de Medellín, Ferrocarriles del Norte de Colombia S.A. (FENOCO), Policía de Carreteras, Unidades de Intervención y Reacción, National Roads Institute (INVÍAS), Policía Nacional de Colombia, Rede Integrada de Transporte, Marcopolo S.A., Inter-American Development Bank, Concessionaire Ruta del Cacao S.A.S, Ashmore Group, Mercantil Colpatria.
Assessment and Result
Although Colombia's transport system increasingly relies on upgraded digital infrastructure, it is unclear who is responsible for protecting it against cyberattacks. This is partly because the environment changes every time the technology is updated. In this age of disruption the ecosystem is changing quickly, and without dedicated action the system will become more vulnerable as innovation, competition, and pandemics accelerate the digital shift. One motivation for attackers in countries like Colombia is the economic and financial gap. Given the tense geopolitical situation in the region and the condition of Venezuela, however, there is also a purely disruptive and destructive intent, not just a financial one. The evolving risk landscape is taxing the responsiveness of an otherwise mature and well-regulated system built on technological innovation. The system therefore requires a "cyber plan of action." Cyber diplomacy, and joining forces with liberal and like-minded states, will help secure regional conditions.
It is also essential to recognize that better protecting transport facilities is primarily an organizational and diplomatic challenge. Efforts to harden defenses and toughen regulations are crucial, but they are not enough to outpace the growing risks. Unlike many sectors, most of the government-run side of the transport ecosystem lacks resources and cannot separate the roles and responsibilities of the entities involved.
The fragmentation among stakeholders and initiatives stems partly from the unique and evolving nature of cyber risk. These communities operate in silos and tackle the issue through their own mandates: the supervisory control side of metro transport focuses on cyber resilience, diplomats on norms of state behavior, national security agencies and police on deterring malicious activity, and private-sector entities on firm-specific rather than sector-specific risks. As the lines between stakeholders become fuzzier, the lines of responsibility for security blur with them.
There is a disconnect between the transport authorities, the police, and the diplomatic community. Cyber diplomacy must therefore be part of the training of every entity, so that each knows the cyber threats and its own responsibilities. The responsibility gap and the continued uncertainty about roles and mandates leave the ecosystem exposed. That uncertainty is also a product of the current geopolitical climate and high levels of mistrust in government, which hinders collaboration with the international community. As a result, cooperation on cybersecurity has been polarized and fragmented, and often limited to the smallest circles of trust around sensitive national-security equities. International and multi-stakeholder cooperation is therefore not a "nice-to-have" but a "need-to-have."
Colombia's cyber diplomacy strategy must rest on three principles. First, greater clarity about roles and responsibilities. Only a few countries have built effective relationships among their authorities, law enforcement, diplomats, other relevant government entities, and industry. The existing fragmentation also hampers international cooperation and weakens the global system's collective resilience, recovery, and response capabilities.
Second, international collaboration is necessary and urgent. Although Colombia's cybersecurity law and policy are mature by Latin American standards, the scale of the threat and the global interdependence of the system mean that governments, private firms, and other organizations cannot protect themselves by working alone. Reducing fragmentation will free up capacity to tackle the problem. Many initiatives to better protect institutions are under way, but they remain siloed, and the resulting redundancy and duplication raise transaction costs. On the other hand, several of these initiatives are mature enough to be shared, better coordinated, and further internationalized.
Finally, the Government of Colombia can support these efforts by establishing entities to assess threats and coordinate responses. Intelligence gathering should cover threats to all critical-infrastructure systems, and governments should share that intelligence with allies and like-minded countries. China and Russia operate in both government and private-sector networks throughout the hemisphere, and recognizing this has pushed some countries in the region to update their capabilities. Ironically, Chinese and Russian support for Venezuela has motivated Colombia to develop a significant capability of its own.