Multiple US and allied cybersecurity agencies have recently warned about an ongoing campaign by pro-Russia hacktivist groups to target and compromise operational technology (OT) systems across critical infrastructure sectors in North America and Europe. According to a new joint cybersecurity alert, these groups have been observed gaining remote access to small-scale industrial control systems used in water/wastewater, dams, energy, and food and agriculture by exploiting internet-exposed human-machine interfaces (HMIs) protected by default or weak passwords.
See cybersecurity alert: https://www.ic3.gov/Media/News/2024/240501.pdf
While the intrusions so far have largely caused nuisance-level impacts such as manipulating equipment settings, the alert warns that the actors are capable of techniques that pose physical threats to insecure or misconfigured OT environments they can reach. "The increase of attacks on critical assets and infrastructure is requiring the cybersecurity profession to draw a stronger connection between commercial business and national security," said Henryk Ciejek, VP of Information Security at PayScale. "As the commercial business world provides increasing technology support to local and national infrastructure, the scope of security expands beyond general commercial terms and underscores the importance of established security vetting processes for both the vendors and government bodies."
See: https://redskyalliance.org/xindustry/ot-it-warning
Key examples of confirmed activity from early 2024 include pro-Russia groups remotely accessing HMIs at water treatment facilities to max out pump settings, disable alarms, and change passwords to lock operators out of their own HMIs, leading to minor spills in some cases.
To defend against this ongoing campaign, the cybersecurity agencies are urging critical infrastructure organizations to urgently implement several risk mitigation measures, such as:
- Limiting internet exposure of OT systems and using firewalls/VPNs to restrict remote access.
- Enabling multi-factor authentication for all OT network access.
- Changing all default passwords to strong, unique credentials.
- Keeping remote access software such as VNC patched and up to date.
- Creating allow-lists that limit HMI access to authorized IP addresses.
- Ensuring ability to manually operate OT systems if compromised.
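The allow-list and default-credential items above are easy to state and easy to get wrong in practice, so here is an added example (not code from the alert or from Red Sky Alliance) of the detection logic a defender would run over HMI remote-access authentication logs: it flags successful VNC/RDP/SSH logins whose source is outside the allow-list or that use a default account, and separately reports sources that have been guessing credentials. The log format, the allow-listed networks, the default account names and the sample lines are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed allow-list (assumption): only the engineering VLAN and one
# jump host reachable over the VPN may open remote sessions to HMIs.
HMI_ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.168.50.5/32"),
]

# Account names that should have been renamed or disabled at commissioning.
# Constructed set for the example, not a vendor-specific list.
DEFAULT_ACCOUNTS = {"admin", "administrator", "operator", "root", "user"}

REMOTE_ACCESS_SERVICES = {5900: "VNC", 3389: "RDP", 22: "SSH"}

# Constructed log format (assumption): one line per authentication event.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) port=(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    src: str
    service: str
    reasons: tuple


def source_allowed(src: str) -> bool:
    """True only if src parses as an IP inside an allow-listed network."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparsable source is never trusted
    return any(ip in net for net in HMI_ALLOWED_NETWORKS)


def parse(lines):
    """Yield the parsed fields of every line that matches the log format."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def suspicious_logins(lines):
    """Successful logins that break the allow-list or use a default account."""
    findings = []
    for ev in parse(lines):
        if ev["result"] != "success":
            continue
        reasons = []
        if not source_allowed(ev["src"]):
            reasons.append("source not on HMI allow-list")
        if ev["user"].lower() in DEFAULT_ACCOUNTS:
            reasons.append("default account used")
        if reasons:
            port = int(ev["port"])
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], ev["src"],
                                    REMOTE_ACCESS_SERVICES.get(port, f"tcp/{port}"),
                                    tuple(reasons)))
    return findings


def guessing_sources(lines, threshold=3):
    """Sources with at least `threshold` failed logins (password guessing)."""
    failures = {}
    for ev in parse(lines):
        if ev["result"] == "failure":
            failures[ev["src"]] = failures.get(ev["src"], 0) + 1
    return sorted(src for src, n in failures.items() if n >= threshold)


# Constructed sample log: three guesses then a default-account success from
# an internet address, a legitimate engineer login, and a default account
# used from the otherwise-permitted jump host.
SAMPLE_LOG = """\
2024-04-10T02:14:07Z hmi-pump-01 login failure user=admin src=203.0.113.45 port=5900
2024-04-10T02:14:09Z hmi-pump-01 login failure user=admin src=203.0.113.45 port=5900
2024-04-10T02:14:10Z hmi-pump-01 login failure user=admin src=203.0.113.45 port=5900
2024-04-10T02:14:11Z hmi-pump-01 login success user=admin src=203.0.113.45 port=5900
2024-04-10T03:40:22Z hmi-pump-01 login failure user=operator src=198.51.100.9 port=5900
2024-04-10T06:30:00Z hmi-pump-01 login success user=j.ortiz src=10.20.0.17 port=5900
2024-04-10T07:02:41Z hmi-dam-02 login success user=operator src=192.168.50.5 port=3389
""".splitlines()

if __name__ == "__main__":
    for f in suspicious_logins(SAMPLE_LOG):
        print(f)
    print("credential guessing from:", guessing_sources(SAMPLE_LOG))
```

Two of the three successful logins are flagged: the VNC session from 203.0.113.45 (off the allow-list and using `admin`) and the RDP session from the jump host, which is allow-listed but still used the `operator` default account. The engineer's login from the engineering VLAN passes. In production the allow-list check belongs in the firewall or VPN policy, with this log review as the independent check that the policy is actually being enforced.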
The agencies also called on OT device manufacturers to build products that are secure by design, eliminating issues such as default passwords that are widely exploited by these actors.
Ciejek suggested it would behoove cybersecurity teams to "work closely with and install up-to-date patching and updates as provided by vendors."
From the alert, the partnering agencies recommend network defenders strengthen their security postures with these suggestions:
- Integrate cybersecurity considerations into the conception, design, development, and operation of OT systems.
- Practice and maintain the ability to operate systems manually [CPG 5.A].
- Check the integrity of PLC ladder logic (or programs in other PLC languages) and associated diagrams for unauthorized modifications, to ensure the process is still operating as designed.
- Update and safeguard network diagrams to reflect both the IT and OT networks [CPG 2.P].
- Be aware of cyber/physical-enabled threats. Take inventory and determine the end-of-life status of all HMIs [CPG 1.A].
- Implement software and hardware limits to the manipulation of physical processes, limiting the impact of a successful compromise.
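The PLC logic integrity recommendation above is usually implemented as a hash baseline of the exported project files. The following is an added example (not code from the alert or from Red Sky Alliance) that builds a SHA-256 baseline of a project directory, stores it as JSON, and later reports files that were modified, removed or added. The project layout, file names and contents are constructed stand-ins for exported logic and tag files, not a real vendor format.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large project archives are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, baseline: dict) -> dict:
    """Compare the tree under root against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }


def save_baseline(baseline: dict, path) -> None:
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Construct a project, baseline it, tamper with it, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        proj = Path(tmp) / "pump_station"
        (proj / "logic").mkdir(parents=True)
        # Constructed stand-ins for an exported routine and a tag database.
        (proj / "logic" / "main.l5x").write_text("<RLLContent>OTE Pump1</RLLContent>\n")
        (proj / "tags.csv").write_text("Pump1_Setpoint,REAL,60.0\nHighLevel_Alarm,BOOL,1\n")

        # In practice the baseline lives off the OT network, ideally signed.
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(proj), baseline_path)

        # Simulated unauthorized changes of the kind described in the alert:
        # setpoint maxed out, alarm disabled, and an extra routine dropped in.
        (proj / "tags.csv").write_text("Pump1_Setpoint,REAL,100.0\nHighLevel_Alarm,BOOL,0\n")
        (proj / "logic" / "bypass.l5x").write_text("<RLLContent>OTU HighLevel_Alarm</RLLContent>\n")
        return verify(proj, load_baseline(baseline_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would add: the baseline must be kept where an intruder on the engineering workstation cannot rewrite it alongside the project, and an offline file check only catches changes that touch the exported project. Changes made online through the HMI or a programming tool connected directly to the controller have to be caught by uploading the running program from the PLC and comparing it to the approved copy with the vendor's compare function.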
For OT device manufacturers, the alert's recommendations are straightforward:
- Eliminate default passwords and require strong passwords.
- Mandate multifactor authentication for privileged users.
- Include logging at no additional charge.
- Publish Software Bills of Materials (SBOM).
While the hacktivists may overstate the impact of their intrusions, the alert underscores the escalating physical threat that attackers motivated by the Russia-Ukraine war could pose to essential services if OT security practices are not improved across sectors such as water, energy, and food production.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Our services can help detect cyber threats and vulnerabilities. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings: REDSHORTS
https://register.gotowebinar.com/register/5378972949933166424