It’s looking like 2024 could be a happy new year for cyber criminals, which would make it an unhappy, expensive, dangerous year for the rest of us.
Yes, cyber attack headlines have been a constant in the tech press for decades. Still, the sophistication of attacks combined with the growing “attack surface” – not just vulnerabilities in software but also in the operational technology (OT) of infrastructure – is ominous, especially when it involves the critical infrastructure that maintains what we consider “normal” life.
The list of headlines just in recent weeks could be enough to make you want to disconnect from the internet and demand that everybody else do the same. Here’s a sampling.
- A joint advisory in mid-December from the FBI and CISA in the US and the Australian Signals Directorate’s Australian Cyber Security Centre warned that the Play ransomware group had impacted about 300 businesses and critical infrastructure organisations in North America, South America, Europe and Australia as of this past October by using “a double-extortion model, encrypting systems after exfiltrating data”.
- The Hacker News reported that “ransomware attacks are increasingly exploiting vulnerabilities rather than using phishing e-mails as initial infection vectors, jumping from nearly zero in the second half of 2022 to almost a third in the first half of 2023, per data from Corvus”. And the cyber security firm NCC reported that ransomware attacks in November were up 67% from 2022, with industrials (33%), consumer cyclicals (18%) and healthcare (11%) remaining the most targeted sectors.
- Comcast Cable Communications, doing business as Xfinity, disclosed in mid-December that attackers who breached one of its Citrix servers in October also stole the sensitive information of nearly 36 million customers from its systems. Bleeping Computer reported that about two weeks after Citrix released security updates to address a critical vulnerability now known as Citrix Bleed, the company found evidence of malicious activity on its network between 16 October and 19 October. Cyber security company Mandiant said the Citrix flaw had been actively exploited as a zero-day since at least late August 2023.
- The Ohio Lottery reported in late December that it had been forced to shut down some key systems on Christmas Eve after a cyber attack affected an undisclosed number of internal applications. A relatively new ransomware gang calling itself DragonForce took credit for the attack, claiming it had encrypted devices and stolen the data of more than 3 million customers, including Social Security numbers and dates of birth – data that, unlike a credit card number or a PIN, you can’t change.
- A string of cyber attacks on healthcare providers over several months in 2023 required US hospitals to divert ambulances. CNN reported that an attack against healthcare conglomerate Ardent Health Services over the Thanksgiving weekend affected hospitals from New Jersey to New Mexico. That prompted the Department of Health and Human Services to publish plans to increase federal funding for poorly protected rural hospitals and to impose stricter fines for lax security by healthcare providers.
- An alphabet soup of government agencies – the FBI, CISA, NSA, EPA and Israel’s National Cyber Directorate – issued a joint cyber security advisory at the beginning of December “to highlight continued malicious cyber activity against OT devices by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated Advanced Persistent Threat cyber actors”. The advisory came after an attack on the Municipal Water Authority of Aliquippa, Pennsylvania, by a group calling itself Cyber Av3ngers, which, according to the agency advisory, is a persona used by hackers affiliated with the IRGC. While water authority officials said the facility had not been compromised, the attack is another example of critical infrastructure being a target of hostile nation states. David Kane, CEO of Pittsburgh-based Ethical Intruder, told the Pittsburgh Post-Gazette that it was “very alarming to see an attack on the OT side. A related physical threat could have changed the filtration or stopped water flow altogether.”
The list could go on, of course. But it’s more than enough to illustrate that not only is information – personal, financial and intellectual property – at risk. So are physical objects and services. At the personal level, it’s your vehicle plus everything in your “smart” home, from appliances to TVs, nanny cams and home security systems. At the infrastructure level, that means healthcare, utilities, traffic control, the electrical grid and more.
Industrial control systems expert Joe Weiss, managing partner at Applied Control Solutions, noted in a recent blog about the Aliquippa attack that “Iran is in an undeclared war, including cyber war, against the US and our critical infrastructures”, and that Aliquippa “may not be a one-off attack against a small water utility, as the hack was against a control system vendor [Israel-based Unitronics] supplying a cost-effective system [a programmable logic controller (PLC)] that is used in control systems at many critical infrastructures systems, not just water utilities”.
Indeed, in a later blog he noted that “the same PLCs used in water and wastewater management are used in all forms of manufacturing (they were originally invented for auto manufacturing), and in pipelines, chemical plants, refineries, power, the food and beverage sector, transportation, etc. What makes PLCs cyber vulnerable in any one sector makes them cyber vulnerable in all sectors.”
Weiss also noted that the “IRGC is a nation-state with associated capabilities, not just some hackers who support a cause”, and that because the group got access to the system’s PLCs – industrial computers used to control and monitor industrial equipment based on custom programming – “they can compromise the near- or long-term operation of any targeted system”.
He wrote: “There are 226 Unitronics systems in the US and more than 1 800 worldwide… This is a nation-state supply chain attack against US critical infrastructure, not any single end-user or sector… One wonders who else has been hacked, or when they will be attacked? Imagine what damage could accrue if the attack targeted other control system suppliers.”
Weiss isn’t the only one noticing the trend. OT and internet of things security firm Claroty’s recent 2023 ‘Global state of industrial cybersecurity’ report, based on a global survey of 1 100 IT and OT security professionals, found that about 75% had been the target of ransomware attacks, with 17% affecting OT systems and 37% hitting both IT and OT systems.
That was a 10% increase since 2021, which the report called “particularly significant”.
Disconnect
So the obvious question is what, if anything, can individuals and organisations do to reverse those trends? For starters, PLCs shouldn’t be connected to the internet.
Craig Spiezle, president of AgeLight Digital Trust Group, said the risks to internet-facing critical infrastructure like utility systems “have been highlighted for nearly a decade. While larger cities have isolated systems, many smaller utilities have not”.
“Utilities are facing a perfect storm,” he said. “The issue comes down to the complexity of multiple legacy systems. Ideally, such at-risk systems should be isolated from external intrusions.”
He added that while rigorous testing of software for vulnerabilities is important, “perhaps more important are software bills of materials (SBOMs) – [documents that identify] what code libraries are embedded in the devices – software and firmware. SBOMs will give you a handle on inventory system and risks.”
Spiezle said that while he worked for his local government, “I ended up taking some systems and disabling some remote capabilities based on a risk/benefit analysis. For example, rather than have devices connected, text notifications were enabled for sensor failure or exceeding operating tolerances. In such cases, there were redundant controls, so the tradeoffs were easy.”
Gerry Kennedy, CEO of Observatory Strategic Management, in a recent post on LinkedIn, said another piece of the problem is the difficulty of communication between the IT side and the OT side. He likened it to the Old Testament story of the Tower of Babel, when humanity had been speaking a single language until they resolved to build a tower to heaven. Then God intervened and caused different groups to start speaking different languages. Since the people couldn’t communicate, they couldn’t keep building the tower.
“A parallel unfolds in the tech landscape, where the languages of IT and OT have diverged, creating unique cultures with distinct lexicons. Much like the biblical tale, the modern ‘confusion of tongues’ manifests as a disparity between IT and OT languages, posing a potential peril to humanity,” he wrote.
So it sounds like, in addition to security training, there needs to be some language, or at least jargon, training.
Finally, the joint advisory from CISA and the other agencies on the attacks by the IRGC has a list of recommendations.
- Change all default passwords on PLCs and HMIs [human machine interfaces] and use a strong password.
- Disconnect the PLC from the public-facing internet.
- Implement multifactor authentication for access to the OT network whenever applicable.
- If remote access is required, implement a firewall and/or virtual private network (VPN) in front of the PLC to control network access. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication.
- Create strong backups of the logic and configurations of PLCs to enable fast recovery. Get familiar with factory resets and backup deployment as preparation for a possible ransomware attack.
- Keep PLC devices updated.
- Confirm third-party vendors are applying the above recommended countermeasures to mitigate exposure of these devices and all installed equipment.
Even those aren’t silver bullets, according to Weiss, who wrote that some of them are useful but not all are realistic. For example, in response to the recommendation that a VPN will enable multifactor authentication even if the PLC doesn’t, Weiss wrote that “if the PLC is already compromised, the VPN will be providing compromised data”.
Still, those and other recommendations are much better than nothing. Implementing them would make it a more difficult new year for attackers, and better for the rest of us.
For more information, please contact Nkateko Malindi, Business Development Manager at Altron Arrow: nmalindi@arrow.altech.co.za.
Written by: Taylor Armerding, security advocate at the Synopsys Software Integrity Group. He writes mainly about software security, data security and privacy.