At a glance.
- Ukrainian energy firm reports Russian cyberattack.
- Iranian steel mill suspends production due to cyberattack.
- ICEFALL: a set of OT vulnerabilities.
- Thermal camera vulnerabilities.
- Vulnerabilities in access control panels.
- Smart factories are unprepared to defend against cyberattacks.
- US TSA issues relaxed pipeline cybersecurity directives.
- CISA hosts cybersecurity exercises.
- US cybersecurity bill focuses on training.
- Slovenia conducts cybersecurity exercises for nuclear facilities.
Cyberattack hits Ukrainian energy provider.
Last Friday, DTEK Group, Ukraine's largest private energy firm, an operator of power plants in various parts of Ukraine, said that it had been the victim of a cyberattack. The attack, in CNN's account, had complicated goals. It aimed to, as DTEK put it, “'destabilize the technological processes' of its distribution and generation firms, spread propaganda about the company’s operations, and 'to leave Ukrainian consumers without electricity.'” XakNet ("HackNet"), a hacktivist organization that's transparently a GRU front (whatever its denials on Telegram may say), claimed last week to have penetrated DTEK's networks and published some screenshots as coup-counting evidence of its success, but the actual consequences of the operation, if any, remain unclear.
Vosvete IT, relying in part on information from Slovakia's National Security Authority, makes two points that seem to position the incident in the larger context of both lawfare and kinetic combat. "These cyber attacks on the consortium occurred just days after Rinat Akhmetov, one of the richest men in Ukraine and a shareholder of DTEK, sued Russia at the European Court of Human Rights for causing billions in damages to his assets," and they also occurred at about the same time Russian forces shelled a DTEK power plant in Kryvyi Rih, a mining and industrial city in Dniepro region.
Iranian steel mill suspends production due to cyberattack.
A cyberattack hit one of Iran’s major steel companies last week, forcing it to halt production, SecurityWeek reports. The attack struck the state-owned Khuzestan Steel Co. and two other major steel producers. An anonymous hacking group, “Gonjeshke Darande” ("Predatory Sparrow," in the Jerusalem Post's translation), has claimed responsibility for the attack, saying that it was done to target the “aggression of the Islamic Republic.” The group shared alleged closed-circuit footage from the Khuzestan Steel Co. in which a piece of heavy machinery on a steel billet production line malfunctioned and caused a fire. The CEO of Khuzestan Steel, Amin Ebrahimi, claimed that the attack was thwarted, saying, “Fortunately with time and awareness, the attack was unsuccessful,” and noting that everything should return to normal by the end of Monday. Neither of the other steel producers targeted in the attack noted damage or production issues.
Predatory Sparrow has been heard from before, CyberScoop observes, notably in 2021's wiper attacks against Iran's rail system, and Check Point has obtained samples from the most recent incident that link it to the earlier attack. Relatively little is known about the group, beyond, that is, their self-presentation as hacktivist opposed to the Islamic Republic.
ICEFALL: a set of OT vulnerabilities.
Researchers at Forescout have disclosed a set of fifty-six vulnerabilities they’ve called “ICEFALL,” and that affect OT devices from ten vendors. “The vulnerabilities are divided into four main categories,” Forescout says, “insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates and remote code execution via native functionality.” Several of the issues flagged in the report have been known within the community for some time.
It’s worth noting that some of the vulnerabilities collected under ICEFALL represent design choices that don’t lend themselves to simple, straightforward patching. Completely mitigating the ICEFALL vulnerabilities will require vendor-delivered system updates, not all of which are immediately available. In the meantime, network isolation (particularly isolation of OT and industrial control systems from business networks and the wider Internet), restricting network connections to specifically selected engineering workstations, and, of course "focusing on consequence reduction" are the sensible practices affected organizations should follow.
CISA, the US Cybersecurity and Infrastructure Security Agency noted the report on ICEFALL, and the agency has advised attention to both the report and the mitigation recommendations it contains. CISA also pointed out that five of its recent alerts address issues associated with ICEFALL: ICSA-22-172-02 (JTEKT TOYOPUC), ICSA-22-172-03 (Phoenix Contact Classic Line Controllers), ICSA-22-172-04 (Phoenix Contact ProConOS and MULTIPROG), ICSA-22-172-05 (Phoenix Contact Classic Line Industrial Controllers) and ICSA-22-172-06 (Siemens WinCC OA). Each of those advisories contains actionable mitigations, and users of these products should review CISA’s material and determine where the recommendations apply to their environment.
Ron Fabela, CTO & co-founder at SynSaber commented on ICEFALL:
"Harkening back to S4's Project Basecamp over a decade ago, Forescout's Vedere Labs lists in detail the continued challenge of 'insecure by design' in industrial control systems. Hardcoded passwords and lack of authentication may be known knowns within OT security circles but the OT ICEFALL report lists them out in black and white for all to see. Like Project Basecamp, OT ICEFALL focuses on the low hanging exploitation fruit of ICS, where exploitation isn't really necessary at all in most cases. Simply sending the correct command, knowing how to run strings against firmware, or often times just reading the manual will yield the necessary information for attacking these systems.
"But the community needs to ask the question: does generating CVEs for engineering decisions move the ball forward in securing ICS? While the work of researchers is beneficial from an awareness stance asset owners are left with more 'vulnerabilities' that are most likely un-patchable during their operational period. For a community already over taxed with compliance, breach reporting, and "threat actor of the month" FUD, the hope is that these vulnerability reports motivate real change: improved security from the product vendors and better procurement requirements in the future. Until then, we have to monitor and protect the critical systems in place now, CVEs or not."
Roger Hill, Senior Director of Product Security, Kudelski Security, offered the following thoughts:
“While there are nuances that impact the severity of the risks identified, this report highlights the continued need for the industry to focus on OT security. The report should also serve as great motivation for companies to implement OT network threat monitoring to detect malicious activity early. We believe manufacturers with known vulnerabilities will take action to mitigate risks, but we still recommend organizations have a professional risk assessment performed on ICS systems, develop a security roadmap and ensure funding to execute their plan.
"Efforts to harden ICS technologies should be a key priority for companies, as there are real risks with them given that many were invented before internet connectivity was envisioned. At a minimum, we recommend organizations segment OT networks from IT networks with Industrial DMZ firewalls. Further segmentation with automation firewalls should segment the process network from the controls network, as such controls deliver the ability to define least privilege policy at the device and protocol level.”
Thermal camera vulnerabilities.
Researchers at SEC Consult have discovered vulnerabilities in InfiRay thermal cameras that could allow hackers to interfere with industrial processes. Steffen Robertz from SEC Consult told SecurityWeek, “The camera is used in industrial environments to check/control temperatures. The test device was located in a factory, where it verified that metal pieces arriving on a conveyor belt were still hot enough for the next process step. An attacker would be able to report wrong temperatures and thus create inferior products or halt the production. The temperature output might also be fed in a control loop. By reporting a lower temperature, the temperature of, for example, a furnace might be increased automatically.”
The researchers noted, “The vendor was unresponsive during the disclosure process. Hence it is unclear whether patches are available. Customers are urged to approach their vendor contact and request security reviews and updates.”
Vulnerabilities in access control panels.
Trellix has identified critical vulnerabilities affecting HID Mercury access control panels sold by Carrier subsidiary LenelS2. The risk here is to plant physical security and access control, but note that access to production systems within a plant has been used before to introduce malware into control systems.
These control panels are widely used for physical security, and the researchers were able to exploit the flaws to remotely manipulate door locks. The most serious of the vulnerabilities can allow for unauthenticated remote code execution and received a CVSS score of 10. SecurityWeek points out that, “Most of these vulnerabilities can be exploited without authentication, but exploitation requires a direct connection to the targeted system.”
Trellix states, “Customers using HID Global Mercury boards should contact their Mercury OEM partner for access to security patches prior to weaponization by malicious threat actors, which could lead to both digital or physical breaches of sensitive information and protected locations.” The researchers note that Carrier was very helpful and cooperative in getting the vulnerabilities patched.
CISA issued an alert regarding the vulnerabilities, stating, “Carrier recommends updating these access panels to the most current released firmware via the LenelS2 Partner Center. Please contact a Carrier support channel partner for instructions. The controller can also be configured to disable web access, which prevents remote login into the controller’s webpage.”
Smart factories are unprepared to defend against cyberattacks.
A report from the Capgemini Research Institute found that only 6% of smart factory organizations have "established mature practices of cybersecurity":
"We found organizations in general to be inadequately prepared in terms of awareness, governance, protection, detection, and resilience. Our analysis indicates that governance is a particular area of concern, with this area demonstrating the lowest level of preparedness across multiple parameters. Response preparedness is also strikingly low: 54% of executives say they don’t have (or do not know whether they have) a team dedicated to preparing for and responding to cyberattacks at their organization’s smart factories."
US TSA issues relaxed pipeline cybersecurity directives.
After last year’s unprecedented Colonial Pipeline attack, the US Transportation Security Administration (TSA) responded by issuing a set of strict cyber security directives for pipelines and other surface transportation industries. The first-of-their-kind directives received pushback from companies and industry lobbyists who felt that the rules, written in the heat of the moment, were too extreme and could disrupt business operations. Now the TSA has released updated, less stringent directives that industry experts say could indicate how the administration plans to write permanent rules going forward.
One revised directive allows designated pipeline operators a full twenty-four hours to report an attack (twice the time allotted in the original rules). An update to a second directive is expected to be less stringent about required security measures like multi-factor authentication password-reset requirements, which work in traditional business settings but would prove nearly impossible for pipelines’ more complicated systems.
TSA says they consulted with industry and government partners in drafting the new rules, explaining, “The goal is to move to a “performance-based model that will enhance security and provide the flexibility needed to ensure cybersecurity advances with improvements in technology.” Suzanne Lemieux, director of operations security and emergency response policy at the American Petroleum Institute, told the Wall Street Journal, “We’re encouraged by the changes they’ve made. There were a lot of things that weren’t well thought out in the urgency of getting this out [last year].”
CISA's tabletop exercises are now being made available to qualified partners.
The Cybersecurity and Infrastructure Security Agency (CISA) hosted a workshop last month providing an overview of the CISA Tabletop Exercises Packages (CTEP), an unclassified, adaptable exercise resource focused on facilitating discussion around a scripted hazard or threat scenario. Robert Lauer, the workshop facilitator, explained that the CTEP is “designed to assist government and industry partners in developing your own tabletop exercises with pre-built templates.” There are over a hundred scenarios to choose from that encompass both cyber and physical security. Several of them involve both. The CTEP exercise materials include a situation manual, an exercise planner handbook, a facilitator and evaluator handbook, and various templates that can be used throughout the exercise. The ultimate goal of the resource is to “help facilitate understanding, identify strengths and areas for improvement, and/or changes in policies and procedures.”
GovTech reports that workshops on CTEP will be held monthly and hosted by CISA Exercises Infrastructure Security & Exercise Branch, with participation from private stakeholders and critical infrastructure owners and operators. There is no registration required for these workshops, which are open to the public. To use the CTEP exercises, however, you need a Critical Infrastructure community account on the Homeland Security Information Network (HSIN-CI), and you can learn how to create an account here.
For those interested in how to approach wargaming for cybersecurity, SearchSecurity offers some thoughts on how to plan and conduct an exercise.
US cybersecurity bill focuses on training.
The US House of Representatives passed the “Industrial Control Systems Cybersecurity Training Act,” a cybersecurity bill introduced in May aimed at strengthening US cybersecurity protections after a government-issued warning back in April about Russia-linked malware targeting industrial processes. SecurityWeek reports that the legislation would amend the Homeland Security Act of 2002 to allow the Cybersecurity and Infrastructure Security Agency (CISA) to create a free training program both for government agencies and the private sector; it would focus on cyber defense strategies for industrial control systems. Representative Eric Swalwell (Democrat, California 15th District), who introduced the bill, explained, “With the increased threat of Russian cyberattacks, we must be cognizant of cyberwarfare from state-sponsored actors. This bill would help train our information technology professionals in the federal government, national laboratories, and private sector to better defend against damaging foreign attacks.”
Slovenia conducts cybersecurity exercises for nuclear facilities.
The Slovenian Nuclear Safety Administration (SNSA) conducted a large-scale exercise focused on cybersecurity for nuclear facilities. According to the International Atomic Energy Agency (IAEA), “The scenario involved real operational technology systems with insider threats, external cyber-attacks, and physical intrusions to a hypothetical nuclear facility exhibiting the impacts of a computer security compromise of critical operational control systems leading to a nuclear security event.”
Elena Buglova, Director of the IAEA Division of Nuclear Security, stated, “Increasing awareness about the response capabilities needed to secure nuclear facilities from cyber-attacks is one of the objectives of such exercises. The identification of any existing vulnerabilities, the testing of internal procedures and the strengthening of collaboration among involved stakeholders are some of the practical benefits for the host countries. The interest for computer security exercises is growing and the IAEA stands ready to support countries’ requests in this area of nuclear security.”
Igor SIRC, Director of SNSA, added, “The organising team and the participants were extremely engaged. The well-tailored scenario offered all of them a first-hand experience on the interconnections between safety, security, and emergency preparedness functions during a highly sophisticated cyber security incident. Our national capabilities for response to emergencies, triggered by cyber security events at nuclear facilities, have been further strengthened after this exercise.”
Recent ICS security advisories.
The US Cybersecurity and Infrastructure Security Agency (CISA) on June 9th issued an industrial control system (ICS) advisory affecting Mitsubishi Electric Air Conditioning Systems.
POn the 14th of June CISA released three industrial control system (ICS) security advisories, for Johnson Controls Metasys ADS ADX OAS Servers, Meridian Cooperative Meridian, and Mitsubishi Electric MELSEC-Q/L and MELSEC iQ-R.
Other ICS issues were also addressed that day. SecurityWeek reports that Siemens and Schneider Electric between them patched eighty-three vulnerabilities in their products. Siemens addressed fifty-nine vulnerabilities in fourteen advisories, and Schneider Electric fixed twenty-four vulnerabilities, covered in eight advisories.
On June 21st CISA released six industrial control system (ICS) advisories, for OFFIS DCMTK ("mitigations for a path traversal, relative path traversal, NULL pointer reference vulnerability in DCMTK, an OFFIS product of libraries and software that process DICOM image files"), Yokogawa STARDOM ("mitigations for Cleartext Transmission of Sensitive Information, and Use of Hard-coded Credentials vulnerabilities in the Yokogawa STARDOM network control system"), Yokogawa CAMS for HIS ("mitigations for a Violation of Secure Design Principles vulnerability in the Yokogawa Consolidation Alarm Management Software for Human Interface Station"), Secheron SEPCOS Control and Protection Relay ("mitigations for Improper Enforcement of Behavioral Workflow, Lack of Administrator Control over Security, Improper Privilege Management, and Insufficiently Protected Credentials vulnerabilities in the Secheron SEPCOS Control and Protection Relay"), Pyramid Solutions EtherNet/IP Adapter Development Kit ("mitigations for an Out-of-bounds Write vulnerability in the Pyramid Solutions EtherNet/IP Adapter Development Kit"), and Elcomplus SmartICS ("mitigations for Improper Access Control, Relative Path Traversal, and Cross-site Scripting vulnerabilities in the Elcomplus SmartICS web-based HMI").
The agency also issued six industrial control system (ICS) security advisories, for Mitsubishi Electric MELSEC Q and L Series (with "mitigations for an Improper Resource Locking vulnerability in Mitsubishi Electric MELSEC Q and L Series CPUs"), JTEKT TOYOPUC ("mitigations for a Missing Authentication for Critical Function vulnerability in the JTEKT TOYOPUC programmable logic controller"), Phoenix Contact Classic Line Controllers ("mitigations for an Insufficient Verification of Data Authenticity vulnerability in the Phoenix Contact Classic Line Controllers"), Phoenix Contact ProConOS and MULTIPROG (addressing "an Insufficient Verification of Data Authenticity vulnerability in the Phoenix Contact ProConOS and MULTIPROG software development kit"), Phoenix Contact Classic Line Industrial Controllers ("mitigations for a Missing Authentication for Critical Function Insufficient Verification of Data Authenticity vulnerability in the Phoenix Contact Classic Line Industrial Controllers), and, finally, Siemens WinCC OA (with "mitigations for a Use of Client-side Authentication vulnerability in the Siemens SIMATIC WinCC OA software management platform").
CISA released six ICS security advisories on June 28th, for:
- ABB e-Design ("mitigations for an Incorrect Default Permissions vulnerability in ABB e-Design engineering software").
- Omron SYSMAC CS/CJ/CP Series and NJ/NX Series ("mitigations for Cleartext Transmission of Sensitive Information, Insufficient Verification of Data Authenticity, and Plaintext Storage of a Password vulnerabilities in Omron SYSMAC CS/CJ/CP Series and NJ/NX Series programmable logic controllers").
- Advantech iView ("mitigations for a SQL Injection, Missing Authentication for Critical Function, Relative Path Traversal, and Command Injection vulnerabilities in Advantech iView management software").
- Motorola Solutions MOSCAD IP and ACE IP Gateways ("mitigations for a missing authentication for critical function vulnerability in the Motorola Solutions MOSCAD IP and ACE IP Gateways products").
- Motorola Solutions MDLC ("mitigations for Use of a Broken or Risky Cryptographic Algorithm, and Plaintext Storage of a Password vulnerabilities in the Motorola Solutions MDLC protocol parser").
- Motorola Solutions ACE1000 ("mitigations for Use of Hard-coded Cryptographic Key, Use of Hard-coded Credentials, and Insufficient Verification of Data Authenticity vulnerabilities in the Motorola Solutions ACE1000 remote terminal unit").
On June 30th, CISA released six more ICS advisories:
- Exemys RME1 ("mitigations for an Improper Authentication vulnerability in the Exemys RME1 analog acquisition module").
- Yokogawa Wide Area Communication Router ("mitigations for a Use of Insufficiently Random Values vulnerability in the Yokogawa Wide Area Communication Router").
- Emerson DeltaV Distributed Control System ("mitigations for Missing Authentication for Critical Function, Use of Hard-coded Credentials, Insufficient Verification of Data Authenticity, and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in the Emerson DeltaV Distributed Control System software management platform").
- Distributed Data Systems WebHMI ("mitigations for Cross-site Scripting, and OS Command Injection vulnerabilities in the Distributed Data Systems WebHMI SCADA system").
- Mitsubishi Electric FA Engineering Software (Update A) ("[A] follow-up to the original advisory titled ICSA-21-350-05 Mitsubishi Electric FA Engineering Software that was published December 16, 2021, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Out-of-bounds Read, and Integer Underflow vulnerabilities in Mitsubishi Electric's FA Engineering Software products").
- CODESYS Gateway Server (Update A) ("[A] follow-up to the original advisory titled ICSA-15-258-02 3S CODESYS Gateway Server Buffer overflow Vulnerability that was published September 15, 2015, on the ICS webpage at cisa.gov/ics. This advisory provides mitigation details for a Heap-based Buffer Overflow vulnerability in CODESYS Gateway Server products").