At a glance.
- Port and terminal cybersecurity.
- India collaborates on energy sector cybersecurity.
- Cyber attack against Tata Power.
- Sabotage and terrorism directed against infrastructure.
- White House statement on cybersecurity.
- TSA says it will issue new aviation cybersecurity requirements.
- TSA announces railway cybersecurity directive.
- The ransomware threat to industrial organizations.
- CISA's recent Industrial Control System Advisories.
Port and terminal cybersecurity.
US law firm Jones Walker LLP has published the results of a survey on the cybersecurity of ports and terminals in the United States. The study looked at blue-water facilities (adjacent to the open sea) and brown-water facilities (usually located on inland rivers). The survey found that 90% of respondents believed their organizations were prepared to defend against cyberattacks, but 74% said their systems have been subjected to breaches or attempted breaches over the course of the past year.
The report notes that these organizations need to be preparing themselves to comply with the US Cybersecurity and Infrastructure Security Agency’s (CISA’s) new requirements:
“Marine facilities need to be aware, however, of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) that was enacted in March 2022. CIRCIA requires CISA to develop and implement regulations requiring a company that operates in one or more of CISA’s 16 critical infrastructure sectors to report covered cyber incidents and ransomware payments to CISA within 72 hours of the company’s reasonable belief that a cyber incident has occurred and to report ransom payments within 24 hours after a payment is made.
“These new authorities are regulatory in nature and require CISA to complete mandatory rulemaking activities before the reporting requirements go into effect. CIRCIA mandates that CISA develop and publish a Notice of Proposed Rulemaking (NPRM), which will be open for public comment, and a Final Rule. CIRCIA also requires that CISA consult with various entities throughout the rulemaking process, including risk management agencies in CISA’s critical infrastructure sectors, the Department of Justice, other appropriate federal agencies, and a soon-to-be-formed DHS-chaired Cyber Incident Reporting Council. As of the date of our report, this work is underway. Each facility should consult its legal counsel for the latest developments in this process.”
The report also calls for more training for employees and collaboration between organizations in the industry:
“The Jones Walker 2022 Ports and Terminals Cybersecurity Survey found that only 24% of brown water ports and terminals required staff to participate in annual training. As an association dedicated to fostering mutual support among our members, we were also concerned to learn from the Jones Walker survey that [...] 25% (one quarter) of the respondents still do not collaborate with others in the industry to improve cybersecurity efforts. It seems so obvious that one way to thwart cyber attacks is to share best practices and to collaborate with each other across our industry. Industry associations [...] are ideal for this, especially for the smaller facilities along our nation’s inland waterways.”
India collaborates on energy sector cybersecurity.
India Science Wire reports on a collaboration between India’s government-owned Power Grid Corporation of India Limited, the Indian Institute of Science, and the Foundation for Science, Innovation, and Development to improve cybersecurity for India’s power grids. The entities are working together to form a think tank called the “POWERGRID Centre of Excellence in Cybersecurity in Power Transmission and Grid Operation.”
Shri K. Sreekant, Chairman and Managing Director of Power Grid, explained, “Cybersecurity in transmission and grid operations is critical in today’s digital era. Development of robust defence against cybersecurity is of paramount importance in maintaining reliable power supply. Continuous and collaborative research involving academia and industry for development of cyber resilient systems as well as capacity building is the need of the hour towards creating a safe and secure grid.”
Sreekant added that, “POWERGRID, the largest transmission utility of the country, is happy to associate with the Indian Institute of Science, Bangalore, for setting up the POWERGRID Centre of Excellence in Cybersecurity. POWERGRID is committed to provide funding to the extent of Rs 119.02 crores over the next 10 years and also depute its industry experts to this centre to bolster research in this area.”
Cyber attack against Tata Power.
Indian energy company Tata Power disclosed on Friday that it was hit by a cyberattack that affected some of its IT systems, the Record reports. The nature of the attack is unclear, but the company says its operational technology is still functioning.
Mint quotes Tata Power as saying, “The Company has taken steps to retrieve and restore the systems. All critical operational systems are functioning; however, as a measure of abundant precaution, restricted access and preventive checks have been put in place for employee and customer facing portals and touch points. The Company will update on the matter going forward.”
The Economic Times cites a “senior official from the Maharashtra Police's cyber wing” as saying that “an intelligence input had been received about threat to Tata Power and other electricity companies.” The official said the companies have been alerted to the threat.
The indications are that the incident involved a cyberattack against Tata Power’s IT systems, but it bears close watching for any potential effect on, or pivot into, control systems.
Sabotage and terrorism directed against infrastructure.
The sabotage of the Nord Stream pipelines remains under investigation. TASS has stated that Russia is displeased that Gazprom has not been, and no doubt will not be, invited to participate in the inquest. The Ministry of Foreign Affairs called the ambassadors of Germany, Sweden, and Denmark onto the carpet for a dressing down. TASS quotes the Ministry as explaining, "It was stressed that if Russian experts are denied access to the ongoing investigation, Moscow will assume that the abovementioned countries have something to hide or that they are covering up the perpetrators of those terrorist acts. Naturally, Russia will not recognize any ‘pseudo-results’ of such an investigation unless Russian specialists participate."
Physical sabotage inevitably raises the possibility of cyber sabotage. Addressing an energy conference in Moscow, President Putin pointed, with grave and statesmanlike concern, to the Nord Stream sabotage as an example of a growing trend toward "terrorism" directed against infrastructure, the Telegraph reports. The sabotage sets, he said, "a dangerous precedent," something the global community should fear and take steps to address. The sabotage "shows that any critically important object of transport, energy or utilities infrastructure is under threat.” He wasn't concerned at the conference to name culprits (he's blamed NATO, or the US, for the sabotage; almost everyone else suspects Russia), merely to sound a warning.
Russian forces have also been striking Ukrainian civilian infrastructure, especially in Kharkiv and Zaporizhzhia, where electrical power facilities seem to be the principal targets. Ukraine has also warned, the Telegraph reports, that Russian forces have mined a large dam near Kherson with the intention of destroying it and flooding the surrounding countryside in a false flag provocation they would blame on Ukraine. (Russia denies any such activity.)
And it's worth noting that not all outages are caused by sabotage. The Shetland Island undersea cable was cut last Thursday, and some observers initially suspected this was done maliciously. But the Record reports that it appears the cable was severed accidentally by a fishing vessel. Accidents do happen, and this was apparently one of them. But it's worth noting that this outage was prematurely, and widely, attributed to sabotage in social media, and that clearly Russia's now-kinetic war against infrastructure has given people the jitters.
White House statement on cybersecurity.
The White House has issued a statement on the steps the Biden administration has taken to improve cybersecurity for critical infrastructure:
“The Administration has worked closely with key sectors – including transportation, banking, water, and healthcare – to help stakeholders understand cyber threats to critical systems and adopt minimum cybersecurity standards. This includes the introduction of multiple performance-based directives by the Transportation Security Administration (TSA) to increase cybersecurity resilience for the pipeline and rail sectors, as well as a measure on cyber requirements for the aviation sector. Through the President’s National Security Memorandum 8 on Improving Cybersecurity for Critical Infrastructure Control Systems, we are issuing cybersecurity performance goals that will provide a baseline to drive investment toward the most important security outcomes. We will continue to work with critical infrastructure owners and operators, sector by sector, to accelerate rapid cybersecurity and resilience improvements and proactive measures.”
The statement adds, “This month, we will bring together companies, associations and government partners to discuss the development of a label for Internet of Things (IoT) devices so that Americans can easily recognize which devices meet the highest cybersecurity standards to protect against hacking and other cyber vulnerabilities. By developing and rolling out a common label for products that meet U.S. Government standards and are tested by vetted and approved entities, we will help American consumers easily identify secure tech to bring into their homes. We are starting with some of the most common, and often most at-risk, technologies — routers and home cameras — to deliver the most impact, most quickly.”
And needless to say, many of the labeled IoT devices will end up in industrial environments. If you think of the familiar Energy Star labels on products that consume electricity, the anticipated labels can be expected to look something like that.
TSA says it will issue new aviation cybersecurity requirements.
Early this month several US airport websites suffered what appear to be coordinated denial-of-service attacks at the hands of pro-Russian threat actors. In response, Reuters reports, the US Transportation Security Administration (TSA) has announced plans to issue new cybersecurity requirements for critical aviation systems. The new requirements represent in part a response to a 2020 Government Accountability Office report that urged the Federal Aviation Administration (FAA) to tighten regulations for airport cybersecurity protocols. The FAA last month sent a notice directing airports "to consider and address physical and cyber security risks relevant to the transportation mode and type and scale of the project," stating that "projects that have not appropriately considered and addressed physical and cyber security and resilience ... will be required to do so before receiving funds for construction." The TSA stated on Monday that it has already "updated its aviation security programs to require airport and airline operators designate a cybersecurity coordinator and report cybersecurity incidents, conduct a cybersecurity assessment, and develop remediation measures and incident response plans," and that it will "soon issue additional performance-based cybersecurity requirements for critical aviation systems."
TSA announces railway cybersecurity directive.
In related news, TSA has also issued a security directive addressing the cybersecurity of freight railway carriers. Called “Rail Cybersecurity Mitigations and Testing,” the directive’s goal is to protect railway systems from the growing threat of cyberattacks that could disrupt railroad services, preventing the transport of essential goods and, in turn, threatening national security. Railway owners and operators will be required to establish a TSA-approved Cybersecurity Implementation Plan. The goal of such plans would be resilience, ensuring that operations could continue even in the event of an attack. The rail operators will also be asked to establish a Cybersecurity Assessment Program to measure the effectiveness of their protocols.
The ransomware threat to industrial organizations.
Dragos blogged this morning about the ransomware threat industrial organizations confront. It's a longstanding problem. In the third quarter North America was the most targeted region, with Europe running a close second. The most targeted sector was metal products. Dragos researchers mention the customary difficulty involved in tracking ransomware threat actors as they form, shut down, disperse or rebrand, and they also take note of the way in which the threat tracks political conflict. "Dragos observed ransomware trends tied to political and economic reasons, such as the conflict between Russia and Ukraine and Iranian and Albanian political tensions. Dragos observed another trend related to the global crisis of energy supplies and prices, which may have caused Ragnar Locker, AlphaV and possibly other ransomware groups to increase their activities targeting Energy sectors."
Looking ahead to the fourth quarter, "Dragos assesses with high confidence that ransomware will continue to disrupt industrial operations, whether through the integration of OT kill processes into ransomware strains, flattened networks allowing for ransomware to spread into OT environments, or through precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to OT systems. Due to the changes in ransomware groups and the leaking of the Lockbit 3.0 builder, Dragos assesses with moderate confidence that more new ransomware groups will appear in the next quarter, as either new or reformed ones."
CISA's recent Industrial Control System Advisories.
The US Cybersecurity and Infrastructure Security Agency (CISA) on September 28th released six Industrial Control System Advisories: ICSA-22-272-01 Hitachi Energy MicroSCADA Pro X SYS600_8DBD000106 ("Improper Input Validation, Improper Privilege Management, Improper Access Control, Improper Handling of Unexpected Data"), ICSA-22-272-02 Hitachi Energy MicroSCADA Pro X SYS600_8DBD000107 ("NULL Pointer Dereference, Infinite Loop"), ICSMA-22-251-01 Baxter Sigma Spectrum Infusion Pump (Update A) ("Missing Encryption of Sensitive Data, Use of Externally Controlled Format String, Missing Authentication for Critical Function"), ICSA-22-235-01 ARC Informatique PcVue (Update A) ("Cleartext Storage of Sensitive Information"), ICSA-22-244-01 Delta Electronics DOPSoft (Update A) ("Out-of-bounds Read"), and ICSA-21-182-03 Delta Electronics DOPSoft (Update B) ("Out-of-bounds Read").
On October 4th CISA released five Industrial Control System (ICS) Advisories. The notices affected Johnson Controls Metasys ADX Server (improper authentication "could allow an Active Directory user to execute validated actions without providing a valid password"), Hitachi Energy Modular Switchgear Monitoring (cross-site request forgery and HTTP response splitting "could allow an attacker to perform malicious command injection, trick a valid user into downloading malicious software onto their computer;" "successful exploitation may also allow an attacker to pose as a legitimate user"), Horner Automation Cscape (out-of-bounds write and access of uninitialized pointer vulnerabilities "could allow local attackers to execute arbitrary code"), Omron CX-Programmer (an out-of-bounds write vulnerability could be exploited to crash a device or allow arbitrary code execution), and BD Totalys MultiProcessor (hard-coded credentials "could allow an attacker to access, modify, or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI), and personally identifiable information (PII)").
Coinciding with Patch Tuesday, CISA issued three industrial control system advisories, for Altair HyperView Player, Daikin SVMPC1 and SVMPC2, and Sensormatic Electronics C-CURE 9000.
An unusually large tranche of Advisories appeared on October 13th, as CISA released a total of 25, addressing issues in Siemens LOGO!, Siemens Industrial Edge Management, Siemens Solid Edge, Siemens SIMATIC S7-1200 and S7-1500 CPU Families, Hitachi Energy Lumada Asset Performance Management Prognostic Model Executor Service, Siemens Desigo PXM Devices Webserver, Siemens Nucleus RTOS FTP Server, Siemens TCP Event Service of SCALANCE and RUGGEDCOM Devices, Siemens SICAM P850 and P855 Devices, Siemens JT Open Toolkit and Simcenter Femap, Siemens SCALANCE and RUGGEDCOM Products, Siemens APOGEE, TALON and Desigo PXC/PXM Products, Siemens LOGO! 8 BM Devices, Siemens SIMATIC HMI Panels, Siemens SCALANCE X-200 and X-200IRT Families, Siemens Desigo CC and Cerberus DMS, Mitsubishi Electric MELSEC iQ-R Series (Update A), a second Mitsubishi Electric MELSEC iQ-R Series advisory (Update A), Siemens PROFINET Stack Integrated on Interniche Stack (Update D), Siemens SINEC NMS (Update A), Siemens SCALANCE (Update A), Siemens SCALANCE W1750D (Update A), Siemens Apache HTTP Server (Update A), Siemens OpenSSL Affected Industrial Products (Update D), and Siemens Industrial Products with OPC UA (Update C).
On October 18th the agency released two industrial control system (ICS) advisories, for Advantech R-SeeNet (mitigation for "Path Traversal, Stack-based Buffer Overflow") and Hitachi Energy APM Edge (Update A) (mitigation for "Reliance on Uncontrolled Component").
On October 20th, CISA released three Industrial Control System (ICS) Advisories, for Bentley Systems MicroStation Connect (remediations for "Stack-based Buffer Overflow, Out-of-bounds Read"), B. Braun Infusomat Space Large Volume Pump (Update A) (remediations for "Unrestricted Upload of File with Dangerous Type, Cleartext Transmission of Sensitive Information, Missing Authentication for Critical Function, Insufficient Verification of Data Authenticity, and Improper Input Validation"), and B. Braun SpaceCom Battery Pack SP with Wi-Fi and Data module compactplus (Update A) (remediations for "Cross-site Scripting, Open Redirect, XPath Injection, Session Fixation, Use of a One-way Hash without a Salt, Relative Path Traversal, Improper Verification of Cryptographic Signature, Improper Privilege Management, Use of Hard-coded Credentials, Active Debug Code, Improper Access Control").
And, finally, on October 25th, CISA issued eight more ICS Advisories, for AliveCor KardiaMobile ("Authentication Bypass by Assumed-immutable Data, Missing Encryption of Sensitive Data"), Haas Controller ("Missing Authentication for Critical Function, Insufficient Granularity of Access Control, Cleartext Transmission of Sensitive Information"), HEIDENHAIN Controller TNC ("Improper Authentication"), Siemens Siveillance Video Mobile Server ("Weak Authentication"), Hitachi Energy MicroSCADA X DMS600 ("Reliance on Uncontrolled Component"), Johnson Controls CKS CEVAS ("Cross-site Scripting"), Delta Electronics DIAEnergie ("Cross-site Scripting, SQL Injection"), and Delta Electronics InfraSuite Device Master ("Deserialization of Untrusted Data, Path Traversal, Missing Authentication for Critical Function").