At a glance.
- Zero-days affect industrial routers.
- Israeli and Palestinian hacktivists target ICS.
- Johnson Controls sustains cyberattack.
- Ransomware attack on Clorox.
- Colonial Pipeline says new ransomware claims are due to an unrelated third-party breach.
- Coinmining as an (alleged, potential) front for espionage or stage for sabotage.
- Nearly 100,000 ICS services exposed to the Internet.
- Microsoft on the state of OT security.
- CISA views China as the top threat to US critical infrastructure.
- FBI anticipates an increase in Chinese and Russian targeting of the energy sector.
- Joint advisory warns of Beijing’s “BlackTech” threat activity.
- NSA releases ICS intrusion detection signatures.
- CISA's push for hardware bills of materials.
- Improving security for open-source ICS software.
- Homeland Security IG finds flaws in TSA pipeline security regulations.
- EPA withdraws water system cybersecurity memorandum.
- Cybersecurity in the US industrial base.
- Most organizations are struggling with IoT security.
- CISA ICS advisories.
Zero-days affect industrial routers.
Cisco Talos has disclosed ten zero-day vulnerabilities affecting Yifan YF325 industrial cellular routers that could lead to buffer overflows and remote code execution. According to Yifan’s website, YF325 routers are “widely used on M2M fields, such as self-service terminal industry, intelligent transportation, smart grid, industrial automation, telemetry, finance, POS, water supply, environment protection, post, weather, and so on.” All of the vulnerabilities were assigned a severity score of 9.8.
Talos notified the vendor of the vulnerabilities in June, and is disclosing the flaws in accordance with its vulnerability disclosure policy.
Israeli and Palestinian hacktivists target ICS.
Researchers at Cybernews are tracking targeting of industrial control systems by pro-Israeli and pro-Palestinian hacktivists. While it's not clear if any of these attempts have been successful, the researchers note: “As per Cybernews’ findings, some Israeli organizations are exposing their Modbus, a SCADA communications protocol. In fact, researchers found 400 such occurrences. Researchers also discovered that nearly 150 Message Queuing Telemetry Transport (MQTT) ports remain open – this system is responsible for communication between MES (manufacturing execution system) and SCADA. When it comes to Palestine, its organizations are also exposing Modbus and MQTT, as well as Siemens automation and Symantec systems.”
Again, while hacktivist organizations have claimed to have executed attacks on ICS, those claims are so far at best unconfirmed, and it’s worth remembering that hacktivists are much given to exaggeration and self-promotion. But prudent operators will be on their guard nonetheless (even though hacktivists, like criminals, are known to do a lot of lying; see the notes on Colonial Pipeline, below, for a good example of criminal fibbing).
Johnson Controls sustains cyberattack.
Building automation company Johnson Controls International has sustained a major ransomware attack that’s affected the operations of several of the company’s subsidiaries, BleepingComputer reports. The attackers have encrypted the company’s VMware ESXi servers and claim to have stolen more than 27 terabytes of corporate data. BleepingComputer cites a source as saying that the attackers are demanding a $51 million ransom.
Johnson Controls confirmed a “cybersecurity incident” in an 8-K filing with the SEC, stating, “The Company continues to assess what information was impacted and is executing its incident management and protection plan, including implementing remediation measures to mitigate the impact of the incident, and will continue taking additional steps as appropriate.”
Lior Yaari, CEO and co-founder of Grip Security, commented: “Johnson Controls is one of the leaders in digital technologies and services for buildings in key industries such as healthcare, airports, hotels, and stadiums. If the breach expands beyond the company itself to the systems deployed by their customers, this attack could wreak havoc on huge swaths of businesses. Their OpenBlue platform is a SaaS application whose users could be targeted from compromised identities that result from this recent attack. JCI needs to thoroughly assess what data is at risk and advise its customers whether they may be affected.”
Ransomware attack on Clorox.
Bloomberg reports that Scattered Spider, the ALPHV-affiliated gang associated with the ransomware incidents at MGM Resorts and Caesars Entertainment, is now believed to have also been responsible for the cyberattack against Clorox. The company has been concerned about the effect of the attack on its business, since production of several product lines was interrupted during the incident. The Wall Street Journal writes that Clorox warned that the incident caused sales to fall between 23% and 28% for the quarter that closed on September 30th. The company will also show a loss for the quarter; it had projected roughly $150 million in profit. Thus the cyberattack was clearly material under any construal of the SEC's new reporting regulations.
The incident highlights how ransomware attacks against IT systems can indirectly impact industrial operations by inducing an organization to shut down systems out of fear of cross-infection.
Colonial Pipeline says new ransomware claims are due to an unrelated third-party breach.
Colonial Pipeline has shut down rumors that it was hit by another ransomware attack, Fox 5 Atlanta reports. The Record cites a Colonial Pipeline spokesperson as saying, “Colonial Pipeline is aware of unsubstantiated claims posted to an online forum that its system has been compromised by an unknown party. After working with our security and technology teams, as well as our partners at CISA, we can confirm that there has been no disruption to pipeline operations and our system is secure at this time. Files that were posted online initially appear to be part of a third-party data breach unrelated to Colonial Pipeline.” So the criminals are lying, which, as Dragos CEO Rob Lee points out, should surprise no one.
Coinmining as an (alleged, potential) front for espionage or stage for sabotage.
Coin mining is famously hungry for both electrical and computational power. It's now far advanced from the days when it might have been possible for some regular Joe to make some money on his laptop. Coin mining operations are now, effectively, large, powerful, single-purpose data centers. Some of the mines are owned, sometimes via a series of cutouts, by the Chinese government or Chinese corporations, and the US has begun taking note. The New York Times reports, “In at least 12 states, including Arkansas, Ohio, Oklahoma, Tennessee, Texas, and Wyoming, The Times identified Chinese-owned or -operated Bitcoin mines that together use as much energy as 1.5 million homes. At full capacity, the Cheyenne, Wyo., mine alone would require enough electricity to power 55,000 houses.” The Wyoming mine is particularly interesting. It's situated between a big Microsoft data center that supports the US Department of Defense and F.E. Warren Air Force Base, a command center for US intercontinental ballistic missiles.
Microsoft warned the US Treasury Department's Committee on Foreign Investment in the United States last year of the threat such installations could pose. The mines are positioned to be able to collect intelligence on sensitive activity, and their consumption of electrical power is so high that they can stress the power grid, or, by cycling that consumption, upset the balance on which a reliable grid depends. The prospect of destabilizing the grid is probably the more serious of the risks. Coin mines are largely unregulated, and US agencies are considering the possibility of prescribing how rapidly they can start and stop their active mining operations.
Nearly 100,000 ICS services exposed to the Internet.
BitSight has identified nearly 100,000 industrial control systems exposed to the Internet, particularly in the education, technology, government and politics, and business sectors. The researchers note, however, that overall there’s been a steady decline in Internet-exposed ICS services since 2019. So in some respects this is actually a good-news story.
BitSight adds, “Exposed systems and devices communicating via the Modbus and S7 protocols are more common in June 2023 than before, with the former increasing in prevalence from 2020 and the latter more recently from mid-2022. However, exposed industrial control systems communicating via Niagara Fox have been trending downward since roughly 2021. Organizations should be aware of these changes in prevalence to inform their OT/ICS security strategies.”
Microsoft on the state of OT security.
Microsoft’s Digital Defense Report for 2023, in collaboration with researchers at aDolus, looks at the state of IoT and OT security, finding that 78% of devices in industrial control networks contain vulnerabilities. 46% of these devices cannot be patched, often because their firmware is no longer supported.
Microsoft adds, “We found a significant lag between the availability of security fixes in firmware and their deployment onto the OT network. Although many of the PLC models showed a marked reduction in high confidence exploitable CVEs from older versions to the newest versions, over 60 percent of devices were still running older versions of the firmware with eight or more exploitable CVEs. If the latest version of the firmware available for these PLC models were to be deployed, the number of devices with no known exploitable CVEs would increase from four to 40 percent.”
CISA views China as the top threat to US critical infrastructure.
The US Cybersecurity and Infrastructure Security Agency (CISA) considers China to be the top nation-state threat to US critical infrastructure, Utility Dive reports. CISA Director Jen Easterly said at the Secureworks Threat Intelligence Summit that China-aligned threat actors are focused on battlespace preparation against US infrastructure in case a military conflict breaks out. “Even if we are aware of this threat, it may be difficult to find these actors in our infrastructure and so we have to work to ensure that our systems and our businesses and our networks are resilient,” Easterly said.
FBI anticipates an increase in Chinese and Russian targeting of the energy sector.
The Record reports that the FBI has issued an alert warning the energy industry to expect an increase in cyber activity from Chinese and Russian hackers. The Record says the alert cites several factors that may lead to such an escalation, including “increased U.S. exports of liquefied natural gas (LNG); changes in the global crude oil supply chain favoring the U.S.; ongoing Western pressure on Russia’s energy supply; and China’s reliance on oil imports.”
As sanctions continue to bite Russian exports, and as China’s appetite for oil grows, US LNG facilities increase in value, and where there’s greater value, there’s also usually greater risk.
Joint advisory warns of Beijing’s “BlackTech” threat activity.
A Joint Cybersecurity Advisory issued by US and Japanese security and intelligence agencies warns of BlackTech, an industrial espionage activity cluster operated by China. The threat actor is targeting “government, industrial, technology, media, electronics, telecommunication, and defense industrial base sectors.”
BlackTech has shown the ability to modify router firmware undetected, and to “exploit routers’ domain-trust relationships.” The campaign begins by compromising routers in subsidiary companies and then pivots from the subsidiaries to corporate headquarters in the US and Japan. The goal of BlackTech's collection has for the most part been the acquisition of intellectual property.
NSA releases ICS intrusion detection signatures.
The US National Security Agency has published a GitHub repository containing intrusion detection signatures and analytics for ICS, SCADA, and other OT environments, SecurityWeek reports. NSA says the repository is meant to "enable Critical Infrastructure Defenders, Intrusion Analysts, and others to implement continuous and vigilant system monitoring." The agency adds, "These signatures/analytics aren't necessarily malicious activity. They require follow on analysis to truly determine if this activity is malicious or not."
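Analytics of the kind NSA describes produce leads for follow-on review, not verdicts, and the Cybernews item above shows why Modbus traffic is worth watching. The following is an added example, not code from NSA's repository or from Cybernews: a small Python analytic that parses constructed Modbus/TCP frames (MBAP header plus PDU) and flags write function codes from hosts outside an assumed engineering-workstation allowlist, exception responses, and malformed frames. The allowlist, IP addresses and frames are all assumptions.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state (the write functions from
# the Modbus application protocol spec). Reads are 0x01-0x04.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

# Assumed: the only hosts permitted to issue writes to PLCs (engineering workstations).
AUTHORIZED_WRITERS = {"10.10.1.5"}


@dataclass
class ModbusPDU:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    payload: bytes


def parse_modbus_tcp(src, dst, frame):
    """Parse one Modbus/TCP frame: a 7-byte MBAP header followed by the PDU.
    MBAP = transaction id (2), protocol id (2, must be 0), length (2), unit id (1);
    the length field counts unit id + PDU, i.e. total length minus 6.
    Returns None when the frame is not well-formed Modbus/TCP."""
    if len(frame) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        return None
    return ModbusPDU(src, dst, tid, uid, frame[7], frame[8:])


def analyze(frames, allowlist=AUTHORIZED_WRITERS):
    """Run the analytic over (src, dst, raw_frame) tuples and return findings.
    Each finding is a dict with a human-readable reason; every one needs an
    analyst to decide whether it is benign (e.g. a new workstation) or not."""
    findings = []
    for src, dst, raw in frames:
        pdu = parse_modbus_tcp(src, dst, raw)
        if pdu is None:
            findings.append({"src": src, "dst": dst, "reason": "malformed Modbus/TCP frame"})
        elif pdu.function in WRITE_FUNCTIONS and src not in allowlist:
            findings.append({"src": src, "dst": dst, "function": pdu.function,
                             "reason": f"{WRITE_FUNCTIONS[pdu.function]} from unauthorized host"})
        elif pdu.function & 0x80:
            # Exception response (function | 0x80): the device rejected a request.
            # Bursts of these often mean someone is probing register ranges.
            code = pdu.payload[0] if pdu.payload else None
            findings.append({"src": src, "dst": dst, "function": pdu.function,
                             "reason": f"exception response code {code}"})
    return findings


# Constructed sample traffic: a legitimate read, an unauthorized write, an
# exception response to that write, and a frame with a bad protocol id.
SAMPLE_FRAMES = [
    ("10.10.1.5", "10.10.2.20", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    ("10.10.3.77", "10.10.2.20", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\xff"),
    ("10.10.2.20", "10.10.3.77", b"\x00\x02\x00\x00\x00\x03\x01\x86\x02"),
    ("10.10.3.77", "10.10.2.20", b"\x00\x03\x00\x01\x00\x06\x01\x03"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FRAMES):
        print(finding)
```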
CISA's push for hardware bills of materials.
The US Cybersecurity and Infrastructure Security Agency (CISA) released its Hardware Bill of Materials Framework for Supply Chain Risk Management. Created by the Information and Communications Technology Supply Chain Risk Management Task Force, the document provides guidelines by which tech manufacturers can clearly communicate with buyers about the hardware components of their products. The goal is akin to a nutrition label found on a package of food, giving the consumer – in this case, tech purchasers – a clearer idea of the ingredients the product contains, and in turn the inherent risks of using it.
CISA National Risk Management Center Assistant Director and ICT SCRM Task Force Co-Chair Mona Harrington stated in a press release, “With standardized naming, comprehensive information, and clear guidance, organizations can safeguard against economic and security risks, enhancing overall resilience. By enhancing transparency and traceability through HBOM, stakeholders can identify and address potential risks within the supply chain, ensuring that the digital landscape remains robust and secure against emerging threats and challenges.”
The framework offers a set of potential use cases that purchasers may have for HBOMs, a format that should be used to create consistency across HBOMs, and a taxonomy of component/input attributes that should be included in the HBOM. As NextGov notes, adherence to the framework is voluntary, but in the absence of mandatory guidance, the task force hopes the document will lead to a more consistent approach.
Improving security for open-source ICS software.
CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the US Department of the Treasury have released guidance on improving the security of open-source software for operational technology and industrial control systems. The guidance provides recommendations for “supporting OSS development and maintenance, managing and patching vulnerabilities in OT/ICS environments, and using the Cross-Sector Cybersecurity Performance Goals (CPGs) as a common framework for adopting key cybersecurity best practices in relation to OSS.”
The guidance emerged from a public-private partnership. CISA consulted Accenture, Claroty, Dragos, Fortinet, Google, Honeywell, Microsoft, Nozomi Networks, NumFOCUS, the OpenSSF / Linux Foundation, Rockwell Automation, the Rust Foundation, Schneider Electric, Schweitzer Engineering Laboratories, Siemens, and Xylem. These stakeholders brought wide experience in information technology, operational technology, industrial control systems, cybersecurity, software design, and risk management.
The guidance, sensibly, makes “safety a priority.” That’s entirely reasonable given the potential for an ICS incident to have kinetic effects that could induce unsafe conditions. Should a system come under attack, graceful degradation, for example, is one realistic option, as are fail-safe designs. “Fail-safe” doesn’t mean “safe from failure.” Rather it means that, if a system fails, it fails into a safe condition as opposed to a dangerous one.
The document also notes some of the ways IT differs from OT. Common best-practices that have evolved to help secure IT can’t always be applied mechanically or unproblematically to OT systems. Consider patching. Keeping patches up-to-date is always one of the first best practices recommended. Even with IT systems it’s not always quite so straightforward. With OT systems, involving as they do even more complex dependencies, interaction with more legacy systems, and the overarching importance of availability, it’s a much more difficult proposition. And, as the recommendations say, there’s also a convergence between OT and IT proper, especially with respect to open source software.
Insofar as it’s possible, CISA and its partners recommend always following secure-by-design and secure-by-default development practices. These can be challenging, especially when open-source software is used. “The diverse way [open-source software] can be integrated into OT products can make it difficult to know whether certain software modules, and their associated vulnerabilities, are present and/or exploitable. Additional challenges include an overall minimized opportunity to patch and increased aversion to new variables added into production environments because of the often stringent uptime requirements for OT environments.”
CISA organizes its high-level recommendations for managing open-source risk under two heads: transparency and verifiability.
Transparency includes:
- What assets an organization owns and operates (asset-management transparency).
- What software each software asset contains (and here a Software Bill of Materials can be helpful).
- The supplier’s process for updating firmware and software.
- Ensuring that the software an organization's assets are running is in fact the software that the developer wrote, and that the developer who wrote the software is the intended developer, the one who’s supposed to have written it.
Verifiability, which CISA describes as “the ability to confirm the authenticity of information and data related to systems,” includes:
- Users’ identity and access restrictions.
- Data integrity, “the accuracy and validity of data throughout its lifecycle.”
- Ensuring that software is functioning as specified.
- And, of course, overall system security.
The document contains a number of concise yet actionable recommendations. It’s worth your attention; read the whole thing. It’s just nine pages long, and worth a close reading.
Homeland Security IG finds flaws in TSA pipeline security regulations.
A redacted version of a report by the Office of the Inspector General at the Department of Homeland Security has been released. The IG was looking into the Transportation Security Administration’s (TSA’s) formulation and enforcement of pipeline safety regulations after the May 2021 ransomware attack against Colonial Pipeline.
TSA responded with two regulations:
- Security Directive Pipeline-2021-01, “Enhancing Pipeline Cybersecurity (SD-01),” issued on May 26th, 2021, required operators of “critical” pipelines (those that carry hazardous fluids and natural gas) to designate a cybersecurity coordinator, report cyber incidents, and conduct a vulnerability assessment.
- The second regulation, Security Directive Pipeline-2021-02, “Pipeline Cybersecurity Mitigation Actions, Contingency Planning, and Testing,” issued on July 19th of that year, required owners and operators of pipelines designated as “critical” “to implement additional and immediately needed cybersecurity measures to prevent disruption and degradation to their infrastructure in response to an ongoing threat.”
The IG found that TSA, while it properly worked with stakeholders to develop the rules, didn’t effectively follow up to track compliance. The IG made three recommendations, all of them procedural enhancements:
- “We recommend the TSA Assistant Administrator for Policy, Plans, and Engagement, in consultation with interagency partners, such as the Department of Transportation, complete rulemaking that will permanently codify critical cybersecurity requirements for pipelines.”
- “We recommend the TSA Assistant Administrator for Surface Operations develop standard operating procedures and a formal tracking system to ensure consistent tracking and follow-up of the implementation of security directives and eventual regulations.”
- “We recommend the TSA Assistant Administrator for Surface Operations include in TSA’s standard operating procedures developed in response to recommendation 2, a requirement to conduct follow-up inspections that ensure pipeline operators have completed mitigation activities to address cybersecurity vulnerabilities.”
TSA has concurred with the IG’s report and its recommendations.
EPA withdraws water system cybersecurity memorandum.
The US Environmental Protection Agency (EPA) has rescinded a memorandum issued in March 2023 addressing cybersecurity for public water systems, Nextgov reports. The withdrawal is the result of ongoing litigation between the EPA and the states of Missouri, Arkansas, and Iowa. The US Court of Appeals for the Eighth Circuit in July ordered a halt of the memorandum’s enforcement after state lawmakers argued that smaller water suppliers lacked the resources to meet the requirements.
Cybersecurity in the US industrial base.
Aprio has released the results of a survey looking at cybersecurity in the manufacturing industry, finding that “nearly two-thirds of manufacturers experienced unauthorized access to their companies’ networks and data in the past year.” The survey also found that “fewer than half of companies surveyed report having a cybersecurity policy and only 36% have enhanced IT security.”
Aprio adds, “Manufacturers can leverage digital tools to achieve competitive advantage by sharing information across functions and with supply-chain partners to improve productivity and respond in real-time to operational problems. But most companies are not utilizing this – in fact, 39% of surveyed manufacturers are using 5G networks and only 21% are using edge computing.”
Most organizations are struggling with IoT security.
Keyfactor has released the results of a survey conducted by Vanson Bourne finding that 97% of organizations “are struggling to secure their IoT and connected products to some degree.” The researchers “found that 89% of respondents’ organizations that operate and use IoT and connected products have been hit by cyber-attacks at an average cost of $250K. Furthermore, in the past three years, 69% of organizations have seen an increase in cyber attacks on their IoT devices.”
CISA ICS advisories.
CISA has released an ICS advisory for a vulnerability affecting Mitsubishi Electric MELSEC-Q Series PLCs. The vulnerability can be exploited remotely to cause uncontrolled resource consumption, resulting in resource exhaustion. CISA explains, “A remote attacker can send specific packets over several ports on the affected products that will result in an Ethernet communication crash.”
CISA released nineteen more ICS advisories on October 12th regarding vulnerabilities affecting products from Siemens, Weintek, Hikvision, Advantech, Schneider Electric, Santesoft, and PTC.
On October 17th, the agency issued two advisories for vulnerabilities affecting Schneider Electric EcoStruxure Power Monitoring Expert and Power Operation products and Rockwell Automation FactoryTalk Linx.
And on October 19th, CISA published an advisory for a set of critical vulnerabilities affecting Hitachi Energy's RTU500 Series.