At a glance.
- White House releases the National Cybersecurity Strategy.
- The President's Budget aligns with the National Cybersecurity Strategy.
- TSA issues new cybersecurity requirements for the aviation industry.
- Ransomware Vulnerability Warning Pilot supports critical infrastructure operators.
- 2022 ICS/IoT Cybersecurity Year in Review.
- Cranes as a security threat.
- EPA Memo requires water systems to include cybersecurity in their safety audits.
- MKS Instruments discloses ransomware incident.
- Ransomware hits a major food producer.
- Red-teaming critical infrastructure.
- LockBit claims attack on water utility in Portugal.
- Schneider PLC vulnerabilities.
- CISA releases ICS advisories.
White House releases the National Cybersecurity Strategy.
The White House last week released the National Cybersecurity Strategy. The strategy refocuses roles, responsibilities, and resource allocations in the digital ecosystem, with a five-pillar approach. The White House shared that two primary goals of the strategy are to “rebalance the responsibility to defend cyberspace,” by shifting the burden of cybersecurity away from individuals and onto specialized organizations in the sector, as well as to “realign incentives to favor long-term investments” by balancing threat defense with smart planning and investment.
The strategy prioritizes ease and effectiveness of cybersecurity implementation, quick recovery from incidents, and reinforcement of digital values, corresponding to the three points highlighted by the administration: defensibility, resiliency, and values-alignment.
The strategy has five core tenets: “Defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships to pursue shared goals.”
President's Budget aligns with National Cybersecurity Strategy.
The President's Budget for Fiscal Year 2024 has been published, and it addresses cybersecurity across the spectrum of the Federal Government's operations. The Budget will now go to Congress for the usual review, debate, modification, and passage. Throughout, the Budget ties its cybersecurity spending requests to the National Cybersecurity Strategy.
The President's message in the opening pages of the document says, in part, "this Budget cements our commitment to confronting global challenges and keeping America safe. It outlines crucial investments to out-compete China globally and to continue support for Ukraine in the face of unprovoked Russian aggression. It also continues our work to restore America’s global leadership—reviving key alliances and partnerships, strengthening our military, fostering democracy and human rights, protecting global health, honoring our veterans, fixing our immigration system at home, and advancing cybersecurity through implementation of the National Cybersecurity Strategy I just signed."
Of particular interest are the requests made on behalf of the Departments of Energy and Homeland Security. Energy is set to receive, pending Congressional passage of the Budget, $245 million "to enhance the security of clean energy technologies and the energy supply." In the Department of Homeland Security the Cybersecurity and Infrastructure Security Agency would get $3.1 billion, an increase of $145 million over present allocations.
TSA issues new cybersecurity requirements for the aviation industry.
The US Transportation Security Administration (TSA) last week issued an emergency cybersecurity amendment for the security programs of airport and aircraft operators. The TSA says the measures are urgent due to "persistent cybersecurity threats against U.S. critical infrastructure, including the aviation sector." The amendment "requires that impacted TSA-regulated entities develop an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure." This will include the following steps:
- "Develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa;
- "Create access control measures to secure and prevent unauthorized access to critical cyber systems;
- "Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations;
- "Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology."
Ransomware Vulnerability Warning Pilot supports critical infrastructure operators.
The US Cybersecurity & Infrastructure Security Agency (CISA) has announced the launch of the Ransomware Vulnerability Warning Pilot (RVWP), a support program designed to help critical infrastructure operators protect themselves against ransomware attacks. Authorized by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, the RVWP will help CISA detect vulnerabilities susceptible to exploitation by ransomware and alert critical infrastructure operators so that the flaws can be mitigated before attacks occur. As Bleeping Computer notes, the RVWP is part of the US’s wider initiative to defend against the rising threat of ransomware that began after a wave of cyberattacks on critical infrastructure operators and government agencies. Interested organizations can email CISA at vulnerability@cisa.dhs.gov to enroll.
2022 ICS/IoT Cybersecurity Year in Review.
The 2022 ICS/IoT Cybersecurity Year in Review is out. In this annual report, Dragos describes emergent threats to supply chains (notably CHERNOVITE's PIPEDREAM toolkit), the effects of Russia's war against Ukraine on industrial cybersecurity, and the growing and continued threat of ransomware. It also endorses and explains the SANS Institute's Five ICS Cybersecurity Critical Controls: ICS-Specific Incident Response, Defensible Architecture, ICS Network Visibility, Secure Remote Access, and Risk-Based Vulnerability Management.
Cranes as a security threat.
The US government is concerned that Chinese-made ship-to-shore cranes could pose a national security threat, the Wall Street Journal reports. The cranes in question are manufactured by the Chinese company ZPMC, which a US official said makes around 80% of ship-to-shore cranes used at US ports. The Journal explains that these cranes “contain sophisticated sensors that can register and track the provenance and destination of containers, prompting concerns that China could capture information about material being shipped in or out of the country to support U.S. military operations around the world.”
The government doesn’t point to any instances of cranes actually being used for these purposes, but the defense policy bill passed by the US Congress at the end of last year requires the Transportation Department’s maritime administrator to conduct a study to determine whether these cranes could pose cybersecurity threats. Note that the immediate risk being reported is a threat to information security, not necessarily to the operation of the cranes themselves: the concern is so far about espionage as opposed to sabotage.
EPA Memo requires water systems to include cybersecurity in their safety audits.
The US Environmental Protection Agency (EPA) on Friday issued a memorandum “stressing the need for states to assess cybersecurity risk at drinking water systems to protect our public drinking water.” The memorandum requires that states include cybersecurity when they conduct audits of water systems. The agency said in a statement, “While some public water systems (PWSs) have taken important steps to improve their cybersecurity, a recent survey and reports of cyber-attacks show that many have not adopted basic cybersecurity best practices and are at risk of cyber-attacks — whether from an individual, criminal collective, or a sophisticated state or state-sponsored actor. This memorandum requires states to survey cyber security best practices at PWSs.”
MKS Instruments discloses ransomware incident.
MKS Instruments, a Massachusetts-based supplier of "instruments, systems, subsystems and process control solutions that measure, monitor, deliver, analyze, power and control critical parameters of advanced manufacturing processes," has filed a Form 8-K with the US Securities and Exchange Commission (SEC) disclosing a ransomware attack and describing the attack's consequences. John T.C. Lee, President and Chief Executive Officer of MKS said, “We are well into the recovery phase of our manufacturing and service operations following the ransomware incident identified on February 3rd, and we expect these operations will be restored over the coming weeks.”
Since the ransomware incident will have a material impact on the company's first quarter results, and it's still unclear what that impact will be, MKS is delaying its first quarter guidance. Nonetheless, "the Company currently estimates the impact from the incident on first quarter revenue to be at least $200 million" out of revenue expected to amount to about $1 billion.
The effects weren’t confined to the initial victim. The attack disrupted supply chains as well. Semiconductor technology giant Applied Materials saw financial losses of $250 million in sales this quarter due to a cyberattack, the Silicon Valley Business Journal reports. A ransomware attack impacted one of the company’s third-party suppliers, deduced by industry analysts to be MKS Instruments, the Record reports. The Record quotes Applied Materials CEO Gary Dickerson as saying in a conference call, “Very recently, one of our major suppliers encountered a disruption that will impact our second-quarter shipments." In a recent earnings report release from Applied Materials, the company anticipates the second fiscal quarter of this year to net $6.40 billion and cites “ongoing supply chain challenges and a negative estimated impact of $250 million dollars related to a cybersecurity event recently announced by one of our suppliers.”
Ransomware hits a major food producer.
A ransomware attack on fruit and vegetable distributor Dole led the company to interrupt operations at its North American processing plants, CNN Business reports. A February 10th memo from the senior vice president of the company's Fresh Vegetables division said, “Dole Food Company is in the midst of a Cyber Attack and have subsequently shut down our systems throughout North America.” The shutdown affected deliveries of salad kits to food retailers. The specific strain of ransomware involved has not been publicly disclosed, but on February 22nd the company posted the following disclosure to its website:
"Dole plc (DOLE:NYSE) announced today that the company recently experienced a cybersecurity incident that has been identified as ransomware. Upon learning of this incident, Dole moved quickly to contain the threat and engaged leading third-party cybersecurity experts, who have been working in partnership with Dole’s internal teams to remediate the issue and secure systems.
"The company has notified law enforcement about the incident and are cooperating with their investigation. While continuing to investigate the scope of the incident, the impact to Dole operations has been limited."
Red-teaming critical infrastructure.
The US Cybersecurity and Infrastructure Security Agency (CISA) has published the findings of a red team assessment the agency carried out against a large critical infrastructure organization last year. The operation, conducted at the request of the organization, lasted three months. The red team was able to gain access to two workstations via spearphishing attacks. The team was also able to move laterally within the network, but was unable to gain access to the organization's sensitive business systems after running up against multifactor authentication measures and time constraints. However, CISA believes that “by using Secure Shell (SSH) session socket files ... they could have accessed any hosts available to the users whose workstations were compromised.”
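The "session socket files" CISA refers to are the control sockets OpenSSH creates when connection multiplexing (ControlMaster) is enabled: while such a socket exists, new sessions to the same host reuse the already-authenticated connection, so a workstation compromise can outlive the MFA prompt that protected the first login. A defender's first check is therefore whether client configurations leave those sockets around, and for how long. The script below is an added example, not CISA's code or the assessed organization's configuration. It parses ssh_config-style text (the format of ~/.ssh/config and /etc/ssh/ssh_config), resolves the effective ControlMaster, ControlPersist and ControlPath for named hosts using OpenSSH's first-obtained-value rule, and grades each host by how long a reusable socket would exist. The sample configuration and hostnames are constructed for the example; Match blocks are skipped rather than evaluated, and pattern matching approximates OpenSSH's * and ? wildcards with fnmatch.

```python
"""Audit OpenSSH client config for connection-multiplexing settings that leave
reusable session sockets behind. Added example; assumptions are marked inline."""

import fnmatch
import re
from dataclasses import dataclass, field

# ControlMaster values that create a control socket (OpenSSH ssh_config(5)).
MULTIPLEX_ON = {"yes", "auto", "autoask", "ask"}
# Shared temp dirs where a control socket is exposed to more than the user's
# own ~/.ssh; flagging these is this example's recommendation, not CISA's.
SHARED_TMP = ("/tmp", "/var/tmp", "/dev/shm")


@dataclass
class HostBlock:
    patterns: list                     # Host patterns; ["*"] for the global section
    options: dict = field(default_factory=dict)


def parse_ssh_config(text: str) -> list:
    """Split ssh_config text into ordered Host blocks. Options before the first
    Host line form an implicit leading 'Host *' block, which reproduces the rule
    that the first obtained value for an option wins. Match blocks are parsed
    but never match (their criteria are not evaluated here)."""
    blocks = [HostBlock(["*"])]
    current = blocks[0]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)[\s=]+(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            current = HostBlock(value.split())
            blocks.append(current)
        elif key == "match":
            current = HostBlock([])        # empty pattern list: matches nothing
            blocks.append(current)
        else:
            current.options[key] = value
    return blocks


def host_matches(patterns: list, hostname: str) -> bool:
    """ssh_config Host semantics: any positive pattern may match, but a negated
    (!) pattern that matches excludes the host outright."""
    matched = False
    for p in patterns:
        if p.startswith("!"):
            if fnmatch.fnmatchcase(hostname, p[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, p):
            matched = True
    return matched


def effective_options(blocks: list, hostname: str) -> dict:
    """Walk blocks in file order; the first value seen for an option is kept."""
    eff = {}
    for b in blocks:
        if host_matches(b.patterns, hostname):
            for k, v in b.options.items():
                eff.setdefault(k, v)
    return eff


def assess_multiplexing(opts: dict) -> tuple:
    """Grade one host's effective options: (severity, [reasons])."""
    master = opts.get("controlmaster", "no").lower()
    persist = opts.get("controlpersist", "no").lower()
    path = opts.get("controlpath", "none")
    # ControlPath none disables multiplexing even if ControlMaster is set.
    if master not in MULTIPLEX_ON or path.lower() == "none":
        return ("none", ["connection multiplexing is off"])
    reasons = []
    if persist not in ("no", "0"):
        severity = "high"
        reasons.append(f"master connection stays open after the session ends (ControlPersist {persist})")
    else:
        severity = "medium"
        reasons.append("control socket is reusable while the first session is alive")
    if path.startswith(SHARED_TMP):
        reasons.append(f"ControlPath {path} is in a shared temporary directory; prefer a path under ~/.ssh/")
    return (severity, reasons)


def audit(config_text: str, hostnames: list) -> dict:
    """Return {hostname: (severity, reasons)} for each hostname of interest."""
    blocks = parse_ssh_config(config_text)
    return {h: assess_multiplexing(effective_options(blocks, h)) for h in hostnames}


# Constructed sample ~/.ssh/config; hostnames are placeholders.
SAMPLE_CONFIG = """
Host jump.example.internal
    ControlMaster auto
    ControlPath /tmp/ssh-%r@%h:%p
    ControlPersist 8h

Host build-*.example.internal !build-secure.example.internal
    ControlMaster yes
    ControlPath ~/.ssh/cm-%C

Host *
    ControlMaster no
"""

SAMPLE_HOSTS = ["jump.example.internal", "build-01.example.internal",
                "build-secure.example.internal", "db.example.internal"]

if __name__ == "__main__":
    for host, (severity, reasons) in audit(SAMPLE_CONFIG, SAMPLE_HOSTS).items():
        print(f"{severity:6} {host}: {'; '.join(reasons)}")
```

Run against real configs by reading ~/.ssh/config and the system ssh_config in that order (OpenSSH reads the user file first, so its values win) and passing the hostnames your users actually connect to. A "high" grade means a socket persists after the user logs out, which is the condition that turns one phished workstation into standing access to every host that user could reach.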
LockBit claims attack on water utility in Portugal.
The LockBit ransomware gang has claimed responsibility for an attack against a water utility in Portugal. The Record reports that Águas e Energia do Porto, which serves the country's second largest city, said that neither water supply nor wastewater services were affected, but that some customer data may have been exposed. LockBit has given the utility until March 7th to pay the ransom, at which point the gang says it will release the stolen data.
Schneider PLC vulnerabilities.
Forescout has disclosed two vulnerabilities affecting the Unity line of Schneider Electric’s Modicon programmable logic controllers (PLCs). The security firm discovered the flaws last year as part of its OT:ICEFALL research, but waited to disclose them at the request of the vendor. One vulnerability can enable remote code execution “via an undocumented memory write operation,” while the other “exemplifies a broken authentication scheme.” The two flaws can be chained to carry out remote code execution on Modicon Unity PLCs, which can enable deeper access to industrial control systems.
The researchers note that while the exploitation of these flaws is complex, organizations should keep these types of vulnerabilities in mind. The Record quotes security researcher Jos Wetzels as saying, “This is not your average script [kiddie] stuff, but it is something you should take into account as a possibility when you’re designing new system architectures.”
CISA releases ICS advisories.
The US Cybersecurity and Infrastructure Security Agency (CISA) on February 16th released fifteen industrial control system (ICS) advisories. They cover systems by Siemens, Sub-IoT, Delta Electronics, and BD Alaris. On February 23rd, CISA issued advisories for PTC, Moxa, and BD products. Three more were released on February 28th, these for Hitachi Energy and Mitsubishi Electric systems. On March 2nd, CISA released five advisories for Mitsubishi Electric, Rittal, and Medtronic products. Five more were released on March 9th, these for Akuvox, B&R Systems, ABB, STEP, and Hitachi Energy products. And on March 14th the agency issued an additional four advisories, these covering GE, Omron, AVEVA, and Autodesk products. Operators, check your systems, and, as always, apply updates per vendor instructions.