At a glance.
- ControlLogix RCE exploit.
- Court temporarily blocks water system cybersecurity mandate.
- Industrial controller vulnerabilities pose a risk to critical infrastructure.
- TSA updates security rules for oil and natural gas pipeline operators.
- White House publishes an Implementation Plan for the National Cybersecurity Strategy.
- US Federal government issues voluntary IoT security guidelines.
- Japan’s largest port disrupted by ransomware.
- Cl0p breaches Schneider Electric and Siemens Energy.
- Solar panel vulnerabilities.
- Threats and risks to electric vehicle charging stations.
- California man charged with remotely sabotaging a water treatment plant.
- RedEnergy ransomware and information stealer targets industrial sectors.
ControlLogix RCE exploit.
An unnamed APT is in possession of a remote code execution exploit affecting Rockwell Automation ControlLogix communications modules, BleepingComputer reports. Rockwell has issued patches for all affected products, and organizations are strongly advised to apply them. Rockwell analyzed the vulnerability with assistance from the US Cybersecurity and Infrastructure Security Agency (CISA), and the company believes there’s “a high likelihood that these capabilities were developed with an intent to target critical infrastructure and that victim scope could include international customers.”
Dragos said in an analysis of the vulnerability, “Knowing about an APT-owned vulnerability before exploitation is a rare opportunity for proactive defense for critical industrial sectors. The type of access provided by CVE-2023-3595 is similar to the zero-day employed by XENOTIME in the TRISIS attack. Both allow for arbitrary firmware memory manipulation, though CVE-2023-3595 targets a communication module responsible for handling network commands. However, their impact is the same. Additionally, in both cases, there exists the potential to corrupt the information used for incident response and recovery.”
Court temporarily blocks water system cybersecurity mandate.
The US Court of Appeals for the 8th Circuit has granted a temporary stay of an EPA memorandum that would require states to evaluate the cybersecurity of their water systems, the Washington Post reports. Agency spokesperson Robert Daguillard told the Post, “EPA is disappointed by the Eighth Circuit Court of Appeals order that undercuts EPA’s efforts to protect the safety of the nation’s drinking water from malicious cyberattacks.”
The one-sentence ruling offered no reasons for the temporary stay, simply stating, “The motion for stay of the Environmental Protection Agency’s March 3, 2023 memorandum pending disposition of the petition for review is granted.” Three state attorneys general petitioned for the stay, and they did so with the support of several water utility associations. The petitioners’ public statements have emphasized their skepticism over the EPA’s proposed rules, which they regarded as representing a simplistic, “one-size-fits-all” approach to water system cybersecurity. They also objected to what they characterized as a heavy financial burden the rules would impose on smaller utilities.
The EPA for its part has emphasized the troubling frequency of cyberattacks against water systems, which rely heavily on networked operational control systems for their routine operations. A recent example of a cyber threat to a water system is the one that affected the Discovery Bay Water Treatment Plant in California; that incident drew a Federal indictment (see below).
Industrial controller vulnerabilities pose a risk to critical infrastructure.
Researchers at Armis discovered nine vulnerabilities affecting Honeywell’s Experion distributed control system (DCS) products, TechCrunch reports. An attacker with network access could exploit the flaws to “remotely run unauthorized code on both the Honeywell server and controllers.”
Curtis Simpson, CISO at Armis, told TechCrunch, “Worst-case scenarios you can think of from a business perspective are complete outages and a lack of availability. But there’s worse scenarios than that, including safety issues that can impact human lives.”
Honeywell issued patches for the flaws in June. Honeywell spokesperson Caitlin E. Leopold said in a comment to TechCrunch, “We have been working with ARMIS on this issue as part of a responsible disclosure process. We have released patches to resolve the vulnerability and notified impacted customers. There are no known exploits of this vulnerability at this time. Experion C300 owners should continue to isolate and monitor their process control network and apply available patches as soon as possible.”
TSA updates security rules for oil and natural gas pipeline operators.
Yesterday the US Transportation Security Administration (TSA) released a memorandum announcing an update to its Security Directive on strengthening the cybersecurity of oil and natural gas pipelines. While earlier versions of the directive required oil and natural gas pipeline owners/operators to develop processes and cybersecurity implementation plans, the revision requires testing and evaluation of those plans. TSA Administrator David Pekoske stated, “TSA is committed to keeping the nation’s transportation systems secure in this challenging cyber threat environment. This revised security directive sustains the strong cybersecurity measures already in place for the oil and natural gas pipeline industry.” The TSA website explains that every year operators must submit an updated Cybersecurity Assessment Plan to TSA for review and approval and report the results of the previous year’s assessments. TSA requires that 100% of an owner/operator’s security measures be assessed every three years, and operators must provide an assessment schedule that meets that requirement. The update also calls for operators to test at least two Cybersecurity Incident Response Plan (CIRP) objectives each year, with the exercises including the individuals serving in the positions identified in the CIRP.
White House publishes an Implementation Plan for the National Cybersecurity Strategy.
The National Cybersecurity Strategy Implementation Plan the White House issued earlier this month has five “pillars.” All of them are of interest to operational technology and industrial control system operators, but the first pillar, “Defending Critical Infrastructure,” has particular relevance. That pillar has five “strategic objectives” that are in turn supported by specific initiatives.
“Establish Cybersecurity Requirements to Support National Security and Public Safety,” the first strategic objective, is self-explanatory, and the initiatives under it suggest that the Government believes current regulatory regimes are inadequate to the task.
The second strategic objective, “Scale Public-Private Collaboration,” tasks the Sector Risk Management Agencies responsible for each of the sixteen critical infrastructure sectors with developing secure-by-design and secure-by-default principles that would advance their sectors’ security.
“Integrate Federal Cybersecurity Centers” is the third objective. The single initiative here mandates a review to identify capability gaps.
“Update Federal Incident Response Plans and Processes,” the next strategic objective, aims at developing such plans and processes into a comprehensive, whole-of-nation approach to cyber incidents. It seeks to make response quicker, more immediately responsive to warnings, and to develop training (tabletop exercises are particularly called out) that will enable the responders to work effectively.
The fifth strategic objective, “Modernize Federal Defenses,” concentrates mostly on IT systems, with special attention paid to Federal Civilian Executive Branch Agencies’ systems.
The guidance is not, the White House points out, exhaustive. Agencies are expected to take actions appropriate to their mission and circumstances. Operators of critical infrastructure might begin by getting close to their Sector Risk Management Agency, their SRMA. The ones most likely to be of interest for ICS security are:
- For the Chemical Sector, the Critical Manufacturing Sector, the Dams Sector, and the Nuclear Reactors, Materials, and Waste Sector, the SRMA would be the Department of Homeland Security.
- The Department of Homeland Security and the Department of Transportation share responsibility for the Transportation Systems Sector.
- The Department of Defense is the SRMA for the Defense Industrial Base Sector.
- The Energy Sector (less the nuclear reactors assigned to the Department of Homeland Security) falls to the Department of Energy.
- And the Department of Agriculture and the Department of Health and Human Services share responsibility for the Food and Agriculture Sector.
Since public-private partnership is called out repeatedly in the implementation plan, companies would do well to take the document at its word, and not hesitate to reach out to the appropriate Federal offices.
US Federal government issues voluntary IoT security guidelines.
The White House has announced a cybersecurity labeling program for smart devices: “Under the proposed new program, consumers would see a newly created ‘U.S. Cyber Trust Mark’ in the form of a distinct shield logo applied to products meeting established cybersecurity criteria. The goal of the program is to provide tools for consumers to make informed decisions about the relative security of products they choose to bring into their homes.” Manufacturers and retailers that have committed to the voluntary program include Amazon, Best Buy, Google, LG Electronics U.S.A., Logitech, and Samsung Electronics.
According to CyberScoop, the program will be overseen by the Federal Communications Commission (FCC). The Washington Post last month interviewed FCC Chair Jessica Rosenworcel, whose organization will provide the oversight the plan anticipates.
The choice of the FCC as the responsible agency emphasizes that connected devices, and realistically that means at some point wireless connectivity, will be the devices that will qualify for, or fail to qualify for, the badge. Rosenworcel told the Post, “We live in an era of always-on connectivity. Connections aren’t just convenient; they power every aspect of modern life. And if this energy is new, I would say our authority is old. We’re just giving it modern meaning. And I think in a modern way that requires us thinking about how to make [communications] networks cybersecure.”
She also offered some thoughts on network security. “On network security, we have issued a list of equipment that we believe is insecure that we won’t support in our networks,” she said, and here she’s clearly alluding to the rip-and-replace program that addresses concerns about the security of Chinese manufactured hardware. “We also have an ongoing program to rip out and replace insecure network equipment to the extent it's out there.”
She also wants to see her Commission continue to work “to understand” the vulnerabilities in the Border Gateway Protocol.
The whole effort, Rosenworcel believes, is inherently an interagency one, whichever organization takes the lead. “I don’t think this task is one where the agency succeeds on its own,” she told the Post. She hopes to increase coordination with other agencies from across the government. Different agencies have different missions, different histories, and different equities, which should enable them to make distinctive contributions to the common task of securing connected devices.
What sorts of devices might be up for a Cyber Trust Mark? Rosenworcel mentioned connected refrigerators, microwaves, televisions, climate control systems, fitness trackers, and baby monitors. The Post points out several gaps: speakers, doorbells, security cameras, and cars; but then, the list Rosenworcel reeled off was an informal one.
The Cyber Trust Mark is intended to be a carrot, and not the sort of stick one often associates with regulatory action. Rosenworcel thinks the labels might begin to appear by the end of next year, that is, by the end of 2024. “These things don’t move fast,” Rosenworcel said, and cautioned that her prediction wasn’t a commitment to a timeline.
Japan’s largest port disrupted by ransomware.
The Port of Nagoya, Japan's busiest port, sustained a ransomware attack against the Nagoya Port Unified Terminal System on July 4th, BleepingComputer reports. Nikkei Asia says the issue came to light when a port employee noticed anomalies in his system. Investigation revealed the cause to be a ransomware infection. The Japan Times says the LockBit gang was responsible for the attack.
Bloomberg reports that the port began gradually resuming operations on July 6th.
Cl0p breaches Schneider Electric and Siemens Energy.
The Cl0p ransomware gang has used the MOVEit Transfer vulnerability (CVE-2023-34362) to compromise Schneider Electric and Siemens Energy, SecurityAffairs reports. Siemens said in a statement to BleepingComputer, "Regarding the global data security incident, Siemens Energy is among the targets. Based on the current analysis no critical data has been compromised and our operations have not been affected. We took immediate action when we learned about the incident."
Schneider Electric says it has contained the incident, telling BleepingComputer, "On May 30th, 2023, Schneider Electric became aware of vulnerabilities impacting Progress MOVEit Transfer software. We promptly deployed available mitigations to secure data and infrastructure and have continued to monitor the situation closely.” After applying the mitigations the company learned of claims that it had been the victim of an attack that exploited MOVEit vulnerabilities. It’s investigating those claims as well.
An investigation and analysis by the Dragos Threat Intelligence team has yielded some important insights into Cl0p's activities. Notably, Dragos was able to recover targeted process names associated with specific hash values embedded in a CL0P sample. While most of these are IT-related processes, CL0P ransomware does contain targeting of OT-related processes found on Windows operating systems. However, it does not use or target OT-specific protocols.
The primary threat from CL0P's activities is directed toward IT networks and IT assets within OT environments. The impact on OT networks can become significant if the adversary manages to encrypt servers, historians, engineering workstations, and other essential computing devices.
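Dragos recovered the targeted process names from hash values embedded in the sample. The approach behind that kind of recovery is a dictionary attack on the hash list: hash every plausible process name with the algorithm the malware uses and see which embedded values are reproduced. The block below is an added illustration, not Dragos's tooling or code from the CL0P sample; the hash function (CRC32 over the lowercased name), the candidate process names, and the "embedded" hash values are all constructed assumptions so that it runs offline.

```python
import zlib


# ASSUMPTION: a hypothetical hash for illustration, CRC32 over the lowercased
# name. The algorithm and constants used in the real CL0P sample are not given
# on this page; an analyst would lift them from the binary's hashing routine.
def name_hash(name: str) -> int:
    return zlib.crc32(name.lower().encode("utf-8")) & 0xFFFFFFFF


# Constructed candidate wordlist, tagged IT or OT. The names are illustrative
# and are not taken from any real sample or vendor product.
CANDIDATES = {
    "sqlservr.exe": "IT",
    "oracle.exe": "IT",
    "outlook.exe": "IT",
    "excel.exe": "IT",
    "historianserver.exe": "OT",
    "hmiruntime.exe": "OT",
    "projecteditor.exe": "OT",
}

# Constructed "embedded" values. In real analysis these come out of the binary;
# here they are produced by hashing three known names (in mixed case, to show
# the normalization step) plus one value, 0xDEADBEEF, that no candidate will
# reproduce, so the unresolved path is exercised too.
EMBEDDED_HASHES = frozenset(
    [
        name_hash("SQLSERVR.EXE"),
        name_hash("HistorianServer.exe"),
        name_hash("hmiruntime.exe"),
        0xDEADBEEF,
    ]
)


def recover_process_names(embedded, candidates, hash_fn=name_hash):
    """Map each embedded hash back to a candidate process name.

    Returns (matched, unmatched): matched is {hash: name}; unmatched is the
    set of hashes no candidate reproduced, which means either the wordlist
    is missing a name or the assumed hash function is wrong.
    """
    lookup = {hash_fn(name): name for name in candidates}
    matched = {h: lookup[h] for h in embedded if h in lookup}
    unmatched = set(embedded) - set(matched)
    return matched, unmatched


def split_it_ot(matched, candidates):
    """Group the recovered names by their IT/OT tag so OT targeting stands out."""
    groups = {"IT": [], "OT": []}
    for name in matched.values():
        groups[candidates[name]].append(name)
    for names in groups.values():
        names.sort()
    return groups


if __name__ == "__main__":
    matched, unmatched = recover_process_names(EMBEDDED_HASHES, CANDIDATES)
    print("recovered:", split_it_ot(matched, CANDIDATES))
    print("unresolved hashes:", [hex(h) for h in sorted(unmatched)])
```

The useful output for defenders is the OT group: any hash that resolves to a historian, HMI or engineering-workstation process name is evidence that the ransomware will terminate those processes before encryption, which is the IT-asset-in-OT impact described above. Unresolved hashes are worth keeping, since a later, larger wordlist (or a corrected hash routine) may resolve them.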
Solar panel vulnerabilities.
SecurityWeek reports that hundreds of instances of the solar power monitoring product Contec SolarView are still affected by an actively exploited vulnerability described by Palo Alto Networks in June. An exploit for the vulnerability (CVE-2022-29303) has been public since May 2022.
Researchers at VulnCheck found six hundred SolarView instances exposed to the internet, four hundred of which are vulnerable. VulnCheck states, “When considered in isolation, exploitation of this system is not significant. The SolarView series are all monitoring systems, so loss of view (T0829) is likely the worst-case scenario. However, the impact of exploitation could be high, depending on the network the SolarView hardware is integrated into. For instance, if the hardware is part of a solar power generation site, then the attacker may affect loss of productivity and revenue (T0828) by using the hardware as a network pivot to attack other ICS resources.”
Thus the issue isn’t the individual monitoring system, but rather the potential for an exposed SolarView instance to serve as a pivot into the other ICS resources at a generation site, and through them to affect the grid.
Threats and risks to electric vehicle charging stations.
WIRED describes the potential impacts of vulnerabilities affecting electric vehicle charging stations. Ken Munro, a cofounder of Pen Test Partners, told WIRED that his top concern was with vulnerabilities that could allow attackers to stop or start chargers en masse, which could destabilize electricity networks. Munro said, “We’ve inadvertently created a weapon that nation-states can use against our power grid.”
Munro says legislation in the United Kingdom could serve as a model for lawmakers in the US. The UK requires EV charging stations to have a randomized delay functionality of up to ten minutes, which would mitigate the impact of thousands of charging stations turning on at the same time. Munro stated, “You don’t get that spike, which is great. It removes the threat from the power grid.”
And so, again, it’s not so much the station as it is the grid, and the effect that deliberately induced power fluctuations can have on that larger electrical grid.
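Why the UK's randomized delay works is a matter of arithmetic: a command that switches on every charger at once produces a load step equal to the whole fleet, while a uniform random delay of up to ten minutes spreads the same switch-ons across the delay window, so the step the grid has to absorb in any short interval is a small fraction of the fleet. The simulation below is an added illustration and is not Pen Test Partners' work or anything from the UK regulation; the per-charger draw (7 kW), fleet size, 10-second measurement window and uniform delay distribution are assumptions, and the real grid response is more complex than a count of simultaneous starts.

```python
import random
from collections import Counter

CHARGER_KW = 7.0  # ASSUMPTION: per-charger draw, typical of a home AC charger


def start_times(n_chargers, max_delay_s, seed=1):
    """Every charger is commanded to start at t=0 (the attacker's mass
    "start" command). Each then waits a uniform random delay in
    [0, max_delay_s] seconds. max_delay_s=0 models no randomization:
    the whole fleet switches on in the same instant."""
    rng = random.Random(seed)
    if max_delay_s <= 0:
        return [0.0] * n_chargers
    return [rng.uniform(0.0, max_delay_s) for _ in range(n_chargers)]


def peak_step_kw(times, window_s=10, charger_kw=CHARGER_KW):
    """Largest number of chargers switching on inside any window_s-second
    bucket, converted to kW: the load step the grid must absorb at once."""
    buckets = Counter(int(t // window_s) for t in times)
    return max(buckets.values()) * charger_kw


def compare(n_chargers=10_000, max_delay_s=600, window_s=10, seed=1):
    """Worst-case step with no delay versus the step with the randomized
    delay (600 s = the ten-minute maximum mentioned for the UK rule).
    Total energy delivered is unchanged; only the step size shrinks."""
    unmitigated = peak_step_kw(start_times(n_chargers, 0, seed), window_s)
    mitigated = peak_step_kw(start_times(n_chargers, max_delay_s, seed), window_s)
    return {
        "unmitigated_kw": unmitigated,
        "mitigated_kw": mitigated,
        "reduction_factor": unmitigated / mitigated,
    }


if __name__ == "__main__":
    result = compare()
    print(f"no delay:        {result['unmitigated_kw']:,.0f} kW in one step")
    print(f"10-min jitter:   {result['mitigated_kw']:,.0f} kW in the worst 10 s")
    print(f"step reduced by: {result['reduction_factor']:.0f}x")
```

With 10,000 chargers the unmitigated case is a single 70 MW step; with the delay, the worst 10-second bucket holds on the order of 1/60th of the fleet, so the step is well under 2 MW. The delay does not reduce how much energy the fleet draws, only how fast the demand arrives, which is exactly the quantity that matters for frequency stability and why Munro describes it as removing the threat to the grid.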
California man charged with remotely sabotaging a water treatment plant.
A federal grand jury has indicted a man from Tracy, California for intentionally causing damage to a protected computer after he was accused of remotely deleting critical software from a water treatment facility. The man, Rambler Gallo, was employed as an “Instrumentation and Control Tech” for a private company responsible for operating the Discovery Bay Water Treatment Plant, located in Discovery Bay, California. The indictment was filed on June 27th and unsealed on July 7th. HackRead reports that Gallo apparently resigned from the company responsible for servicing the plant and subsequently uninstalled the critical software on the water plant’s computers. (We note that Mr. Gallo is of course entitled to the presumption of innocence with respect to the allegations.)
If convicted, Gallo could face up to ten years in prison and a $250,000 fine. The motives for such an attack (if indeed it was an attack and not human error) are unknown at the time of writing and, according to the press statement, the FBI is investigating the case.
RedEnergy ransomware and information stealer targets industrial sectors.
Zscaler says the RedEnergy malware operators are targeting entities in the energy, oil, gas, telecom, and machinery sectors. RedEnergy is what Zscaler calls a “Stealer-as-a-Ransomware”—malware designed to exfiltrate data before encrypting it.
The researchers state, “Zscaler recently made a significant discovery involving a new and sophisticated threat campaign named RedEnergy stealer targeting the Philippines Industrial Machinery Manufacturing Company, as well as other industries with notable LinkedIn pages. These pages typically contain essential company information and website links, making them attractive targets for cybercriminals.”
Zscaler explains that when someone visits an affected website, they’re redirected without their knowledge to a malicious site. Upon arrival, they’re invited to install what seems to be a legitimate browser update. Should they follow that prompt, they will download not the innocent browser update, but the RedStealer executable.
It’s a ransomware campaign that’s relatively conventional in its effect, but it’s noteworthy in that it’s being deployed largely against industrial targets.