Control Loop: The OT Cybersecurity Podcast 10.5.22
Ep 10 | 10.5.22

Disrupt, disable, deny, deceive, and/or destroy.


It’s Wednesday, October 5th, 2022, and you’re listening to Control Loop.

In today’s OT cybersecurity briefing:

Russia’s Nord Stream pipelines were sabotaged in a kinetic attack. NSA and CISA have issued guidance on ICS threats. Ukraine anticipates Russian cyberattacks against the energy sector. Dragos receives CVE numbering authority. And CISA releases more ICS Advisories.

And, later in the show, hear an update from guest Dawn Cappelli of Dragos on the Dragos OT-CERT, now that it's live and providing free resources to small and medium-sized organizations with OT environments.

In Part 2 of the Learning Lab segment on electricity, Mark Urban is joined by Dragos' Senior Director of Strategy Phil Tonkin. Now that we know how much electricity is generated, Phil sheds some light on where it all goes.

Nord Stream pipelines sabotaged in a kinetic attack.

Our first story isn’t a cyberattack. It’s a traditional, if advanced, act of kinetic sabotage, but it brings the threat to critical infrastructure into sharp relief. 

The Nord Stream pipelines appear to have been sabotaged. Swedish monitoring stations early Monday morning detected two explosions in the Baltic Sea near the pipelines, Bloomberg reports. Natural gas has been breaking to the surface in the vicinity of the breaks in the pipeline. Again, this isn't a cyberattack, but rather a more traditional act of kinetic sabotage. The incident does, however, indicate the substantial grey-zone threat to critical infrastructure.

The Washington Post writes that the explosions, which occurred in international waters near the Danish island of Bornholm, broke two Nord Stream 1 lines and one Nord Stream 2 line. The Swedish National Seismic Network and Germany's Research Center for Geosciences both say that their observations indicate an artificial, human-induced explosion, not a natural seismic event. “These are deliberate actions, not an accident,” Danish Prime Minister Mette Frederiksen said yesterday. “The situation is as serious as it gets.” Investigation is in progress.

Kremlin spokesman Dmitry Peskov denied any Russian involvement, and said that Moscow was "extremely concerned" about the incident. 

The Nord Stream pipelines deliver natural gas from Russia to Germany, and from there to other European users. Nord Stream 1 hasn't functioned since August, after Russia shut it down in response to imposition of sanctions by the European Union, and Nord Stream 2 hasn't yet received authority to operate, so severing them has no immediate effect on European natural gas supplies. The proximate concerns are environmental, and large-scale leaks of residual methane in the lines are worrisome.

NSA and CISA issue guidance on ICS threats.

The US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued a joint cybersecurity advisory outlining threats to operational technology (OT) and industrial control systems (ICS):

"Cyber actors, from cyber criminals to state-sponsored APT actors, target critical infrastructure to achieve a variety of objectives. Cyber criminals are financially motivated and target OT/ICS assets for financial gain (e.g., data extortion or ransomware operations). State-sponsored APT actors target critical infrastructure for political and/or military objectives, such as destabilizing political or economic landscapes or causing psychological or social impacts on a population. The cyber actor selects the target and intended effect—to disrupt, disable, deny, deceive, and/or destroy—based on these objectives. For example, disabling power grids in strategic locations could destabilize economic landscapes or support broader military campaigns. Disrupting water treatment facilities or threatening to destroy a dam could have psychological or social impacts on a population."

The agencies explain that most threat actors targeting ICS, regardless of their motive, typically attempt to achieve the following goals:

  • "Degrade the operator's ability to monitor the targeted system or degrade the operator’s confidence in the control system’s ability to operate, control, and monitor the targeted system. Functionally, an actor could prevent the operator's display (human machine interface, or HMI) from being updated and selectively update or change visualizations on the HMI, as witnessed during the attack on the Ukraine power grid. (Manipulation of View [T0832])

  • "Operate the targeted control system. Functionally, this includes the ability to modify analog and digital values internal to the system (changing alarms and adding or modifying user accounts), or to change output control points — this includes abilities such as altering tap changer output signals, turbine speed demand, and opening and closing breakers. (Manipulation of Control [T0831])

  • "Impair the system's ability to report data. Functionally, this is accomplished by degrading or disrupting communications with external communications circuits (e.g., ICCP, HDLC, PLC, VSAT, SCADA radio, other radio frequency mediums), remote terminal units (RTUs) or programmable logic controllers (PLCs), connected business or corporate networks, HMI subnetworks, other remote I/O, and any connected Historian/bulk data storage. (Block Reporting Message [T0804], Denial of View [T0815])

  • "Deny the operator's ability to control the targeted system. Functionally, this includes the ability to stop, abort, or corrupt the system’s operating system (OS) or the supervisory control and data acquisition (SCADA) system’s software functionality. (Denial of Control [T0813])

  • "Enable remote or local reconnaissance on the control system. Functionally, an actor could obtain system configuration information to enable development of a modified system configuration or a custom tool. (Collection [TA0100], Theft of Operational Information [T0882])."

NSA and CISA explain the potential consequences of these attacks:

"Using these techniques, cyber actors could cause various physical consequences. They could open or close breakers, throttle valves, overfill tanks, set turbines to over-speed, or place plants in unsafe operating conditions. Additionally, cyber actors could manipulate the control environment, obscuring operator awareness and obstructing recovery, by locking interfaces and setting monitors to show normal conditions. Actors can even suspend alarm functionality, allowing the system to operate under unsafe conditions without alerting the operator. Even when physical safety systems should prevent catastrophic physical consequences, more limited effects are possible and could be sufficient to meet the actor’s intent. In some scenarios though, if an actor simultaneously manipulates multiple parts of the system, the physical safety systems may not be enough. Impacts to the system could be temporary or permanent, potentially even including physical destruction of equipment."

The agencies offer extensive advice on defending against these attacks in their report.
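Two of the effects the advisory lists, a silenced reporting channel (Block Reporting Message [T0804] / Denial of View [T0815]) and a frozen or replayed HMI picture (Manipulation of View [T0832]), leave a signature in historian data that a defender can check for. The script below is an added example written for this briefing, not code from the advisory or from NSA/CISA: it runs two heuristics over a constructed historian extract (tag names FLOW_01, LEVEL_02, BRKR_03, the 2-second scan rate, and all values are made up for the example) and reports tags that went silent for longer than a few scan intervals and analog tags whose recent samples are bit-for-bit identical.

```python
"""Heuristic checks for two ICS effects named in the NSA/CISA advisory:
reporting gaps (T0804/T0815) and frozen or replayed values (T0832).
Added example; the telemetry below is constructed, not real plant data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Point:
    ts: float     # seconds since epoch (constructed for the example)
    tag: str
    value: float


def group_by_tag(points):
    """Sort points by time and bucket them per tag."""
    by_tag = defaultdict(list)
    for p in sorted(points, key=lambda p: p.ts):
        by_tag[p.tag].append(p)
    return by_tag


def find_reporting_gaps(points, expected_interval, tolerance=3.0):
    """Return {tag: [(gap_start, gap_end), ...]} for silences longer than
    tolerance * expected_interval. A silent RTU/PLC channel is what T0804
    and T0815 look like from the control room; a plain link failure looks
    the same, so a hit is a lead to investigate, not proof of an attack."""
    limit = tolerance * expected_interval
    gaps = defaultdict(list)
    for tag, pts in group_by_tag(points).items():
        for a, b in zip(pts, pts[1:]):
            if b.ts - a.ts > limit:
                gaps[tag].append((a.ts, b.ts))
    return dict(gaps)


def find_frozen_tags(points, analog_tags, window):
    """Return analog tags whose last `window` samples are all identical.
    Real measurements carry noise; a flat line while the plant is running
    is the classic signature of a replayed or frozen view (T0832).
    Discrete tags (breaker states, mode bits) are legitimately constant
    and are skipped, so the caller names the analog tags explicitly."""
    frozen = []
    for tag, pts in group_by_tag(points).items():
        if tag not in analog_tags or len(pts) < window:
            continue
        tail = [p.value for p in pts[-window:]]
        if max(tail) == min(tail):
            frozen.append(tag)
    return sorted(frozen)


def build_sample():
    """Constructed historian extract: three tags at a 2 s scan rate."""
    pts = []
    # FLOW_01: noisy for 20 samples, then exactly constant for 10 (replay).
    noisy = [103.2, 104.1, 102.8, 103.9, 104.4,
             103.1, 102.6, 103.7, 104.0, 103.3] * 2
    for i, v in enumerate(noisy):
        pts.append(Point(1000 + 2 * i, "FLOW_01", v))
    for i in range(10):
        pts.append(Point(1040 + 2 * i, "FLOW_01", 103.5))
    # LEVEL_02: varies normally, but reports nothing between t=1010 and t=1070.
    for i in range(40):
        t = 1000 + 2 * i
        if 1010 < t < 1070:
            continue
        pts.append(Point(t, "LEVEL_02", 55.0 + (i % 4) * 0.3))
    # BRKR_03: breaker status, legitimately constant the whole time.
    for i in range(40):
        pts.append(Point(1000 + 2 * i, "BRKR_03", 1.0))
    return pts


def run_checks(points=None):
    """Run both heuristics; returns (gaps, frozen_tags)."""
    points = build_sample() if points is None else points
    gaps = find_reporting_gaps(points, expected_interval=2.0)
    frozen = find_frozen_tags(points, analog_tags={"FLOW_01", "LEVEL_02"},
                              window=8)
    return gaps, frozen


if __name__ == "__main__":
    gaps, frozen = run_checks()
    for tag, spans in gaps.items():
        for a, b in spans:
            print(f"reporting gap on {tag}: {b - a:.0f} s silence from t={a:.0f}")
    for tag in frozen:
        print(f"frozen analog value on {tag}: possible replayed view")
```

On the constructed sample this reports a 60-second gap on LEVEL_02 and a frozen value on FLOW_01, while BRKR_03 stays quiet. Both checks need per-tag tuning before use on a real historian: low-resolution or slow-moving sensors can legitimately repeat a value for many scans, and network maintenance produces gaps, so the output should be correlated with alarm-suppression events and HMI audit logs rather than paged on directly.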

Ukraine anticipates Russian cyberattacks against energy sector.

Ukraine’s defense intelligence agency said last Monday that it’s anticipating “massive cyberattacks” from Russia targeting the energy sector of Ukraine and its allies:

“The Kremlin is planning to carry out massive cyberattacks on the critical infrastructure facilities of Ukrainian enterprises and critical infrastructure institutions of Ukraine’s allies. First of all, attacks will be aimed at enterprises of the energy sector. The experience of cyberattacks on Ukraine's energy systems in 2015 and 2016 will be used when conducting operations.

“By the cyberattacks, the enemy will try to increase the effect of missile strikes on electricity supply facilities, primarily in the eastern and southern regions of Ukraine. The occupying command is convinced that this will slow down the offensive operations of the Ukrainian Defence Forces.

“The Kremlin also intends to increase the intensity of DDoS attacks on the critical infrastructure of Ukraine's closest allies, primarily Poland and the Baltic states.”

Dragos receives CVE numbering authority.

Dragos has been designated a CVE numbering authority by the CVE Program. Dragos explains the implications of the designation: "As a CNA, Dragos is authorized to assign CVE IDs to newly discovered vulnerabilities and publicly disclose information about these vulnerabilities through CVE Records. This includes assigning CVE IDs to vulnerabilities found in the company’s own products as well as any third-party products not covered by another CNA that Dragos finds through its ongoing research to help organizations protect their ICS/OT systems." The CVE Program is sponsored by the US Cybersecurity and Infrastructure Security Agency and administered by the MITRE Corporation.

CISA's ICS Advisories.

Since our last podcast episode CISA has released over a dozen ICS advisories, addressing issues with products from Medtronic, Hitachi, Mitsubishi, Delta Electronics, and others. Be sure to check out the complete list on CISA’s website.