Control Loop: The OT Cybersecurity Podcast 12.13.23
Ep 40 | 12.13.23

Utility attacks and electrical sector supply chain vulnerabilities.


Dave Bittner: It's December 13, 2023, and you're listening to Control Loop. In today's OT Cybersecurity briefing, Iranian hacktivists hit a Pennsylvania water utility. Attacks against water systems are an instance of a larger threat. Supply chain vulnerabilities in the electrical sector. We welcome guest Nick Sanna of the FAIR Institute and Safe Security today. Nick talks about the challenges the White House faces in attempting to harmonize critical infrastructure regulations. The Learning Lab has part two of a discussion on building automation systems that Dragos's Mark Urban had with colleagues Daniel Gaeta and Zach Spencer. [ Music ] The Municipal Water Authority of Aliquippa, Pennsylvania, said on November 25 that the Iranian hacktivist group, the CyberAv3ngers, had taken control of one of the local water utility's booster stations. The group cited the target's use of Israeli-made Unitronics PLCs as justification for the attacks. The attack affected a station that monitors and regulates pressure for Raccoon and Potter townships. KDKA CBS News Pittsburgh reported that the attack immediately tripped an alarm and that neither the safety nor the availability of the townships' water was affected. The attackers displayed a message on the station's monitors expressing their political purpose, stating, "You have been hacked down with Israel, every equipment made in Israel is CyberAv3nger's legal target." The utility used a programmable logic controller provided by Unitronics, an Israeli company. The Beaver Countian reports that operators responded to the alarm by reverting to manual control. The US Cybersecurity and Infrastructure Security Agency confirmed that the systems exploited in the attack were Unitronics programmable logic controllers.
"In general," CISA explains, "PLCs are used in the water and wastewater sector to control and monitor various stages and processes of water and wastewater treatment, including turning on and off pumps at a pump station, to fill tanks and reservoirs, flow pacing chemicals to meet regulations, gather compliance data for monthly regulation reports, and announcing critical alarms to operations." The CyberAv3ngers -- a hacktivist group connected to Iran's Islamic Revolutionary Guard Corps -- have claimed attacks on utilities before, but those utilities have been in Israel. In October, they claimed to have attacked closed-circuit television systems at the national water company Mekorot. That attack they appear to have actually carried out. That same month, they also claimed, falsely, to have compromised the Dorad power station, also in Israel. The Pennsylvania attack indicates an expansion of the group's activities. The CyberAv3ngers have been known for exaggerating their cyberattack capabilities. However, their recent attack in late November 2023 did mark a shift, as they successfully compromised Unitronics PLC devices, affecting entities in the US, Europe, and Australia. This attack targeted devices made in Israel regardless of their location or use. Mark Plemons, senior director of Threat Intelligence at Dragos, notes that, "prior to this attack, the CyberAv3ngers had announced intentions to target Israeli technology companies. They likely scanned for publicly accessible Unitronics devices and accessed them using default passwords available online. Fortunately, the group lacks specific operational technology capabilities, so the attack was limited to altering the PLC devices' HTML menu pages with anti-Israel commentary. The incident underscores the importance of fundamental security measures in OT systems, including adhering to the SANS five critical controls for OT cybersecurity."
2023 has seen an increase in hacktivist activities, particularly driven by the Ukraine-Russia and Israel-Hamas conflicts. These groups, including pro-Russia and pro-Hamas hacktivists, have targeted critical infrastructure and spread misinformation. Despite their claims, most of these attacks have had minimal impact, often disrupting only organizational websites. However, they have achieved typical hacktivist goals: gaining notoriety, spreading misinformation, and attracting media attention to their causes. The CyberAv3ngers' attack, while limited in impact, represents a successful OT attack and highlights the potential risks of insufficiently secured OT systems. Iran isn't the only government displaying an interest in infrastructure. In what appears to be a staging and battlespace-preparation effort, "China's People's Liberation Army cyber operators have intruded into infrastructure in several countries, with special attention to the United States," the Washington Post reports. The incursions, US officials say, are part of a broader effort to develop ways to sow panic and chaos or snarl logistics in the event of a US-China conflict in the Pacific. The staging forms part of the ongoing Volt Typhoon campaign. The latest US disclosures build on February's annual assessment by the Office of the Director of National Intelligence. The Post quotes CISA executive director Brandon Wales as saying, "It is very clear that Chinese attempts to compromise critical infrastructure are in part to pre-position themselves to be able to disrupt or destroy that critical infrastructure in the event of a conflict, to either prevent the United States from being able to project power into Asia, or to cause societal chaos inside the United States to affect our decision-making around a crisis." That is a significant change from Chinese cyber activity of seven to 10 years ago, which was focused primarily on political and economic espionage.
Russia's war in Ukraine, like the war between Hamas and Israel, has been a hybrid war, with significant action in cyberspace. CSO has an essay describing this spillover and how security teams should prepare for it. The essay argues that public and private sector organizations are both likely to become targets of cyberattacks mounted as contributions to such wars, and that security teams should recognize this risk, understand that the risk is unlikely to be catastrophic, and apply sound risk management practices to deal with it. The essay states, "Cybersecurity teams must persistently simulate and collaborate with information sharing geared toward an adaptive defense posture that consistently tailors and re-tailors internal practices toward shifting geopolitical conditions." Much of the spillover CSO mentions sloshes into industrial control systems. The Aliquippa Municipal Water System incident should be understood not so much as an attack against a water utility as an attack against a target of opportunity. The CyberAv3ngers hit vulnerable PLCs. Those are used in many industrial applications; they're not exclusively or even primarily found in water and wastewater treatment and distribution facilities. So Unitronics PLCs are widely used in a range of sectors that extend far beyond water treatment and distribution systems. The company lists categories of applications for their PLCs as including packaging, manufacturing, medical, food and beverage, material processing, oil and gas, and many others. We might add breweries to the list. Another attack has surfaced, also in Pennsylvania, in which a Unitronics PLC was hacked to display the same message that appeared on the water system's controller. SentinelOne observes, "The Full Pint Beer brewery in Pittsburgh shared images on social media on the 28th of November showing a similar defacement of a Unitronics PLC in use as part of their control system."
If taken at face value, as the message probably should be, the target is Israel. Why that targeting should have manifested itself so specifically in western Pennsylvania is unclear. CyberScoop says that there are signs of other attacks on US water systems, but that so far those remain in the single digits. One of the lessons of the war in Gaza is the large role states not directly involved in a conflict can play in cyber operations. Iran's recent exploitation of vulnerable PLCs in US utilities and other facilities affords an example of this. And one of the lessons of Russia's hybrid war is not only the active participation of security and intelligence services in cyberattacks, but also the use of hacktivist auxiliaries and criminal groups acting effectively as privateers. The lesson from both wars is the importance of public-private cooperation for better security. A recent example of this sort of cooperation is afforded by Dragos's announcement of the expansion of its Community Defense program, initially piloted last year in response to Russian action in Ukraine. That program provides training, technical support, and information sharing to small and under-resourced utilities, especially those that deliver local water and electrical power services. There are also possibilities of latent threats in the software supply chain used by industrial control systems. A report from Fortress has found that 90% of software used to manage the US power grid contains code contributions from Russian or Chinese developers. Additionally, the researchers found that software with contributions from Russian or Chinese developers is two and a quarter times more likely to have vulnerabilities and three times more likely to have critical vulnerabilities. Fortress notes that there is no evidence that these code contributions were part of a state-sanctioned effort.
They say Fortress experts see a clear correlation between the increased vulnerabilities in some contributions and the country of origin, but cannot yet establish the country of origin as the cause of the higher number. This isn't direct evidence of supply-chain corruption, but it suggests a risk that prudent operators might well seek to manage. [ Music ] Our guest is Nick Sanna from the FAIR Institute and Safe Security. Nick talks about the challenges the White House faces in attempting to harmonize critical infrastructure regulations.

Nick Sanna: Yeah, the first thing I would start with is that they had this request for information to see, is this a problem. And from our perspective, especially from the FAIR Institute's perspective, it's absolutely a problem. I don't understand why we need to rehash it again. There have been many studies conducted by many institutions that basically have documented that regulatory overlap is causing many CISOs to spend half their time just reporting on regulatory requirements versus actually managing security. So depending on the organization, again, it varies between 60 and 70% in the organization. And so that has been widely documented by organizations like, you know, MIT, an article in the Law Review, the Bipartisan Policy Center, you know, GAO (Government Accountability Office) and, you know, the FBI and the IRS. I mean, the number of organizations that have been saying that regulatory, I'm going to say, harmonization is a must has been well documented. So we were a bit surprised to see yet another request for information to explain the problem. I think we need to move forward and start answering some questions: who's going to enforce, you know, that harmonization? And so that's what I think the main subject should be.

Dave Bittner: Can you give us an example of where we're seeing this overlap and the kind of trouble that it introduces?

Nick Sanna: Yeah, both in government, I'm going to say, and private entities. You know, a CISO may be subject to multiple regulations, so they can be redundant. I know that if I think about the commercial sector as an example, you know, banks have multiple regulators. They need to report to the Federal Reserve and the OCC -- so that's Treasury. And then FDIC. And then there's New York, you know, that is requiring some risk assessments to be done. And then the state of California, many state requirements. And so you find organizations that have like dozens of regulations, oftentimes redundant, slightly different. They keep the teams very busy trying to document the status of fear versus improving it. Similarly in government, as they have many different regulatory agencies asking for different pieces of information, oftentimes duplicate and redundant and no one way. In a setting where, you know, even at the Office of the National Cyber Director, they're saying that, you know, organizations should be regulated once and respond once and be able to report to many. So that's a nice objective, but it's still not a reality for many organizations on the ground.

Dave Bittner: When it comes to critical infrastructure, obviously you're concerned about safety. Are there any incidents here where beyond just the amount of time that it takes a CISO to deal with all these sorts of things, are there any contradictory regulations or issues along those lines?

Nick Sanna: I think the main contradiction I would say is that it is not clear in the industry what we're after. Are we trying to have an agreement or have a minimum level of compliance on best practices in cybersecurity? Or are we taking a risk-based approach? One is the checklist approach of what you should have implemented in critical infrastructure. There are a minimum set of things you need to do. But the question that asks which of the requirements should be prioritized; how much should be invested in meeting those requirements? That's where the risk-based approach comes in. And today as an industry, we focus a lot on the checklist approach -- which keeps us busy, going down the list, giving equal treatment or similar treatment to many security requirements, without understanding what really matters most, what is most effective among my best practices, where we should pile on and have more of a defense in depth strategy. You know, no single control is equivalent to another one. Any changes from company or organization in different contexts. And so I think that's the biggest disconnect. Many regulations say we should take a risk-based approach, but then when the inspector general in the case of government agencies shows up, they're asking you for a checklist on things like NIST 800-53 or NIST CSF, etcetera.

Dave Bittner: In terms of harmonizing all these regulations, what sort of challenges is the White House up against here?

Nick Sanna: Well, the first thing is that, apparently, every time there's a new regulation, there is no real check on is this regulation overlapping or potentially contradictory. And so, you know, in the cybersecurity strategy the White House just published a couple months ago, they say that, you know, they want to ask agencies to check whether there is an existing regulation before issuing another one on the same topic or a similar topic. But we need to make sure that there's an enforcement there, you know. The data was a recommendation, many executive orders have spoken about it, but that does not stem the problem. I think what needs to happen is for a government body -- and we recommend that it's the Office of Management and Budget, you know, OMB at the White House -- to come up with a directive that any new regulation must complete an analysis looking for potential overlap and redundancy and to avoid, you know, multiplication of regulation. And now we're going to step forward, I think that to avoid this problem from, you know, continuing to exist, we need to go to the root cause and add some more fundamental house cleaning to be done. And our recommendation would be for OMB to help create a database of all regulations starting from federal agencies, and then potentially applying, you know, intelligent techniques -- maybe AI or maybe a set of people -- to look for redundancy and try to propose harmonization there. It needs to come from a central body. OMB is in the best position to do that. And they can set an example for also state and local of their own regulation in the private sector. I think that would be a great example to lead the industry in helping reduce the busy work and help companies focus on what matters most, which is securing the environment, you know, versus just checking boxes, and demonstrating they're actually doing the work.

Dave Bittner: Why do you think that OMB is the agency to best head this up? There are other agencies out there like CISA, for example, who specifically work with cyber. But what does OMB bring to the table?

Nick Sanna: I think CISA is a good agency as well, but their main focus is to help companies secure their environments from the technical perspective. And so they become an information sharing, you know, very, very good information sharing forum, and a forum that informs agencies on best practices. But I think OMB is in a particularly good situation, because as of today, all regulatory requirements, or as much as possible, all the reports from the IGs and the data that is harvested by agencies to demonstrate regulatory requirement may get collected by Homeland Security and CISA, but then gets reported to the White House, at OMB. So there is a challenge to data that's existing. You know, our recommendation is let's not remove the process, a process that is operating, let's strengthen it and make it more efficient. So let's create this database. Let's have OMB do research on which, you know, regulations are redundant, try to come up with a rule that every agency should have one all-encompassing regulation, and then enforce it. And I think they're in the best position to have an overarching view across all agencies in government to make sure that everybody abides by that.

Dave Bittner: Which industries do you think you are facing the most difficulties here?

Nick Sanna: Well, I think the industries that have critical infrastructure have the largest number of regulations because they're the strictest ones, you know. For example, some updates are recommendations; this is a must do, you must have these controls, and it must be at this level of security, you cannot fail this, and it's not an option. And these are typically the strictest controls on top of another. Series of controls may apply to all other agencies indiscriminately.

Dave Bittner: What are your recommendations then for a CISO who's trying to keep up with all of these demands? Any tips or words of wisdom here?

Nick Sanna: I think CISOs are drowning in this. Try to work with your inspectors general as they come in and examine. And in many cases, try to come up with a uniform approach. Although many agencies have been asked to try to consolidate their findings and make it compatible with something like the NIST Cybersecurity Framework. Be good at that, a central set of requirements, be pristine and try and map all the other work to that initial effort, so as to minimize the disruption. And when they have a strong understanding that there are some issues that require attention, do a risk analysis and show that they're focusing on the biggest bars of risk, on the biggest items that are at risk, versus on less material elements that may check the box and may not be significant in their context. So one, again, pick up one of the regulatory requirements, be really good at that, and show, you know, you are abiding by the spirit of having one regulation done well. And second, on top of it, prioritize also your regulatory work by having a risk assessment to show that you focus on what matters most.

Dave Bittner: What do you suppose is a reasonable timeline here for the White House to show some meaningful progress?

Nick Sanna: Listen, if they, within this administration, are able to come out with a directive asking -- and mandating, not just recommending -- that no new regulation is issued unless a redundancy analysis is made, you know. And, second, to create a database of regulations that can be a first step into then harmonizing it. I think that would be a good step. So I think that that sets the timeline. If they were starting the harmonization work, I would say I would be elated by that. But, again, those are in government; sometimes they don't happen as quickly as you want.

Dave Bittner: Our thanks to Nick Sanna, from the FAIR Institute and Safe Security, for joining us. [ Music ] In today's Learning Lab, part two of a discussion on building automation systems that Dragos's Mark Urban had with colleagues Daniel Gaeta and Zach Spencer. [ Music ]

Mark Urban: Hi, everybody. Welcome to another episode of Learning Lab. And today we're going to talk about building automation systems. So I'm joined by specialists in the area, Daniel Gaeta and Zach Spencer, who are here at Dragos as a solution architect and a strategic executive. Let's focus on building automation. I've been in networking for, it seems like, 100 years. But, you know, when you talk about network protocols, or talk about, hey, listen, in a building automation system, there is something that's controlling the heat and there's, you know, there's probably a sensor some place that's reading what the temperature is and there's a central control mechanism someplace else in the building. And these devices communicate to central control and to each other over a network and with proprietary or semi-proprietary protocols that are really specialty protocols that are like, hey, turn up the heat, you know, turn down the heat, or here's the temperature and all these readings. And if you think about it, it's not only temperature, but lock or unlock the door, or, you know, start or stop an elevator. If you start to think about building automation, like what kind of buildings are most sort of susceptible or are probably prime targets if you were going to be, you know, a cyber bad guy, where would you want to go?

Zach Spencer: Sure. Yeah, that's a great question. You know, when it comes to building automation systems in general, you know, almost every reasonably sized commercial building has a building automation system. That's not to say that building automation systems are always critical for their operation though. You can think of large retail, for example, will have a small building automation system in a big box store, for example. But losing access to that building automation system may not be mission-critical for that organization. When we think about industries such as pharmaceuticals, which heavily rely on their building automation systems, data centers, which heavily rely on the cooling systems within them to run their server racks, when we think about higher education being sort of a focal point for a large amount of personally identifiable information, and in healthcare as well for PII, and again, kind of to hit on the loss of use piece in healthcare, losing access to an entire wing or all of the cooling or heating within a hospital can really risk patient and employee safety. And so these are just a few examples of industries where the building automation system performs a mission-critical task for that organization, and if it's not completed properly by that system, can result in, you know, any sort of operational and business impacts, but, as I mentioned, human safety issues as well, which I think is paramount.

>> Yeah, and obviously the safety piece, that's spot on, Zach, in that how important is a fire and life safety system. If that were to be deactivated and there were a fire, I mean, we're looking at a really critical situation really fast. Also, let's think about the number of split refrigerated systems that are responsible for cooling some of these larger hotels and other types of infrastructure in high-rises, that's a lot of refrigerant that can displace a lot of air. And safety systems are in place there and operating and completely reliant on those ICS/OT networks to maintain reliability. And so anywhere these control systems touch the physical world, that's where this ICS/OT cybersecurity becomes really important. And these building automation systems definitely touch the physical world and can really have a major impact to life safety, especially in the colder and hotter climates where the population is quite reliant on that heat in the cold climates and cooling in the hotter climates.

Mark Urban: Yeah, I can see it, you mentioned, Zach, I can see that being especially just, you know, with all those processors, all those, you know, things, probably less spinning anymore, but definitely grinding the electrons along their path and doing so very quickly and generating heat and requiring, you know, amounts of coolant. You mentioned pharmaceuticals and temperature sensitive labs that, you know, have to be very exacting in how those climates are controlled. If somebody turned, you know, my house, if it dropped down to 62, you know, I might put on a sweater. But there are things that are a lot more susceptible or sensitive to changes in there that could cause big disruption. So I guess my summary would be -- but what you guys were saying is like the more kind of critical that those buildings are to the actual operation and producing revenue and executing the mission, or, you know, if they're also housing incredible, you know, intellectual property or secrets -- I can imagine the number of, you know, financial services buildings or government buildings or, you know, the pharma buildings where there's a lot of intellectual property. Is that a fair translation of kind of some of the things that you guys were seeing?

>> Yeah, absolutely. I think that that sort of sums it up in a really great way, where you think about, like I say, either where those buildings or those networks are hypercritical. And as the, you know, interconnection of these building automation systems occurs within those facilities and then connection of those building automation systems to enterprise or corporate IT networks, that's where you really run into situations where creating a secure architecture around your building automation system becomes paramount, such that those operations can continue in a secure fashion.

Have there been any kind of real attacks in this space? I mean, there's all this speculation in cyber of like what could happen, right? I mean, you just look at the fast growth in ransomware events across all industries. And definitely those threats are real. But specific to building automation, have we seen some actual attacks that have been in the public eye?

>> Absolutely. There's been a number of direct and indirect building automation system exploits. And what do I mean by direct and indirect? One example of a real-world attack that's more indirect, I mean, we'll go back to at least 2013, where a major US retailer was breached, in this case through an HVAC contractor's network access to the corporate systems. And so that's just an example of how there were these interconnections before and this reliance on internet connectivity that we see today with secure remote access. But time and time again historically, we've seen major companies that have had breaches through the building automation systems, and in this case HVAC contractors that were accessed, to ultimately pull out financial and exploit the financial systems to make a profit. And so that's more an indirect example. And a more direct example that's also more recent, just even back in 2021, a building automation engineering firm in Germany was attacked by an adversary that ultimately penetrated the building automation systems through exposed ports. And they were in turn locked out of their systems and unable to control lighting, motion sensors, HVAC, etcetera. And ultimately what resulted was that those HVAC and systems were exploited by the attackers and they were in turn allowed to infiltrate further systems and make headway in terms of compromising that poor victim. But that's a more direct example where building automation systems themselves were targeted -- and I absolutely see a trend in that direction. Because whether or not you're controlling a building or a power plant, many of those control systems rely on the same ICS/OT protocols. And so in order to even begin defending against some sort of a threat in this space, it's important to start thinking about monitoring your facility building automation systems network to understand what normal looks like and to be looking for potential threats.

We've all seen in movies, right, we've seen like super smart hacker guy manipulating, you know, traffic signals and building controls to allow his group of, you know, 10 other people to, you know, break into the art museum, to restore a casino, and all those other things. But that's good moviemaking, but, you know, using those same techniques and, you know, and just being able to raise the temperature in the data center is a lot more subtle and can have a huge impact. It's never going to make a good movie, or maybe it could. But the subtlety in change in temperature or just stopping something from working, right, that's what ransomware is. If your bread-and-butter, if your revenue is built on processing transactions in a giant data center, then if you stop that ability to process transactions, you stop generating revenue. So it's not as sexy as Ocean's Eleven, but it can have kind of dramatic consequences. But have there been things changing in the environment that make these risks more real, more risky, or higher profile?

>> Yeah. We've sort of been alluding to it already. But it's this interconnection of these building automation systems and bringing them kind of to the forefront on these networks that is sort of allowing this sort of window of exploitation, sort of in between where we decide that we want to break these systems out from where they were designed, their isolation on basically their own networks with, you know, protocols that were not typically accessible to, you know, through the Internet and things like that. And in between that time point and then the further time point somewhere down the line where we have a ton of resources being dedicated to securing these from the ground up and being designed with security in mind. And in that window, however long that is -- which is where we sit today -- is sort of the window of opportunity for threat actors. And so again, as we sort of bring them into interconnection on enterprise IT networks, for example, you know, there are open source Internet search engines that can show you literal building automation systems anywhere in the world that are connected to the open Internet right now. And this is something that any threat actor has access to today. By seeing that or by whether they're utilizing an existing exploit that has already been published and just hasn't been patched on a hospital's network, for example, or whether they're a large well-funded actor that is developing a new zero day exploit, they can utilize these open Internet search engines, for example, to find let's say a CCTV system that is exposed to the open Internet with certain attributes that make it a viable attack target for them, and then potentially either gain access to it to conduct surveillance on, you know, a target that's valuable to them, or to provide, as we keep talking about, sort of loss of use of let's say a physical security access control system for card access to, you know, a datacenter or a healthcare facility or a financial institution, for example. To your point, they are very real risks that are, you know, unfortunately exploitable in this day and age with the amount of technology that we and threat actors have access to.

We'll have some episodes coming up talking about the cybersecurity journey, but you can start by, hey, where am I? If you have mission-critical building automation systems, datacenters, things like that, you know, a good place to start is get some experts in to do an assessment. And I'll do a shameless plug here for the Dragos OT Cybersecurity Assessment as an example of that. And we have specialists in building control and datacenter areas. But that's because this is a complex area. Daniel had five things, you just mentioned 10 things, and navigating through that all can be a little bit daunting. So that's why we're here at Dragos to give you some information, and if you need some help with that, just give us a call. So Mark Urban with Daniel Gaeta and Zach Spencer. Thank you, gentlemen. [ Music ]

Dave Bittner: And that's Control Loop, brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at Sound design for this show is done by Elliott Peltzman, with mixing by Tré Hester. Our executive producer is Jennifer Eiben. Our Dragos producers are Joanne Rasch, Mark Urban, and Monserrat Thomason. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]