Control Loop: The OT Cybersecurity Podcast 3.20.24
Ep 46 | 3.20.24

Navigating China's infrastructure risks in the energy sector.


Dave Bittner: [Music] It's March 20th, 2024, and you're listening to Control Loop. In today's OT cybersecurity briefing, researchers at Georgia Tech describe a way to hijack web-based PLCs. A threat actor is targeting manufacturing entities in North America. The U.S. Department of Defense has launched its CORA program, and CISA issues ICS advisories. Our guest is Aura Sabadus from ICIS, sharing how energy insiders are approaching the renewed risks of China's ramp-up toward potential attacks on critical infrastructure, and what the energy industry is saying about these risks. The Learning Lab is taking a break, but will return soon. [ Music ] Researchers at the Georgia Institute of Technology have published a report outlining a method to exploit browser-based control systems used in industrial facilities. The researchers state, "Depending on the industrial process being controlled by the PLC, our attack can potentially cause catastrophic incidents or even loss of life. We verified these claims by performing a Stuxnet-style attack using a prototype implementation of this malware on a widely used PLC model by exploiting zero-day vulnerabilities that we discovered during our research. Our investigation reveals that every major PLC vendor, 80 percent of global market share, produces a PLC that is vulnerable to our proposed attack vector." The researchers developed proof-of-concept malware that resides in PLC memory, but ultimately gets executed client-side by various browser-equipped devices throughout the ICS environment. From there, the malware uses ambient browser-based credentials to interact with the PLC's legitimate web APIs to attack the underlying real-world machinery. The researchers emphasize that web-based PLCs have expanded the ICS attack surface, and organizations need to understand the risks that accompany increased accessibility.
Researchers at eSentire are tracking a malware campaign by a threat actor tracked as Blind Eagle that's targeting Spanish-speaking users at manufacturing organizations in North America. Trend Micro, which has been monitoring this threat actor for several years, believes the group is based in Colombia and is probably financially motivated. The group has previously targeted users in South America and Spain, sending phishing emails that distribute a variety of remote-access Trojans. In this case, Blind Eagle is sending phishing emails that deliver Remcos RAT and njRAT. The U.S. Department of Defense Information Network, part of the Joint Force Headquarters, on March 1st launched its Cyber Operational Readiness Assessment (CORA) program following a successful nine-month pilot phase. Air Force Lieutenant General Robert Skinner, commander of the Joint Force Headquarters DOD Information Network, stated, "CORA is a vital aspect of continually understanding our cyber readiness through fusing many risk factors including access control, detecting anomalies, adjusting to adversary threat information, and executing cyber orders." Ultimately, the assessment provides commanders and directors a more precise understanding of their high-priority cyber terrain and their overall cybersecurity and defensive posture, enabling greater command and control and enhancing decision-making. The U.S. Cybersecurity and Infrastructure Security Agency last week issued 15 ICS advisories affecting products from Siemens, Delta Electronics, Softing, and Mitsubishi. Three of the vulnerabilities received CVSS scores of 9.8, affecting Siemens' SINEMA Remote Connect Server, SIMATIC, and certain RUGGEDCOM devices that use unpatched [music] Fortinet next-generation firewalls. One flaw received a CVSS score of 10, impacting Siemens' Sinteso EN and Cerberus PRO EN fire protection systems. [ Music ] I recently had the pleasure of speaking with Aura Sabadus, senior journalist with ICIS.
Our conversation centers on the renewed risks of China's ramp-up toward potential attacks on critical infrastructure and what the energy industry is saying about these risks. [ Music ]

Aura Sabadus: I cover markets. I look at anything that tends to move prices, whether it's regulations, fundamentals, geopolitics. And more recently, I've started to take an interest in cyber risks because the experience of the last two years has shown, or at least has shown to me, that this could in the future become a serious risk to the industry. And then I started to do some research, look into it, and I realized that it's actually a big problem that goes underreported.

Dave Bittner: Well, let's talk about that. I mean, what has your reporting shown in terms of where we stand right now when it comes to critical infrastructure and the threats that are out there?

Aura Sabadus: I would say there are two risks. One is the physical attack. And of course, in Europe, we've seen recent attacks on the Nord Stream pipelines. These were the pipelines that were supposed to bring Russian gas from Russia to Germany via the Baltic Sea. More recently, the Balticconnector, again, a pipeline linking Finland to Estonia, supposed to bring natural gas from one place to another, so really allowing the shipments, bidirectional shipments, again, was sabotaged, was damaged. And that in itself has raised questions regarding the safety of infrastructure. And then on the other hand, of course, it's the cyber attacks. And I've started to look into some data, and I was particularly interested to see how vulnerable the energy sector is, and also to talk to various companies in Europe. I tried to get some kind of information regarding the situation in the U.S., particularly in the light of the Colonial Pipeline attack, and more recently, the [inaudible 00:07:38] Typhoon attack. And I realized that, as I said, it seems to be a very big problem. This is not something that is discussed by companies, probably understandably because they don't want to risk reputational issues. Clearly, consumers would be very worried to know that some of these companies have had breaches of data and potentially that customers' data could have been stolen. So this is one reason why they're not discussing it. And then another reason is because of the money involved. And in many cases, there is a ransom involved, and many of these companies end up paying. I realized that the average cost to recover some of the lost data is around $4 million, which is astonishing. It's an awful lot of money that could be used for other purposes, such as deploying more renewable capacity or connecting more consumers to the grid, et cetera.

Dave Bittner: You know, it's interesting that you mention the physical damage or the potential of physical damage. And I think for those of us here in the U.S., I think we don't think about that as much. And it simply is a matter of geography and, you know, that we're a bit more isolated for that because of where we sit in the world. But it's an interesting thing to note that for folks in Europe, it is potentially more of a real threat.

Aura Sabadus: It's a big threat. Again, I don't think people realize this threat. And just to give you an example. Right now, the Western European countries depend largely on Norwegian gas. All this gas is shipped via subsea pipelines. Now, the whole North Sea is covered in pipelines, in cables. Imagine something happens to these pipelines or to these electricity or telecommunication cables, and you would see another energy crisis being replayed here in Europe. The same could happen to LNG terminals. Europe is now developing a lot of LNG regasification terminals to receive LNG primarily from the U.S. Again, these depend on sophisticated cyber infrastructure. If something happens to these terminals, this would contribute to a new energy crisis. Wind turbines, also decentralized electricity systems. We're talking more and more about decentralization, more and more about sophisticated metering systems, all of which depend on sophisticated IT software. So, if something happens, the risk is incredibly huge to the economies of these countries and to the consumers. And more worryingly, the Volt Typhoon attack, which was discussed very recently, I believe, and the FBI said that it was a risk in a generation, shows that some rogue state or rogue actors could be planting malware, which sits dormant for years, and it's activated when it's needed for sabotage purposes or for rogue acts. As the FBI described, they are pre-positioning themselves to create a lot of havoc in the future, at the time when it serves certain purposes, whether these are Russian objectives or Chinese military objectives or criminal objectives. This is very, very worrying.

Dave Bittner: Can we talk about the various players internationally, one by one? Let's start with China here. I mean, you mentioned them. What is the specific threat and what sorts of techniques do they seem to be employing here?

Aura Sabadus: From what I understand, the Chinese have been less, let's say, less active or obvious, if compared, for example, with Russian actors. From my point of view, the danger, as far as China is concerned, is that these attacks are, let's say, benefiting from equipment or from malware that lies dormant. As I said, the Volt Typhoon type of systems that could be used and which all of a sudden could flare up and create problems. From this point of view, I think that the U.S. perhaps is more vulnerable. Although, talking to various energy companies here in Europe, I understand that they do see attacks originating in Asia, and that would be primarily China, but also countries such as Vietnam. I was told Vietnam, Pakistan, for example, another player, and, of course, North Korea. So this is -- these are the Asian players. From a European perspective, however, I think that the more intrusive are the Russian players, either criminal gangs or state-sponsored attacks. And we have a couple of examples. For example, last year, 22 Danish companies were subject to a coordinated attack. I read the report, and it appears that it was a Russian attack. It originated in Russia. Whoever was behind it, I mean, there are some suspicions that it was state-sponsored, appears to have benefited from a lot of resources. They knew exactly what they were doing. They were not targeting random systems. They knew exactly, as I said, what they were doing, and they brought down 22 energy companies. And generally, this is what we see in Europe. But at the end of the day, the Colonial Pipeline attack also originated in Russia. Apparently, criminal, it was criminal activity. But ultimately, these are the main players, and there are indications that at least since the war in Ukraine started, these attacks have also increased quite substantially.
For example, the International Energy Agency said that in 2022, there were around 1,000 attacks per week against energy companies, whether it's utilities or grid operated -- operations, and that's roughly double the amount of attacks compared to 2020, 2021.

Dave Bittner: When we're talking about criminal operations, we're primarily talking about ransomware?

Aura Sabadus: Yes. And what is interesting, and again, I think people don't realize, is that many of these groups could be associated or could be on sanctions lists. So for example, as I understand, in the U.S., it's not illegal to pay ransom, but it is illegal to pay money to sanctioned groups. So imagine that it's a small utility or it's a small energy company that undergoes a data breach, they are desperate to recover that data. They are prepared to pay the money, but maybe they don't have enough resources or they don't realize that the group they are dealing with may be on a sanctions list. So what happens? You know, this opens a huge can of worms. It's becoming increasingly difficult to deal with these attacks and with these problems.

Dave Bittner: As you talk to the various organizations around the world, the folks who are responsible for this critical infrastructure, how are they rating their own ability to defend themselves?

Aura Sabadus: The bigger ones, I -- the bigger utilities would have the money to boost their cyber defenses. However, the smaller ones will always have issues, and the issues are not necessarily just related to the money that they need in order to boost these defenses, but also in the ability to secure or to hire skilled personnel. And in some cases, for example, I also spoke to Ukrainian companies, and of course, they are right on the front line, not just in terms of a kinetic war, but also in terms of hybrid war. In one company's case, they said that last year they had no less than 27 million attacks. Of course, probably most of these would have been DDoS attacks. But they said that in order to deal with these -- with this endless stream of attacks, they have to hire personnel to monitor their system 24 hours a day, 24 hours out of 24. So they need a lot of people. And you can imagine, it's a country at war. They may not have that much money in order to support these defenses. Similar situation with the smaller companies. Even in the wealthier Western Europe, it is a risk. And the other risk is obviously the fact that we're now integrating all systems. We don't have just the usual model where you have an integrated utility, you have the transmission lines, the distribution lines, and that's pretty much it. You also begin to integrate other objects such as electric vehicles or different small turbines, small solar panels. Now, these are all connected to the power system, to the big infrastructure. If a rogue actor penetrates some of these systems that are more vulnerable, they can infiltrate the bigger, the larger system. And, in fact, I believe that even with Colonial Pipeline, I may be wrong here, if I remember correctly, it happened because of a breached personal email password. You know, it's very, very hard to patch up all these vulnerabilities and to make sure that the system is completely safe.

Dave Bittner: It almost seems like, to a certain degree, it's like protection money. You know, like it's not in the -- in terms of the criminals, it's not in their best interest to actually, let's say, turn out the lights. But the threat of turning out the lights can be very [laughter] profitable for them. If they turned out the lights, the response would probably be much stronger, you know, an international response, perhaps with, as they say, kinetic action versus the threat of turning out the lights, which can be very profitable for them.

Aura Sabadus: Sure. I mean, it probably also depends on what sort of criminal groups we're talking here. I mean, some of them can benefit from huge resources. Others probably are just rogue actors sitting somewhere, maybe, I don't know, in Vietnam or Pakistan or Eastern Europe, but they may not have the same resources the big -- the bigger actors have. But ultimately, there is criminal activity. I understand that around 40 percent of the attacks on energy companies are actually related to criminal activity. While, as you say, while it is in their interest to still keep the lights on and perhaps not create a big furore, international furore, they operate under the radar and they are still making money out of it. I don't see how smaller companies, energy companies, could clamp down on that.

Dave Bittner: Where do we stand in terms of international norms? You know, it strikes me that these are -- these threats are aimed at civilians, and that itself is noteworthy.

Aura Sabadus: Well, that's a very good question because I don't think that there is a coordinated approach, at least as far as Western countries are concerned. On the one hand, the civilian infrastructure, at least the energy infrastructure, doesn't seem to have been prepared for this. In fact, after Nord Stream, after the Nord Stream attack happened, I spoke to someone who knew the infrastructure and understands how the whole European gas infrastructure works, and he said, look, these pipelines were not built with cyber or physical attacks in mind. I mean, certainly not with physical attacks in mind. Imagine someone would be planting a virus or malware similar to Volt Typhoon that would lie dormant in these pipelines, and five years down the line, these pipelines would blow up. How can you track that? How do you know who did it? How do you know when it was planted? How can you protect against that? Unless there is greater coordination between energy companies and in particular infrastructure operators and the military, NATO I would say here, and, you know, carrying out joint exercises, which I believe they start to do, but potentially a bit too late, we are still going to face huge vulnerabilities. In terms of, as you say, in terms of standards, this is another big problem, because yes, the European Union has passed legislation. The U.S. I believe also has its own legislation, and there is a national organization, I believe CISA, correct me if I'm wrong, but I believe that's in the U.S., that is looking and is advising companies. But ultimately I believe that there should be a coordinated international approach on how to minimize the threat, particularly in a context where the technology devolves -- evolves quite rapidly. We're now talking artificial intelligence, deepfakes, et cetera.

Dave Bittner: You mentioned NATO. Do you feel like they would be the appropriate organization to lead an effort like this?

Aura Sabadus: Well, they certainly have cyber groups. I think one of them is based in one of the Baltic countries, but I may be completely wrong here. Sorry, it's not really my area of expertise, but just off the top of my head I remember reading that there is such a dedicated group, organization. Potentially yes, as a way to coordinate at the broader level, international level, but also the individual national defense groups of each country. There should be greater coordination at government level between defense, the defense industry, the IT sector and also the energy sector. I'm told that there are ways to report some of these incidents, probably some of the bigger energy companies are already doing it. For example in the UK they benefit from advice from, again, dedicated organizations affiliated with GCHQ. But again, what happens with the smaller countries, with the countries that perhaps don't have the same pot of money and the same expertise, level of [music] expertise that the more developed countries have?

Dave Bittner: Our thanks to Aura Sabadus from ICIS for joining us. [ Music ] And that's Control Loop, brought to you by The CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at the Sound design for the show is done by Elliot Peltzman with mixing by Tre Hester. Our senior producer is Jennifer Eiben. Our Dragos producers are Joanne Rasch, Mark Urban, and Monserrat Thomason. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]