Control Loop: The OT Cybersecurity Podcast 5.1.24
Ep 49 | 5.1.24

Critical infrastructure: Pending legislation and risks and rewards from AI.

Transcript

Dave Bittner: It's May 1st, 2024 and you're listening to "Control Loop." In today's cybersecurity briefing, Mandiant ties OT attacks to Sandworm. Russia-linked hackers target Texas water utilities. Belarusian hacktivists hit a fertilizer company, and CISA issues eight ICS advisories. Later in the show I speak with my "Caveat" podcast cohost, Ben Yelin, about pending legislation with potential to affect critical infrastructure, as well as the Department of Energy's assessment of the potential risks and rewards from AI. The "Learning Lab" is on a hiatus this episode, and will be returning soon! [ Music ] Mandiant has published a report on the recent activities of Sandworm, a threat actor attributed to Russia's GRU. Mandiant now tracks the group as APT44 and notes that no other Russian government-backed cyber group has played a more central role in shaping and supporting Russia's military campaign. The threat actor has a much broader focus than the war in Ukraine, however, and the researchers are tracking operations from the group that are global in scope in key political, military, and economic hotspots for Russia. Mandiant's report ties APT44 to several hacktivist groups that have claimed responsibility for attacks against OT systems in the United States and the European Union, including three water utilities in Texas, a wastewater treatment plant in Poland, and a hydroelectric dam in France. These attacks don't seem to have had any serious effects, but the researchers note that continued advancements, and in-the-wild use of the group's disruptive and destructive capabilities, have likely lowered the barrier of entry for other state and nonstate actors to replicate and develop their own cyberattack programs. Sandworm has been responsible for several damaging attacks in the past, including the 2017 NotPetya attack and the destruction of Ukraine's energy grid in 2015 and 2016.
"SecurityWeek" describes the January cyberattacks mentioned in Mandiant's report that hit water facilities in three small Texas towns. Mike Cypert, the City Manager of Hale Center, said their firewall received 37,000 login attempts over the course of 4 days, causing the city to unplug its SCADA system and switch to manual operations. In the town of Muleshoe, City Manager Ramon Sanchez said, the hackers managed to overflow the city's water system for about 45 minutes, but that the incident didn't pose any danger to the public. Lockney, the third city targeted, managed to thwart the attackers before they gained access to the town's water system. Mandiant analyst Dan Black told CNN, "The haphazardness is part of their pathological emphasis on psychological impact. They want to make it look like they're doing more than they're doing." On April 23rd, U.S. Representative Pat Fallon, a Republican from Texas, and Ruben Gallego, a Democrat from Arizona, sent a letter to Homeland Security Secretary Alejandro Mayorkas requesting a briefing on these incidents. The representatives wrote, "As you may know, much of the American West is experiencing a historic long-term drought that makes fortifying water supplies from vulnerabilities like adversary disruption efforts all the more important. Should a hack similar to the Texas incident occur in Arizona or other states that may lack sufficient water supply, it could disrupt operations across the region with devastating effects." Belarusian hacktivists claim to have hacked Grodno Azot, Belarus' state-run fertilizer manufacturer, in protest of President Lukashenko's regime, The Record reports. The hackers say they disrupted the company's energy generation facility and wiped or encrypted hundreds of computers and servers. The group is demanding the release of political prisoners who were arrested for protesting Lukashenko's contested reelection in 2020.
Grodno Azot confirmed that it was attacked, but said, "The situation has not affected, and will not affect, the production activities of the enterprise." The U.S. Cybersecurity and Infrastructure Security Agency last week issued eight ICS advisories for vulnerabilities affecting products from Hitachi systems, Siemens, Honeywell, Mitsubishi Electric, Rockwell Automation, and Chirp Systems. The most serious vulnerability affects Siemens' RUGGEDCOM APE1808 devices that are configured with Palo Alto Networks' Virtual Next Generation Firewall. These products may be vulnerable to a command injection flaw that could allow an attacker to execute arbitrary code with root privileges. [ Music ]

Dave Bittner: Ben Yelin is my cohost on the "Caveat" podcast, a law and policy cybersecurity podcast over on the CyberWire network. He joins us today to discuss several policy issues that may affect critical infrastructure. Well, Ben, there are two stories here I wanted to get your take on; these are both stories having to do with critical infrastructure and, you know, motions to protect them from technology and some of the threats that we see on the horizon. This first story is about U.S. Representative Rick Crawford, who's a Republican from Arkansas, who is -- who has teamed up with Representative John Duarte, a Republican from California, and they have introduced a House resolution that is looking to protect water and wastewater systems against cybersecurity threats. And they are doing this, the bill proposed to "establish a water risk and resilience organization under the EPA to develop these risk and resilience requirements for drinking water and wastewater systems." What do you make of this, Ben?

Ben Yelin: I think this is a really interesting piece of legislation and I think it's really promising. As you said, the bill would create this taskforce and resilience organization. It's under the umbrella of the EPA.

Dave Bittner: Uh-hmm.

Ben Yelin: The EPA already does work analyzing risk and building in resiliency, so I'm excited it has to do with resiliency to adverse weather events; this is just another threat that the EPA has to wrestle with.

Dave Bittner: Okay.

Ben Yelin: For incidents against critical infrastructure.

Dave Bittner: Yeah, I was going to ask you that, you know, why EPA and not one of the other -- why not Homeland Security, you know?

Ben Yelin: I think it's because the EPA has regulatory authority over our water systems.

Dave Bittner: Ah, I see, okay.

Ben Yelin: So, it's within their purview to promulgate these regulations.

Dave Bittner: So, they can have teeth?

Ben Yelin: Exactly.

Dave Bittner: Okay.

Ben Yelin: And so, you would have this organization, it would already be under the structure of the EPA, once it's in the administration, it would be tasked with proposing regulations, implementing those regulations to enhance the cybersecurity resilience of our water system. I think this threat is another one that probably seems abstract to people.

Dave Bittner: Uh-hmm.

Ben Yelin: But the current EPA Administrator, Michael Regan, the National Security Advisor, Jake Sullivan, they've mentioned in committee hearings that they are concerned about critical infrastructure, particularly water systems, as a vector for an unintentional or intentional disruption or.

Dave Bittner: Right.

Ben Yelin: Or whether it's some type of terrorist attack, whether there's a cyberattack against our water, or if it's some type of computer system failure that affects our water system.

Dave Bittner: Let me ask you this Ben.

Ben Yelin: Um-hmm.

Dave Bittner: Just, I'll throw you a curve ball. Where do you get your water from where you live? Do you know?

Ben Yelin: I live in Baltimore County and actually it is the Baltimore City Department of Public Works.

Dave Bittner: Right.

Ben Yelin: That's in charge of water services for Baltimore County.

Dave Bittner: Yeah. Same for me here -- I live in Howard County which is another Baltimore suburb, but yes, we get our -- I'm old enough to [brief laughter], I'm old enough to remember people talking about referring to city water versus well water, right?

Ben Yelin: Yeah.

Dave Bittner: Like I was -- when I was a little kid, the neighborhood I lived in we were living there when they ran city water through the neighborhood.

Ben Yelin: And did it taste different?

Dave Bittner: I don't know. I was 6 probably, I mean, well, they got fluoride, right?

Ben Yelin: Yeah, fluoride's good.

Dave Bittner: So, you know, we were getting -- so we were -- we had a well and we had septic, and it was a big deal that the county was running through, you know, city water. I remember them digging up the front yard to pull out the septic tank and.

Ben Yelin: Uh-hmm.

Dave Bittner: Disconnecting the pumps that were down in the basement to pump the water out of the well and, you know, all that kind of stuff. But, I get -- my point in asking you that is, I think most people or many people, don't really think about where their water comes from. It's one of those things that safe drinking water is something that most of us here in the U.S., and of course there are well-publicized exceptions.

Ben Yelin: Flint, Michigan, yes.

Dave Bittner: Yes. Most of us don't even think twice about the fact that the water that comes out of our spigots is safe and basically unlimited.

Ben Yelin: We only notice it in two circumstances; one when it's not available to us, like if there's a water main break.

Dave Bittner: Right.

Ben Yelin: Or two, I am a native Californian and there are a lot of droughts there, and when you have droughts, there are voluntary or mandatory water restrictions; those are unpleasant. You're instructed to limit your showers to whatever it is, under 5 minutes.

Dave Bittner: Right, right.

Ben Yelin: As someone who enjoys taking long, hot showers, that's a sacrifice to make. But, yeah.

Dave Bittner: Yeah.

Ben Yelin: That's something we take for granted and this is why it worries me, I mean, I think there are significant vulnerabilities with our water systems -- this is another example where I think the United States even relative to other countries has some advantages in that there are redundancies. We have a lot of distinct water systems where they're probably all -- and I'm actually not an expert in this, but they're all on different computer systems and.

Dave Bittner: Right.

Ben Yelin: Run different software, so it would be hard to institute some type of centralized attack that brought down all of the water systems in the United States.

Dave Bittner: Right.

Ben Yelin: But certainly, for each individual water system there are a lot of vulnerabilities.

Dave Bittner: Yeah.

Ben Yelin: And I think it is certainly a wise idea to get the Federal Government involved in figuring out ways to harden these systems against cyber incidents.

Dave Bittner: It's interesting, because I think many view that as being simultaneously a feature and a bug, you know, in that yes, the water system is diffuse, it is diverse.

Ben Yelin: Decentralized.

Dave Bittner: Decentralized, right, but on the flipside, that means you have a broad and diverse attack surface, and there are water systems, you know, like we were describing for us, that handle entire communities, entire cities and the suburbs that surround them, and there are water systems -- my understanding is, there are water systems that handle small townships, you know, a few thousand folks' homes.

Ben Yelin: Totally.

Dave Bittner: Yeah. And so, you think about the available funding for a small system like that to protect themselves from a cyberattack, I think this sort of federal attention, and hopefully it will come with support and funding for the systems to protect them, because you know how much fun an unfunded mandate is for a small operator like that.

Ben Yelin: Yeah. Ask somebody who works for local government how much they love unfunded mandates.

Dave Bittner: Right.

Ben Yelin: And they'll tell you.

Dave Bittner: Right. Right. So, I mean, getting back to this specific bill, what is the process for this to go through? I mean, I understand right now it's under review?

Ben Yelin: Yeah, so it has been given to two committees, both committees have jurisdiction over this, the Transportation and Infrastructure Committee in the House, and the Energy and Commerce Committee. I don't know if they have hearings scheduled on this bill. This is Congress, and we have to remember that the vast majority of bills that get proposed go nowhere; they die in committee.

Dave Bittner: Right.

Ben Yelin: Or they never receive a committee hearing at all. So, usually when you're introducing a bill in Congress these days, it's to raise awareness about something, and maybe you can get some of it tucked into a major omnibus "must pass" spending bill at the end of the fiscal year.

Dave Bittner: Well, like you and I have talked about, these things I think become a lot easier for legislators to consider when there have been real-world examples, and one of the things that the reporting has highlighted on this story is there's an Iranian group who went after a Pennsylvania water facility. So, for the people who are pushing this through, it's not just theoretical, right?

Ben Yelin: Yeah, not at all and I think the elephant in the room here is China. There was testimony by the FBI director about the scale of Chinese offensive cyber operations. Their capabilities have been enhanced over the past several years and we are concerned that they're going to get to the point that they can propagate an attack, a wide, broad scale attack on our water system.

Dave Bittner: Yeah.

Ben Yelin: So, that's actually why I think this is appropriate for federal action, is this is an international cybersecurity concern.

Dave Bittner: Right.

Ben Yelin: It has to do not just with protecting infrastructure here at home, but there's a foreign policy element to it as well. So, would I bet on this bill passing prior to the end of this Congress? Not necessarily, although it is encouraging that this is proposed and sponsored by two Republicans; generally Republicans are not fans of the EPA or regulations.

Dave Bittner: Right, right.

Ben Yelin: So, this -- you're kind of off to a good head start here.

Dave Bittner: Yeah. Before we wrap up this segment here today, I want to get your take on another story: the Department of Energy put out an Initial Assessment Report looking at the benefits and risks of artificial intelligence when it comes to critical energy infrastructure. So, an interesting report, like I say, it's an initial assessment, which I guess means it's a first shot at this sort of thing.

Ben Yelin: Um-hmm.

Dave Bittner: What is your take on this sort of thing Ben?

Ben Yelin: So, it's a really interesting report. I think sometimes we over-emphasize the fears attended with artificial intelligence.

Dave Bittner: Um-hmm.

Ben Yelin: And under-emphasize the benefits, and it's good that this initial assessment really covers both. So, AI benefits that they mention in the report: improved operational awareness, predictive maintenance, resource exploration, improving system efficiency and response capabilities; those are all things that I think, if you operate critical infrastructure, are very promising, and we're already seeing some of these tools deployed. Then there are some significant risks. They identified four risk categories: unintentional failure modes due to things like bias or misalignment; adversarial attacks, so that's either from sort of a foreign adversary or domestic cyber criminals; hostile applications, so model-based attacks, autonomous control concerns; and then the AI software supply chain getting compromised; if we're overly reliant on it and supply isn't able to meet demand on this, then we will have set up a reliance on these systems while not being able to actually use these systems. So, the recommendations from the report are that the Department of Energy should deepen engagement with the energy sector, taking into consideration these benefits and risks, and continue to build updated assessments throughout 2024 and beyond. They did work with energy sector stakeholders and subject matter experts for this report. The plan is to continue working with them going forward, and also, there is broad alignment with the Federal Government's policies on artificial intelligence. The White House, through the Office of Management and Budget, issued an executive order from the President focusing on enhancing AI safety, privacy and equity, and I think.

Dave Bittner: Yeah.

Ben Yelin: The goals identified here align with the goals identified in that executive order.

Dave Bittner: It seems like this -- this is one of the ways that that executive order is bearing fruit, right?

Ben Yelin: Yeah! This is just one sector where the general themes expressed in that executive order are being realized.

Dave Bittner: Yeah.

Ben Yelin: So, there's nothing here that has significant teeth, I mean, this report in and of itself doesn't promulgate any regulations or change policies in any way. I think it's just good for improved situational awareness for the Department of Energy and for companies that operate critical infrastructure, and I think outlining these risks hopefully is further incentive for some of these companies to get involved in this engagement process, to figure out the best ways to mitigate these risks so that we can still make the best use out of these technological tools.

Dave Bittner: One of the things that strikes me about this assessment, this report, is that the tone is very much one of collaboration, right? There's a lot of acknowledgement that there needs to be public-private cooperation, collaboration, that, you know, this isn't -- it strikes me that the tone of this report is not the government coming down from on high and saying this is the way it shall be. I mean, obviously there are cases where that has to be the way it is, but it seems to me like there's a good faith effort here from the government acknowledging that a lot of the knowledge and a lot of the effort to make something like this workable is going to come from industry.

Ben Yelin: Yeah. I mean, I think they have to rely on industry. The government itself operates a substantial amount of the critical infrastructure in this country, but the private sector controls the majority of it. So, you can't effectuate change without the cooperation of the private sector, and you don't want the private sector coming in, as they have when regulations have been proposed at the State and Federal level, saying this is premature, this is going to increase cost on consumers, you know, this is the -- the proverbial heavy hand of the government stifling innovation. I think this effort at collaboration, at public-private partnership, the purpose of that is to stop this type of adversarial attitude from some of these companies. And so, I think it's an important first step in that regard.

Dave Bittner: My thanks to Ben Yelin for joining us. You can find the "Caveat" podcast on the CyberWire podcast network or wherever you find your podcasts. [ Music ] And that's "Control Loop" brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our Show Notes at thecyberwire.com. Sound design for this show is done by Elliott Peltzman with mixing by Tré Hester. Our senior producer is Jennifer Eiben. Our Dragos producers are Joanne Rasch, Mark Urban, and Monserrat Thomason. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]