Control Loop: The OT Cybersecurity Podcast 5.15.24
Ep 50 | 5.15.24

Hacktivism targeting OT devices.

Transcript

Dave Bittner: It's May 15th, 2024, and you're listening to "Control Loop." In today's OT Cybersecurity Briefing, the U.S. Defense Department warns of Russian hacktivists targeting OT devices. Meanwhile, the U.S. government establishes a Safety and Security Board to advise the deployment of AI in critical infrastructure sectors. And vulnerabilities affect CyberPower UPS management software. Our guest today is Garrett Bladow. He's a Distinguished Engineer at Dragos. We discuss active visibility in OT systems. [ Music ]

The U.S. Defense Department and its partners in the UK and Canada have released an advisory outlining pro-Russian hacktivists' targeting of OT devices in the U.S. and Europe. The Advisory states, "The authoring organizations are aware of pro-Russia hacktivists targeting and compromising small-scale OT systems in North America and European water and wastewater systems, dams, energy, and food and agriculture sectors. These hacktivists seek to compromise modular internet-exposed industrial control systems through their software components, such as human-machine interfaces, by exploiting virtual network computing remote access software and default passwords." The agencies note that the threat actors so far have used unsophisticated techniques to create nuisance effects, but they may be able to cause more damage against OT environments that are insecure or misconfigured.

The U.S. Department of Homeland Security has established an Artificial Intelligence Safety and Security Board to advise the critical infrastructure community on the safe use of AI, FedScoop reports. The DHS stated, "The board will develop recommendations to help critical infrastructure stakeholders, such as transportation service providers, pipeline and power grid operators, and internet service providers, more responsibly leverage AI technologies." It will also develop recommendations to prevent and prepare for AI-related disruptions to critical services that impact national or economic security, public health, or safety. The board includes 22 representatives from software and hardware companies, critical infrastructure operators, public officials, the civil rights community, and academia.

Researchers from Cyble have discovered eight vulnerabilities affecting PowerPanel Business software, an uninterrupted power supply management software product from CyberPower. Three of the flaws have been assigned a severity rating of critical. The researchers explain, "The exploitation of the vulnerabilities in vulnerable PowerPanel could allow an attacker to potentially bypass authentication and obtain administrator privileges, which could be utilized for writing arbitrary files to the server for code execution, gaining access to sensitive information, impersonating any client to sending malicious data, and gaining access to the testing or production server." Cyble warns that there are more than 600 instances of PowerPanel Business exposed to the internet. CyberPower has issued patches for the vulnerabilities.

U.S. Representative Rick Crawford, a Republican of Arkansas, and Representative John Duarte, Republican of California, have introduced legislation that would establish a governing body to oversee water sector cybersecurity, the Arkansas Democrat-Gazette reports. The congressmen cited nation-state targeting of water systems for disruption and battle space preparation. Crawford told the Gazette, "We just need to harden these assets and make them less vulnerable and equip our operators so they know how to deal with it. Water operators at the municipal, county, and state level need to be prepared and properly trained and armed with the right things to prevent these things from happening." [ Music ]

Dave Bittner: Not long ago, I attended CyberCon in Bismarck, North Dakota, where I had the pleasure of catching up with Garrett Bladow. He's a Distinguished Engineer at Dragos. We discuss active visibility in OT systems. [ Music ] So you and I find ourselves here at Bismarck State College. We are here for CyberCon 2023, and you are presenting later this afternoon and have graciously agreed to give us a little preview of that presentation for our show here. What's the title of the presentation?

Garrett Bladow: It's "Going Active in OT," and I'm going to talk about sort of the benefits of asset visibility, which is one of the biggest challenges our customers have. They just don't know what's necessarily on their networks because they've evolved through 20 years of like static emplacements in oil and gas pipelines or manufacturing or energy grids.

Dave Bittner: Right.

Garrett Bladow: Right? And a lot of security solutions in the IT space are about scanning, right? I'm going to bring my Nessus scanner. I'm going to bring Nmap, and I'm going to use those tools to just poke everything out there and see what happens.

Dave Bittner: Yeah.

Garrett Bladow: But the challenge here is that IT/OT break again, right?

Dave Bittner: Right.

Garrett Bladow: IT is meant for that resiliency, right? They've built that into their ecosystem. They're expected to be poked all the time.

Dave Bittner: It's a feature.

Garrett Bladow: Yeah. It's a feature, not a bug.

Dave Bittner: Right.

Garrett Bladow: And, you know, the OT systems were built to be closed-loop systems.

Dave Bittner: Right.

Garrett Bladow: Right? And the devices that are out there, they're really good at their job, real-time measurement, sending data out, being as available and reliable as possible. What didn't happen was any encryption, any authentication, any of that sort of stuff. And then, you know, they were built for the use case they were built for, right? Measure these devices. Send those sensor readings back to a thing, right, and keep doing all of these real-time operations, and what happens if they get an interrupt, right? Something coming in from the side that says, hey, tell me your identification. Hey, tell me it again. No, really, tell me it again.

Dave Bittner: Right. Right.

Garrett Bladow: And it's like in one of the examples I have is one of the specific OT protocols, Ethernet Industrial Protocol, Ethernet IP, and it's great. It's got one call. You say, give me your ID. Everything comes back. You get the serial number, the product name, when it was last installed, when it was updated.

Dave Bittner: Right.

Garrett Bladow: You can even get the software that was installed on it and bring it back. The challenge is, you know, if you do that a million times in a row, the darn thing falls right over, because it's trying to do the measurements. It's trying to, you know, grab the stuff from the actuator, and then it's trying to answer your question, and you're just like, bug off.

Dave Bittner: You're like that toddler, like, mom, mom, mom.

Garrett Bladow: Exactly, yeah. And you know, and again, there are programs out there like Nmap or Nessus that people take off the shelf and try that. Not that they're bad technology at all. Heck, they're great for cybersecurity.

Dave Bittner: Right.

Garrett Bladow: But, you know, when you take that and take it off the shelf and just say, you know, beep, bop, boop, do that thing that I've asked you to do in IT, but against OT systems, there's all these unintended consequences because OT is IT plus physics.

Dave Bittner: Right. Can you give us sort of a simplified example of a system that would kind of fall victim to this? You know, what sort of workflow would this apply to?

Garrett Bladow: Right. So, you know, we'll look at oil and gas pipeline, right? A lot of them have these programmatic logic controllers, PLCs, and those devices are taking the measurements from the sensors or maybe they're moving an actuator, right? This is literally like I am opening the pipe. I am shutting the pipe, right? How much pressure is in that pipe? You know, much liquid or whatever is flowing through that pipe, right? All of that is happening, and it's trying to send that data back to some sort of historian or human machine interface, you know, for that control engineer/operator to say my pipeline is green today, right? Everything is working as I intended it to, and, oh, I need to shut that pipe. I'll hit the button. Boop. I can see that that button happened. The pipe shut, right? All of these things are going on in that real time, real-time-automated fashion, right? You know, all of these protocols are running this, and they're intended to be fast, loose, make sure. You know, it's availability, overall, right? That's the only thing that's really emphasized in that world, and now if an attacker should gain access into that environment, right, everyone thought their systems were air gapped. In six years of Dragos doing business and professional services and reviewing architectures and doing incident response, we have found exactly zero air gapped OT systems, right? And it doesn't take a lot of technical expertise to go in there and write a packet because they're mostly UDP, user datagram protocol, right?

Dave Bittner: Right.

Garrett Bladow: Just write one packet on the wire, and that's it. You don't even have to have a session. Poof. Shoot that out. That thing is now off its track and not necessarily, you know, working in the same working state that you have, right? They're all open. They're all read-write. There's not like I can put a lock on it and say stop listening, right? There's no firewalls on them.

Dave Bittner: So help me understand here. They're not built with any sort of adversarial communication in mind?

Garrett Bladow: Not at all, right? Again, this protocol that we're talking -- that I'm emphasizing, Ethernet IP, it was built in 1991, right? Defense in depth was not a concept yet. Another one, Modbus, another protocol that's heavily used in the OT space, was built in 1979, right?

Dave Bittner: Right.

Garrett Bladow: We didn't even know that computers existed half the time, right?

Dave Bittner: Right.

Garrett Bladow: And, you know, these have evolved, and they've always evolved in that context in the OT world of don't worry. No one else has access to the system. It's closed. We'll never, you know, have to worry about an intruder in this system. We control everything, right? And now with the OT-IT convergence that we're seeing across the world, you know, that is not true anymore. The advent of industrial IoT, where I have a 4G LTE, 5G device, you know, it's now controlled wirelessly --

Dave Bittner: Right.

Garrett Bladow: -- and it's sending those same data. So I don't even control the wires that go to it anymore.

Dave Bittner: To what degree is it a challenge to know that the information you're getting back from a remote device is truth, is this ground truth? In other words, this device is telling me that the valve is open, but unless I have someone with eyes on, how do I know the valve is open? I suppose I know the valve is open if the other thing is measuring flow through the pipe, right? Is that generally how it works?

Garrett Bladow: That's typically how it works, yeah. It's a lot of redundancy in these systems --

Dave Bittner: Okay.

Garrett Bladow: -- to kind of, you know, give that control engineer that peace of mind that the system, as a whole, is working as it's intended.

Dave Bittner: I see.

Garrett Bladow: But, again, from an attacker perspective, which is typically where I come at it from, that's one of the biggest impacts that can happen in a control system, right? We call that lack of visibility or lack of control, right? Lack of control is I've lost control of the entire device. Lack of visibility is I can't trust the data that's coming back from that.

Dave Bittner: I see.

Garrett Bladow: And it's very, very easy, from an attacker's perspective, if you're in the system to send the inputs back to something that's reading the console, you know, that the control engineer is looking at and, you know, you can make it look red when it's green or green when it's red, and that includes even the, you know, the readings that are coming from a pressure sensor or that, right? You can fake that funk if you know what you're doing from a protocol level. But again, you know, control engineers don't always look at one component. They always look at the system, and so that's the bigger challenge from an attacker perspective is how do I make everything look like it's supposed to across the entire ecosystem?

Dave Bittner: Yeah. So what are you proposing then? I mean, in your presentation today, it's not just doom and gloom. You've got some solutions in mind, right?

Garrett Bladow: Right. So a lot of it is go to a vendor that knows what they're doing in the OT space, right? One of the things that our technology does is we've actually taken the write capacity out of it. It's only read at this point, right? And so, we are not able to go and change the values within a system and do things, even if an attacker would gain access to the software we're giving, you know, the control engineer. And, you know, a lot of it is really just understand the context of what you're doing. The biggest takeaway, and this is the last slide in my deck, is do not do this on production systems ever.

Dave Bittner: Do not do what on production systems?

Garrett Bladow: Do not do active identification or active, you know, looking for your assets when a system is in production.

Dave Bittner: Okay.

Garrett Bladow: There's always an unintended consequence to what you're doing.

Dave Bittner: Let me push back on you there a little bit. You know, I remember from in a previous career when I was in the digital video world, there was a saying, you know, never update your software in the midst of a project. The challenge was, we're always in the midst of a project. So is this a matter of regular scheduled downtime, those sorts of things?

Garrett Bladow: It is, but that's built into an OT system's lifecycle, right?

Dave Bittner: Yeah.

Garrett Bladow: If you're running a plant, an oil refinery, they're literally shut down for probably two months out of the year for health and safety and maintenance, not just of, you know, the pipe is worn, but it might be, you know, they're replacing pipes. They're replacing this PLC. They're doing all of these different things, and it's built into how they operate an operational technology platform. And so, what we're saying is, that's also the time when you start to do your active testing of the systems to make sure that they're working as you intended, and also, to find that PLC that someone stuck in the rack five years ago that you didn't know.

Dave Bittner: Right. Ultimately, where do you suppose we're headed here with this? I mean, what does the ideal future state look like to you?

Garrett Bladow: The ideal future state that I think we're headed to is that hybrid environment, right? Most of the OT security vendors in this world, they have some sort of sensor product, right, that's out there passively listening to the chatty protocol traffic that's happening. They'll identify assets. They'll make sure that everything is in, you know, quote unquote "normal state," right? And we can introduce an active component to that. Maybe as -- actively, I can send a, you know, give me your identification packet, right? But I don't even have to listen to it. I send that out, the thing -- the device burps out their identification, and my sensor picks that up, and I don't have to even further interrogate that or ask it more questions or even, you know, push its registers to the limit because I can do it with sort of one shot and use the rest of my technology in order to help and facilitate that sort of hybrid environment.

Dave Bittner: All right. Well, I think I have everything I need. Is there anything I missed?

Garrett Bladow: No. Not really. I think, at least for this product or this sort of concept. The one thing that I would like to talk a little bit about is sort of this, the new generations of threat intelligence and making sure that, you know, we're all in this together, right? So a lot of what we're doing is these shared threat intelligence environments and being able and participating in that. The nice thing about a lot of the technology that we've built there is that it is anonymous, right? You can provide anonymous data that's not going to get you in trouble with your regulators, or any of that sort of data, to help in the common defense of these systems. We're already seeing it pay dividends with Dragos's Neighborhood Keeper, but, you know, if there's anything that you can participate in, in that sort of ilk, please, please do. The other part of that common defense is common action. One example that I really like to push is it's an electric utility concept of like the old lineman, right? The lineman in the truck, if there's a hurricane in Louisiana, North Dakota is going to roll truck down and help those people to bring back power in that environment, right? We're not busy. You know, it's spring here, right?

Dave Bittner: Right.

Garrett Bladow: Ice storm hits us in North Dakota, there's that mutual assurance where Louisiana is going to roll truck, come back up into North Dakota. What we're starting to see is that same concept being applied in the cyber environment, where there may be a large investor-owned utility that has the money to have an IT SOC, an OT SOC, you know, intel analyst sources, right, all of these things that come with actually being able to invest in your cybersecurity program. Or you might be that co-op that's out in McKenzie County, North Dakota, where you run the IT, the OT, and you mow the lawn on Saturday, all right? And this thing blips across your screen and you have no idea what it does, right? What we're trying to do in this mutual assurance is being able to click a button and say, help me. And having that investor-owned utility maybe in, you know, a different region in the United States, bring their expertise. Help that person get the data they need, and then at the end, they all press a button, right, and everyone goes back to being anonymous. That's one of those things that we're really trying to push for common defense here at Dragos.

Dave Bittner: Our thanks to Garrett Bladow from Dragos for joining us. [ Music ] And that's "Control Loop," brought to you by N2K CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Our Dragos producers are Joanne Rasch, Mark Urban, and Montserrat Thomason. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]