The CyberWire Daily Podcast 10.15.21
Ep 1439 | 10.15.21

CISA and its partners warn of threats to water and wastewater treatment facilities. The curious case of Missouri teachers’ Social Security Numbers.

Transcript

Dave Bittner: A CISA-issued Joint Advisory warns of threats and vulnerabilities at water and wastewater treatment facilities. CISA issues 22 other industrial control system advisories. Andrea Little Limbago from Interos on trends in the human element of security. Our guest is Gidi Cohen from Skybox with Vulnerability and Threat Trends. And the governor of Missouri intends to prosecute the Saint Louis Post-Dispatch to the fullest extent of whatever the law turns out to be.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Friday, October 15, 2021. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency - that's CISA - yesterday published a joint advisory warning of ongoing malicious activity by both known and unknown actors directed against water and wastewater treatment facilities. The advisory, issued in conjunction with the FBI, NSA and EPA, emphasizes the threat of spearphishing as well as exploitation of outdated operating systems and vulnerable control system firmware. 

Dave Bittner: The advisory, while noting that the water and wastewater sector hasn’t seen a higher rate of attacks than other critical infrastructure sectors, takes note of five incidents at water facilities since March of 2019. Quote, "In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition - that's SCADA - servers displayed a ransomware message. In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds. In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the system's SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system. In September 2020, personnel at a New Jersey-based WWS facility discovered potential Makop ransomware had compromised files within their system. In March 2019, a former employee at Kansas-based WWS facility unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer." 

Dave Bittner: So, in total, four ransomware attacks and one insider threat case. 

Dave Bittner: Control systems have been in the news elsewhere this week. CISA yesterday released more than 20 industrial control system advisories. Operators would do well to take a serious look at them. 

Dave Bittner: Finally, in a long and odd story, Missouri Governor Mike Parson has denounced the Saint Louis Post-Dispatch for what he characterized as the newspaper's hacking of the Department of Elementary and Secondary Education, DESE. The Post-Dispatch had found some teachers' Social Security Numbers coded into the html of a publicly accessible DESE website where citizens could check teachers' credentials. The paper informed DESE, waited until DESE had taken the information down, and then published its story. At a press conference yesterday, Governor Parson described the offending incident. 

Mike Parson: As many of you are aware, on October the 12, the Department of Elementary and Secondary Education, DESE, was made aware of a vulnerable on one of its websites storing personal information of Missouri teachers. Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code and viewed the Social Security number of those specific educators. 

Dave Bittner: He went on to say that he was referring the hacker, that is, the Post-Dispatch reporter, to the Cole County prosecutor for alleged violations of Missouri laws that prohibit tampering with computer data. 

Mike Parson: My administration has notified the Cole County prosecutor of this matter. The Missouri State Highway Patrol's digital forensic unit will also be conducting an investigation of all of those involved. 

Dave Bittner: Governor Parson added that dealing with the incident could cost the citizens of Missouri $50 million. 

Mike Parson: The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so in accordance with what Missouri law allows and requires. A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. 

Dave Bittner: What motivated the Post-Dispatch to do what it did? They were engaged in a political hatchet job, the governor says. 

Mike Parson: This individual is not a victim. They were acting against a state agency to compromise teachers' personal information in an attempt to embarrass the state and sell headlines for their news outlet. 

Dave Bittner: KMBC9 has made the governor's press conference available on the station's website, where you can listen to it and watch it in its entirety. Governor Parson has since doubled down via Twitter, claiming that the Post-Dispatch story places them on the wrong side of tampering with computer data, which is a Class A misdemeanor unless the tampering involves theft of $750 or more, in which case it becomes a Class E felony. 

Dave Bittner: The governor's tweet also points out that tampering with computer data, computer equipment or computer users is a civil tort. It's difficult to see why the governor believes a crime has been committed or even why the Post-Dispatch is reporting involved what might be seen as hacking. After all, the reporters simply inspected the site's HTML, and the paper responsibly disclosed what they found there to the responsible state office. 

Dave Bittner: The governor's Twitter thread insists that there's more going on than just that. As the governor or his writers put it, quote, "We want to be clear this DISA hack was more than a simple right click. The facts - an individual accessed source code and then went a step further to convert and decode that data in order to obtain Missouri teachers' personal information. This data was not freely available, and by the actor's own admission, the data had to be taken through eight separate steps in order to generate a Social Security number." 

Dave Bittner: Sic, as the editors say. No one commenting in the Twitter thread seems to have any idea of what those eight separate steps might have been. And the Post-Dispatch's story doesn't include any admission that we could find. Most of those covering or reacting to the governor's press conference aren't buying it. See Ars Technica for a representative discussion. Our staff has reached out to the governor's office for clarification. We'll let you know if we hear back from them. 

Dave Bittner: The team at Skybox Security recently published a report tracking trends in operational technology vulnerabilities. It's probably not surprising that OT threats are on the rise. Gidi Cohen is CEO of Skybox, and he joins us with highlights from their report. 

Gidi Cohen: So there are a lot of very, very important trends, but I would probably focus on a few important ones. One is what you call a threat debt. At the end of the day, organizations with their complex IT infrastructure - it can be cloud, virtual, physical environment - it is growing in its complex and exponential way. Organizations are accumulating sometimes hundreds of thousands or sometimes millions of vulnerabilities or unpatched systems that actually put organization at high risk. And this accumulation of what we call, again, threat debt is just growing over time. And with the acceleration of a number of vulnerabilities, acceleration of the level of exploitation, the number of vulnerabilities exploiting the world, ransomware attacks and other type of threat vectors, it seems organizations need to start taking vulnerability measure, right? Managing this exposure in much more serious ways than before. So I would say that this is probably the most glaring insight of trends we see over the last few years just intensifying in 2021. 

Dave Bittner: Was there anything in the data that you gathered that was surprising, anything that wasn't expected? 

Gidi Cohen: I would say that the - what seems to be one of the more interesting trends and more dangerous trends is actually to a subset of the vulnerabilities that we are tracking on OT, operational technology, environments that are looking at the technology used by health care facilities, by utilities, energy producers, manufacturing lines - right? - supply chain-related vulnerabilities. And they - there's a specific acceleration in number of exposures, number of vulnerabilities being found in those environments. So as our report showed, about 46% year-over-year growth of the number of new vulnerabilities reported on those environments is actually a very scary number because it accumulates fast, and in a lot of those environments, there's not an easy fix or easy remediation to those type of exposures. 

Dave Bittner: So what are your recommendations, then, based on the information that you've gathered here? What sort of tips do you have for security professionals? 

Gidi Cohen: I would say, first of all, take vulnerability management much more seriously than before. I mean, the concept of scanning and finding vulnerability, that's 25 years ago - right? - mid-'90s. And organizations since - ever since are scanning and getting more and more piles of reports that they're not doing anything about. Why? Because it's complex. It requires a lot of collaboration, requires a lot of work into additional approaches to try to fix everything, resulting in fixing nothing, or fixing everything but way too late in terms of exposure. So we believe that probably the best investment an organization can make in actually tightening down their cyber risk is putting a vulnerability measure program together, which will provide visibility, prioritization, track and drive remediation in a much more surgical and intelligent way, such that an organization could - does not need to sweat every time there's a new vulnerability, as they can focus on what's critical, where they're most - you know, where they're the most exposed and, therefore, if they fix or mitigate those vulnerabilities where they have the biggest return on investment in risk reduction. So basically, putting a real vulnerability measurement program in place with commitment to execute on its finding on an ongoing basis. 

Dave Bittner: That's Gidi Cohen from Skybox. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for "Interview Selects," where you get access to this and many more extended interviews. 

Dave Bittner: And I'm pleased to be joined once again by Andrea Little Limbago. She is vice president of research and analysis at Interos. Andrea, it's always great to have you back. You know, we often talk about all of the ones and zeros and the electronic stuff, and I know on the research side of the house, that's something that you are obligated to deal with a lot yourself. 

(LAUGHTER) 

Dave Bittner: But there is a human side to this, and that's really important as well, yes? 

Andrea Little Limbago: No, absolutely. And this is something that - you know, we saw RSA a few years ago highlight the human element as their core theme. And it is something that we're increasingly seeing integrated, which is great - you know, better late than never is sort of how I look at it. But at the same time, we still have a long ways to go. So there are some interesting aspects that we're starting to see. You know, we're finally, I think, as an industry moving a bit away from the notion of the - you know, the human is the weakest link and just sort of relying on that is just the truth but then just kind of taking that as it is and not thinking about, well, what can we do about that? And so, you know, I feel like it's almost been, like, a copout that's been used to explain why we're not, you know, evolving our technology and be able to point at the human instead of the technology as being what's, you know, fallible. And so while certainly, you know, humans make errors, but at the end of the day, that is something we need to take account of and then build systems that know that these kind of errors, know these kind of behaviors are what humans do and build the technology to take that into account and build the defenses accordingly. 

Dave Bittner: Yeah, I think that's a really fascinating aspect, you know, this notion of using the human element as an excuse. You know, I think it's still important to have guardrails on things. You know, high walkways have railings, right? 

Andrea Little Limbago: (Laughter) That's right. Don't drink a hot coffee 'cause it's going to tell you how hot it is. 

Dave Bittner: Right, right. 

Andrea Little Limbago: (Laughter) Which might have been going too far. But yeah, I mean, absolutely. And that's where we are seeing, you know, it change away from that. And part of it, I do think, is that we are bringing some more disciplines into the, you know, cybersecurity infosec community, which is great. And then, you know, those folks that have been in the community and helping it grow for a long time are really evolving, you know, what they are doing as far as, you know, perhaps integrating usability, for instance, user experience as part of the software that's being built for security. And that's something that is so essential. I mean, we've seen usability and user experience be such a big deal on the tech side. It's how everything from, you know, using your finances more simply to every aspect of your life to calling a taxi. But security was kind of a bit behind on that, but that is changing. We really are starting to see a larger drive, towards, you know, design and usability, both then everything from, you know, how we're training, falls into areas of, you know, gamification for training, as opposed to just having us click through PowerPoint slides and assuming everyone's going to actually be reading those... 

Dave Bittner: Right, right. 

Andrea Little Limbago: ...And (laughter) listening to them. So there's a lot of elements going on there. We're leveraging where technology still matters, but technology becomes part of the solution to help humans understand and help, you know, inform human behavior and to build those guardrails in there, as well. 

Dave Bittner: Are you optimistic that we'll be able to move past this mode of kind of finger pointing at each other and, you know, each side blaming the other for the security breaches? 

Andrea Little Limbago: You know, I actually am. And I think in many ways, there are days where it's very hard to be optimistic within, you know, information security just with a constant barrage. But this is an area where I am. I do see, you know, whether it's at conferences and looking at how they're - you know, they have tracks for the human element now, looking at really some of the technical talks that still are very, very technical, but they also, you know, integrate, you know, social science and technical aspects from other fields, as well, to, you know, really help lead to greater innovation. And there's just, I think, a growing demand for that, both on, you know, the consumer side for wanting just easier tools and easier ways to figure it out and frustration, as well. I mean, you can just think about, you know, how hard it used to be to find some of the privacy tools in our phones. And some of that still is hidden. But, you know, it is starting to become, you know, almost a competitive advantage by some of the big tech companies, basically saying that they provide privacy better than you, and here's how easy it is for you. And so when the market pressures start pushing it, I think that is a good sign for us. 

Dave Bittner: Yeah, absolutely. All right. Well, Andrea, Little Limbago, thanks for joining us. 

Andrea Little Limbago: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Michael DeBolt from Intel 471. We're discussing their research "How Groove Gang is Shaking Up the Ransomware-As-A-Service Market to Empower Affiliates." That's Research Saturday. Do check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing cyber wired team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.