Most OT systems include legacy equipment not designed to be connected to the internet nor defend against malicious cyberactivities. This is particularly worrying because more and more utilities, petrochemical installations, factories and so on are remotely managed. Hence, several activities are executed over the web using an IT network to connect to the OT side, enabling monitoring, instrumentation and control, OT asset management/maintenance, and in some cases, process operations and maintenance. An interesting, and even more troublesome point, is that this happens not only in the civilian but even in the military world.
The catastrophic impacts of this situation are pointed out in a recent joint advisory by the U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA). According to this advisory, “Over recent months, cyber-actors have demonstrated their continued willingness to conduct malicious cyber-activity against critical infrastructure (CI) by exploiting internet-accessible
operational technology (OT) assets”. “Due to the increase in adversary capabilities and activity, the criticality to U.S. national security and way of life and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression”. NSA and CISA also warned that “Combined with readily available information that identifies OT assets connected via the internet (e.g.: Shodan, Kamerka), are creating a ‘perfect storm’ of easy access to unsecured assets, use of common, open-source information about devices, and an extensive list of exploits deployable via common exploit frameworks,”
The NSA/CISA advisory points out that several cyberattack attempts have been observed in the wild. The attackers goals include: Deploy of commodity ransomware on both IT and OT networks; communicate with controllers and downloading modified control logic; use vendor engineering software and program downloads; and modify control logic and parameters on programmable logic controllers (PLCs) that monitor and control physical processes in industrial environments.
Impacts of the attacks include shutting down an OT network, a partial loss of view for human operators, lost productivity and revenue, or, in the worst-case scenario, adversary control and disruption of a complete industrial plant. According to the advisor, the attackers adopt spearphishing to obtain initial access to the organization’s IT network, before escalating their privileges to the OT network. The critical point here is that an attack that is successful against an industrial plan can easily be replicated against the control system of a ship, of a pipeline or a drone. The most dangerous attacks drop some malware in the OT network to be activated when needed. The integration of ICT and OT is a powerful and flexible technology and this is simultaneously the reason of its success and of the huge impacts of malicious attacks. If you now how to attack the PLC that open/close a valve you can attack a civil engine, a military engine, a pipeline and a gas distribution system because they all use the same PLC.
To throw some oil on the fire, WIRED reports that, according to an FBI notification sent to victims of the breaches in May, a Russia’s GRU military intelligence agency has carried out many of the most aggressive acts of hacking in history including the hacking-and-leaking operation to influence the outcome of the 2016 US presidential election. Now GRU has been hitting US networks again, in several previously unreported intrusions that targeted government agencies and critical infrastructures.
This broad hacking campaign against US targets has been implemented since December 2018 until at least May 2020, by the hacker group known as APT28 or Fancy Bear. The FBI warns that Fancy Bear primarily attempted to break into mail servers and VPN servers but it has also targeted the US energy sector according to some technical details in the notice. This is even more troubling because usually the GRU group hacking critical infrastructures was Sandworm. This is the group that planted malware on the networks of US electric utilities in 2014 and was behind the first blackouts due to cyberattacks in Ukraine in 2015 and 2016. Maybe the two groups are joining their efforts or new group is born.
Links
https://threatpost.com/nsa-urgent-warning-industrial-cyberattacks-triconex/157723/
https://arstechnica.com/information-technology/2020/07/russias-gru-hackers-hit-us-government-and-energy-targets/
