At a glance.
- Responses to the Aliquippa water authority attack.
- Dragos offers perspective on water utility cyber incidents.
- Predatory Sparrow disrupts Iran’s gas stations.
- An analysis of cyberattacks against Danish energy infrastructure.
- Chinese operators intrude into infrastructure.
- Vulnerability in Bosch thermostats.
- Energy Department offers $70 million in funding for cybersecurity research.
- MITRE launches a threat model for critical infrastructure embedded devices.
- US Department of Homeland Security’s Annual Threat Assessment.
- Cyber phases of hybrid wars spread beyond the theaters of operation.
- Supply chain vulnerabilities in the electrical sector.
- CISA ICS advisories.
Responses to the Aliquippa water authority attack.
The Associated Press outlines State and Federal responses to the suspected Iranian attack against the Aliquippa water authority in western Pennsylvania. The Environmental Protection Agency withdrew a proposed cybersecurity auditing rule in October after it was challenged by Arkansas, Missouri, and Iowa. Several other bills are tied up in Congress. The AP explains, “One bill would roll out a tiered approach to regulation: more requirements for bigger or more complex water utilities. The other is an amendment to Farm Bill legislation to send federal employees called ‘circuit riders’ into the field to help smaller and rural water systems detect cybersecurity weaknesses and address them.” States are also applying for grants from a $1 billion federal cybersecurity program provided by a 2021 federal infrastructure law.
Meanwhile, Dragos is offering free access to its online support and vulnerability detection software to water and electric utilities that bring in under $100 million in revenue.
Dragos offers perspective on water utility cyber incidents.
To be sure, recent incursions by Iran's CyberAv3ngers into US and European municipal water systems represent a threat to industrial controls, but that may not have been the point of these most recent attacks. The control systems hit were Israeli-made, and Dragos thinks the point being made was political and persuasive, and that the incidents didn't immediately represent a serious attempt at physical disruption. "The #CyberAv3ngers hacktivist group activity targeting critical utilities in the US/Europe is less about making an impact on OT, and more about driving geopolitical agendas," Dragos tweeted at the end of December.
Thus there can be a fine line between sabotage and influence operations.
Predatory Sparrow disrupts Iran’s gas stations.
Iran itself hasn’t been immune to cyber attacks affecting control systems.
On December 18th, about seventy percent of Iran's gasoline stations went out of operation due to what Iranian media at first described as a “software problem,” the AP reports. Reuters subsequently reported that Iran's Oil Minister Javad Owji attributed the outages to a cyberattack. Iranian media attributed the attack to Predatory Sparrow, a group Iran attributes to Israel (and about which Israel had no comment). Predatory Sparrow itself said in its Telegram channel, “This cyberattack comes in response to the aggression of the Islamic Republic and its proxies in the region.”
The disruptions appear to have affected gas station point-of-sale systems, the Times of Israel reports. Predatory Sparrow claims to have accessed “the payment systems of the impacted gas stations, as well as each station’s central server and management system."
An analysis of cyberattacks against Danish energy infrastructure.
Forescout has published an analysis of two waves of cyberattacks that hit Denmark's energy sector in May 2023. While the Danish CERT for critical infrastructure, SektorCERT, attributes the incidents to Russia's Sandworm threat actor, Forescout thinks the evidence for this is lacking. The researchers write, "Evidence suggests that the two waves of attacks on Danish infrastructure reported by SektorCERT were unrelated. It also suggests that the second wave was simply part of a mass exploitation campaign against unpatched firewalls, not part of a targeted attack by Sandworm or another state-sponsored actor. Our data reveals that the campaign described as the 'second wave' of attacks on Denmark, started before, and continued after, the period reported by SektorCERT, targeting firewalls indiscriminately in a very similar manner, only changing staging servers periodically. We see a prevalence of exploitation attempts in Europe, where nearly 80% of publicly identifiable and potentially vulnerable firewalls are located."
Chinese operators intrude into infrastructure.
In what appears to be a staging and battlespace preparation effort, China's People's Liberation Army cyber operators have intruded into infrastructure in several countries, with, the Washington Post reports, special attention to the United States. The incursions, US officials say, are "part of a broader effort to develop ways to sow panic and chaos or snarl logistics in the event of a U.S.-China conflict in the Pacific." The staging forms part of the ongoing Volt Typhoon campaign. The latest US disclosures build on February's annual assessment by the Office of the Director of National Intelligence.
The Post quotes CISA Executive Director Brandon Wales as saying, “It is very clear that Chinese attempts to compromise critical infrastructure are in part to pre-position themselves to be able to disrupt or destroy that critical infrastructure in the event of a conflict, to either prevent the United States from being able to project power into Asia or to cause societal chaos inside the United States — to affect our decision-making around a crisis. That is a significant change from Chinese cyber activity from seven to 10 years ago that was focused primarily on political and economic espionage.”
Vulnerability in Bosch thermostats.
Bitdefender has identified a high-severity vulnerability in Bosch smart thermostats that can allow attackers to send commands to the thermostat and replace its firmware. The flaw is in the unit’s Wi-Fi microcontroller, which acts as a network gateway for the thermostat’s logic microcontroller. The vulnerability enables malicious commands to be sent to the thermostat, indistinguishable from legitimate cloud server commands.
Energy Department offers $70 million in funding for cybersecurity research.
The US Energy Department’s Office of Cybersecurity, Energy Security, and Emergency Response is offering $70 million in funding to “support research into technologies designed to increase resilience and reduce risks to energy delivery infrastructure from a variety of hazards, including cyber and physical threats, natural disasters, and climate-change fueled extreme weather events.” The DOE adds, “This new competitive funding opportunity will be available to public and private sector stakeholders, universities, and DOE’s National Laboratories and will help advance next-generation innovations that strengthen the resilience of America’s energy systems, which include the power grid, electric utilities, pipelines, and renewable energy generation sources like wind or solar.”
MITRE launches a threat model for critical infrastructure embedded devices.
MITRE, in collaboration with Red Balloon Security and Narf, has announced a new threat model framework called “EMB3D,” designed to provide “a common understanding of the threats posed to embedded devices and the security mechanisms required to mitigate them.” MITRE explains, “EMB3D provides a cultivated knowledge base of cyber threats to devices, including those observed in the field environment or demonstrated through proofs-of-concept and/or theoretic research. These threats are mapped to device properties to help users develop and tailor accurate threat models for specific embedded devices.”
The organization adds, “For each threat, suggested mitigations are exclusively focused on technical mechanisms that device vendors should implement to protect against the given threat, with the goal of building security into the device. EMB3D is intended to offer a comprehensive framework for the entire security ecosystem—device vendors, manufacturers, asset owners, security researchers, and testing organizations.”
The threat framework is currently in a pre-release review period and is expected to be released in early 2024.
US Department of Homeland Security’s Annual Threat Assessment.
The US Department of Homeland Security last week released its Annual Threat Assessment for 2024, predicting that “[d]omestic and foreign adversaries likely will continue to threaten the integrity of US critical infrastructure—including the transportation sector—over the next year, in part because they perceive targeting these sectors would have cascading impacts on US industries and the American way of life.”
The DHS notes an increase in racially motivated domestic violent extremists calling for physical attacks against the energy sector. Foreign adversaries, meanwhile, are seeking “to develop or improve existing capabilities that can disrupt industrial control systems that support US energy, transportation, healthcare, and election sectors.”
The report also draws particular attention to three areas of Russian activity against the US that are expected to emanate from Russia's war against Ukraine: influence operations, privateering by cyber criminals and disruption by hacktivist auxiliaries, and cyberespionage by intelligence services. Iran and China are also prominently mentioned among the cyber threats expected to be active against the US this year. Much of Iran's activity can be expected to be connected to the war between Hamas and Israel. China represents a major continuing threat. Tensions over Taiwan are expected to continue and probably increase, but most of China's activity in cyberspace will in all likelihood be directed toward long-term political and (especially) economic competition with the US and other rivals.
Cyber phases of hybrid wars spread beyond the theaters of operation.
Russia's war in Ukraine has been a hybrid war, as has the war between Hamas and Israel initiated by Hamas's October 7th terror attacks, with significant action in cyberspace in both cases. CSO has an essay describing this "spillover" and how security teams should prepare for it. The essay argues that public and private sector organizations are both likely to become targets of cyberattacks mounted as contributions to such wars, and that security teams should recognize this risk, understand that the risk is unlikely to be catastrophic, and apply sound risk management practices to deal with it. "[C]ybersecurity teams must persistently simulate and collaborate with information sharing geared toward an adaptive defense posture that consistently tailors and re-tailors internal practices toward shifting geopolitical conditions."
Supply chain vulnerabilities in the electrical sector.
There are also possibilities of latent threats in the software supply chain used by industrial control systems. A report from Fortress has found that 90% of software used to manage the US power grid contains code contributions from Russian or Chinese developers. Additionally, the researchers found that “software with contributions from Russian or Chinese developers is 2.25 times more likely to have vulnerabilities and three times more likely to have critical vulnerabilities.” Fortress notes that there’s no evidence that these code contributions were part of a state-sanctioned effort: “Fortress experts see a clear correlation between the increased vulnerabilities in some contributions and the country of origin but cannot yet establish if the country of origin is the cause of the higher number.”
This isn’t direct evidence of supply chain corruption, but it suggests a risk that prudent operators might well seek to manage.
CISA ICS advisories.
The US Cybersecurity and Infrastructure Security Agency (CISA) last week issued nine ICS advisories for vulnerabilities affecting equipment from Rapid Software, Horner Automation, Schneider Electric, and Siemens.