- The U.S. government on Thursday issued a cybersecurity alert to operators of critical infrastructure, outlining "immediate actions" that should be taken during a "time of heightened tensions" to avoid being compromised by a cyberattack.
- Recommendations include disconnecting from the internet any operational systems that do not need connectivity for safe and reliable operations, and planning for "continued manual process operations" should the industrial control systems (ICS) become unavailable or need to be deactivated due to hostile takeover.
- Security experts say it is significant that the National Security Agency (NSA) joined the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) on the alert, and that the alert was not related to a specific incident. The warning could be a nod to tensions with several adversaries of the United States, they said, including Russia, China and Iran.
The utility sector has become accustomed to a daily barrage of hacking and phishing attempts, but experts say the new alert from the U.S. intelligence community may signal a more concentrated threat to ICS.
"If the NSA is coming out of the shadows to speak up in a joint alert with CISA, you want to listen and take action," Evan Dornbush, CEO and founder of Point3 Security, said in a statement.
According to the alert, older operational technology that was not designed with security in mind, combined with new systems that can help hackers identify internet-connected ICS, are creating a "perfect storm" of easy access to unsecured assets and "an extensive list of exploits."
"Civilian infrastructure makes attractive targets for foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression," the alert said. While the utility sector was not specifically mentioned, the alert does reference a 2015 cyberattack in Ukraine that caused more than 200,000 people to lose power.
"Although I am not aware firsthand of any significant increase in attacks targeting utilities, the fact that the US [Computer Emergency Readiness Team] released that briefing at a strategic level, without any specific indicators of compromise, heavily implies that there is a rise in these attacks and that multiple groups are targeting industrial control systems," Bill Swearingen, a cyber strategist at IronNet Cybersecurity, told Utility Dive in an email. "This is a 'trend attack' that we'll likely continue to see."
The alert's recommendations focused on the need for critical infrastructure providers to: have a resilience plan for operational technology systems; exercise an incident response plan; undertake network hardening activities; and implement a "continuous and vigilant" system monitoring program.
The advisory "is particularly interesting because it appears to be tied to ongoing campaigns targeting industrial control systems," Phil Neray, vice president of internet of things and industrial cybersecurity at security firm CyberX, said in an email.
The alert also "explicitly mentions the need for organizations to protect against sophisticated living-off-the-land tactics such as modifying the control logic in process controllers," said Neray, "which is exactly what we saw in the Triton attack."
The Triton attack is a reference to malware used in 2017 to breach the safety systems of a petrochemical plant in Saudi Arabia. More recently, there have been reports that the perpetrators of that attack have been scanning the U.S. power grid for vulnerabilities.
"Cyber campaigns are an ideal way for nation-states to apply pressure on the global stage, because they offer the advantage of plausible deniability plus the rules of engagement are undefined," Neray said.
The alert warned of attacks "at this time of heightened tensions." That could mean tensions with several nations, said Jamil Jaffer, senior vice president of strategy, partnerships and corporate development at IronNet.
"We know the Russians have sought and gained sustained access to American critical infrastructure, and we know the Iranians have tried also," Jaffer said in an email. "Given all this, while it's not clear what specific heightened tensions the alert is referring to, certainly there are plenty of potential challenges globally at this time.
The U.S. government has alleged Russian hackers targeted COVID research facilities and also indicted Chinese nationals for a hacking campaign that includes intellectual property theft. "We are publicly naming and shaming these countries for COVID[-19] research attacks as well, and so this could be a nod to that," Swearingen added.
CLARIFICATION: A previous version of this story did not give Jamil Jaffer's full title. He is senior vice president of strategy, partnerships and corporate development at IronNet.