- Citing "heightened tensions" between the two nations, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned of the potential for Chinese cyberattacks and recommended owners of critical infrastructure, including the power sector, "disable unnecessary ports, protocols, and services" to limit the threat.
- The CISA alert regarding possible state-sponsored attacks is "what the cybersecurity community has been warning about for some time," said Marty Edwards, vice president of operational technology (OT) security for Tenable. COVID-19 has increased the threat, he said, as more employees work from home and the country's reliance on critical infrastructure "has gone into hyperdrive."
- CISA's warning and recommended mitigation measures align with a new staff report from the Federal Energy Regulatory Commission, which called for owners and operators of bulk-power system equipment to improve their compliance with mandatory Critical Infrastructure Protection (CIP) reliability standards "as well as their overall cybersecurity posture."
According to CISA, China "has a history of using national military and economic resources to leverage offensive cyber tactics in pursuing its national interests." The agency warned that attacks could target industries considered critical to U.S. national and economic interests, including: new energy vehicles, power equipment, next generation information technology (IT), biotechnology, robotics, financial services, defense and other sectors.
CISA said the U.S. intelligence community has identified the Chinese People’s Liberation Army and Ministry of State Security "as driving forces behind Chinese state-sponsored cyberattacks–either through contractors in the Chinese private sector or by the PLA and MSS entities themselves."
"This is what we’ve been warned about," said Edwards, who also served as director of the government's Industrial Control Systems Cyber Emergency Response Team under President Obama. "For years, we've seen steady momentum of new, targeted attacks against the U.S. that seek to compromise the systems we rely on to function as a modern society. ... This dependence is extremely lucrative to cybercriminals looking to wreak havoc."
CISA's alert contained several recommended mitigation measures, including for critical infrastructure managers to patch systems and equipment promptly and to enhance monitoring of network and email traffic. The recommendations also called for disabling access to critical systems when feasible.
"Review network security device logs and determine whether to shut off unnecessary ports and protocols," CISA said. "Monitor common ports and protocols for [command and control] activity. Turn off or disable any unnecessary services or functionality within devices."
Utilities can implement a "least-privilege model for critical assets relatively quickly that locks down communications to only necessary ports for authorized devices and users," said Rick Moy, vice president of sales and marketing at cybersecurity firm Tempered.
Along with preventing hackers from breaching systems, Moy said network segmentation is key to containing the spread and impact of any malware or adversary that does get into a utility's system. The segmentation approach also acts effectively as virtual patching of commonly used exploit techniques, he said, "which is a faster way to mitigate broad swaths of remote access vulnerabilities.
FERC report finds 'potential compliance infractions'
FERC's new staff report includes recommendations for bulk-power system operators to better secure the grid, including for critical infrastructure owners to ensure that all cyber assets are properly identified and that all substation cyber systems are properly categorized as high, medium, or low impact.
The annual report is based on lessons learned from non-public CIP audits of registered entities and in addition to assessing compliance includes recommendations regarding voluntary cybersecurity practices.
In performing the audits, FERC staff said they found most of the cybersecurity protection procedures adopted by registered entities "met the mandatory requirements" of the CIP standards. "However, there were also potential compliance infractions found. Additionally, staff observed practices that could improve security, but are not required by the CIP Reliability Standards," the report concluded.
The report's recommendations include inspecting all physical security perimeters periodically, ensuring that backup and recovery procedures are updated in a timely manner, and regularly evaluating the security controls implemented by third parties.
Utility infrastructure is not necessarily more vulnerable than any other critical system, but they may be targeted more often, said Katie Teitler, senior analyst at TAG Cyber.
Utilities are "great targets of opportunity for threat actors because the resulting damage is widespread and public," Teitler said in an email. "If you're a malicious actor and you want the world to know you've succeeded in a cyber attack, shut down the power to millions of people."
But protecting OT environments "does come with different challenges" than protecting IT, Teitler said.
SCADA systems that control large parts of utilities' infrastructure "are often legacy, with vulnerabilities that haven't been patched or can't be patched easily," Teitler said. Also, the growing number of wireless devices connected to utilities' networks "increases and expands the network attack surface, making it hard for utilities to manage."
Firmware vulnerabilities are also harder to identify and fix than software vulnerabilities, especially with critical infrastructure where downtime is often not an option, she said.
Teitler said CISA's recommendation to disable unnecessary ports, protocols, and services "is obviously a step in the right direction," but she also said utilities need to look at OT-specific cyber security monitoring and management technologies that identify system anomalies, stop lateral movement when an attacker reaches the internal network, and prevents network changes and installation of malware.
"This means network analysis, intrusion detection, vulnerability scanning and remediation, and all the other things that have become foundational in IT security," Teitler said.