Dumb Devices/Smart Adversaries – Real Threats in Critical Infrastructure

Adam Sewall

The rapid advancement of technology has brought about numerous benefits and conveniences to our lives.

However, it has also opened up new avenues for malicious actors to target critical infrastructure systems. In recent years, the number and complexity of cybersecurity threats targeting critical infrastructure have risen at an alarming pace. Hacktivists, insider threats, and foreign adversaries pose significant risks to our critical systems. The consequences of a successful cyberattack on critical infrastructure could be catastrophic, leading to widespread disruption and potentially endangering human lives. In fact, there have been actual cyber-kinetic events, in which a cyberattack caused a kinetic or physical event to occur. The Stuxnet worm, as well as attacks on the Ukraine power grid and Russian gas pipelines, are well-known examples [1]. Therefore, it is crucial for cybersecurity professionals to stay ahead of these threats and develop effective strategies to mitigate them.

Understanding the Threat Landscape

Critical infrastructure, such as Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS), are the backbone of our modern society. These systems are responsible for the operation of essential services, including power grids, water treatment facilities, transportation networks, and more. However, as these systems become increasingly interconnected and reliant on the Internet of Things (IoT), they also become more vulnerable to cyberattacks. The expanding attack surface presents a significant challenge for cybersecurity professionals who must find ways to protect a diverse range of devices and systems, each with its own unique vulnerabilities.

One of the primary reasons for the expanding vulnerabilities in critical systems is the lack of standardized security protocols and practices. Many critical infrastructure systems were designed and implemented before the advent of modern cybersecurity threats. As a result, they often lack essential security features and are not equipped to handle sophisticated attacks. Furthermore, the integration of legacy systems with new technologies creates compatibility issues that can be exploited by malicious actors. To compound the problem, the long lifespan of critical infrastructure systems means that they may remain in operation for many years, further increasing their vulnerability to emerging cyber threats.

Given the dire consequences of a successful cyberattack on critical infrastructure, there is an urgent need for comprehensive risk assessment and mitigation strategies. Cybersecurity professionals must be proactive in identifying potential vulnerabilities and developing strategies to mitigate them. This involves assessing the threat landscape, understanding the specific risks faced by critical infrastructure systems, and implementing appropriate security measures.

A crucial component of risk assessment is understanding the evolving threat landscape. Hacktivists, who seek to promote their ideological or political agendas, present one category of threat. Their attacks may range from simple defacement of websites to more sophisticated attempts to disrupt critical services.

Insider threats also pose a significant risk, as individuals with privileged access to critical systems may intentionally or unintentionally compromise their security. Additionally, foreign adversaries conducting cyber espionage or sabotage activities present an ever-increasing menace. It is essential for cybersecurity professionals to remain vigilant and adapt their defenses to counter these diverse threats.

Mitigating the risks to critical infrastructure requires a comprehensive approach that leverages a combination of people, tools, and processes. Passive scanning, for example, helps identify vulnerabilities without disrupting critical operations, allowing for a more thorough risk assessment. Reporting mechanisms should be established to facilitate the timely communication of potential threats and vulnerabilities to relevant stakeholders. It is also crucial to develop and enforce robust security policies that align with industry best practices. Regular security audits and assessments should be conducted to ensure compliance with these policies and identify any gaps in the existing defense mechanisms.

Furthermore, cybersecurity professionals should leverage the latest tools and technologies to enhance the protection of critical infrastructure systems. Intrusion detection and prevention systems, firewalls, and encryption techniques can provide an additional layer of defense against cyber threats. Continuous monitoring of critical systems can help detect any unusual activities or anomalies that may indicate a potential breach. Additionally, the implementation of secure coding practices and regular software updates can mitigate the risk of exploiting known vulnerabilities.

To illustrate the importance of risk assessment and mitigation, this paper will provide real-world use cases of attacks on SCADA, ICS, and other critical infrastructure systems. By examining these cases, cybersecurity professionals can gain valuable insights into the tactics and techniques employed by malicious actors. The paper will also highlight successful defensive measures taken in response to these attacks, allowing readers to understand how to effectively protect critical infrastructure.

In conclusion, the rising cybersecurity threats to critical infrastructure necessitate a proactive approach to risk assessment and mitigation. This paper aims to educate cybersecurity professionals on the risks and processes involved in protecting critical infrastructure from cyber threats. By raising awareness of SCADA, ICS, and Operational Technology (OT) threats, sharing best practices, and providing real-world examples, we can empower cybersecurity professionals to develop effective strategies and ensure the security of critical infrastructure systems now and in the future.

Rising Cybersecurity Threats to Critical Infrastructure

In today's interconnected world, the threats to critical infrastructure are mounting at an alarming pace. From power grids to gas pipelines, transportation systems and water treatment plants, these vital systems that underpin our society are increasingly vulnerable to cyberattacks. The rise of hacktivists, insider threats, and foreign adversaries has created a perfect storm of potential risks that cannot be ignored.

One of the key threats faced by critical infrastructure is the increasing sophistication of cyber attackers. Gone are the days of simple malware and viruses. Today's cyber criminals have developed sophisticated techniques and tools that can undermine the very foundations of our critical systems. They can exploit vulnerabilities in SCADA and ICS to gain unauthorized access, manipulate data, and disrupt operations. They are now using Artificial Intelligence (AI) as a force multiplier and using Machine Learning (ML) and Deep Learning (DL) to find, observe and identify targets. This new breed of attackers often has significant financial and technical resources at their disposal, making them formidable adversaries. To put this in perspective, China, Russia, North Korea, Iran and others have invested considerably in offensive cyber operations, research and intelligence operations to meet their ideological goals. As an example, the U.S. Congressional Research Service describes how the Russian GRU, FSB and others such as the FSO have focused on specific Tactics, Techniques and Procedures (TTPs) to infiltrate critical infrastructure [2]. Numerous active units are identified, and attributable exploits used within Ukraine, Georgia, Crimea and the U.S. are referenced.

Furthermore, the interconnectedness of critical infrastructure also poses a significant threat. As these systems become more interconnected, the potential attack surface expands, providing cyber criminals with more opportunities to exploit vulnerabilities. Attackers can target one system and use it as a stepping stone to infiltrate other interconnected systems, creating a domino effect of destruction. This interconnectedness also means that a single breach can have far-reaching and cascading impacts, amplifying the severity of the threat.

Another pressing concern is the growing reliance on third-party vendors and suppliers. Many critical infrastructure organizations outsource various aspects of their operations to external vendors, which opens up new avenues for cyber threats. These vendors may not have robust cybersecurity measures in place, making them potential weak links in the overall security chain. Attackers can exploit vulnerabilities in these third-party systems to gain access to the core infrastructure, causing widespread disruption and damage.

While the threats to critical infrastructure are increasing, so too are the vulnerabilities within these systems. SCADA and ICS, which are the backbone of critical infrastructure, were not originally designed with cybersecurity in mind. As a result, they often lack basic security controls and are riddled with vulnerabilities that can be easily exploited by attackers.

One significant vulnerability is the lack of network segmentation in SCADA and ICS systems. In many cases, these systems are connected to the same network as other operational systems, creating a single point of failure. If an attacker gains access to one system within the network, they can potentially compromise the entire infrastructure. This lack of isolation between critical and non-critical systems poses a significant risk that must be addressed.

Additionally, legacy systems pose a significant challenge. Many critical infrastructure organizations continue to rely on outdated and unsupported systems that are no longer receiving security updates. These systems often have known vulnerabilities that attackers can exploit with relative ease. The challenge lies in upgrading these systems without disrupting critical operations, as any downtime can have severe consequences for public safety and the economy. Balancing the need for security with the need for continuous operation is a delicate and complex task.

The Urgent Need for Risk Assessment and Mitigation

Given the gravity of the threats and vulnerabilities facing critical infrastructure, it is clear that a proactive approach to risk assessment and mitigation is essential. Waiting for an attack to occur is not an option.

Instead, cybersecurity professionals must be equipped with the knowledge and tools to identify potential risks, assess their likelihood and impact, and develop strategies to mitigate them.

Risk assessment is the foundation of any effective cybersecurity strategy. By identifying and evaluating potential threats, vulnerabilities, and their potential impact, organizations can prioritize their resources and implement targeted security measures. This process involves conducting thorough assessments of the various components of critical infrastructure, including SCADA and ICS systems, to identify potential weak points. It also requires a deep understanding of the threat landscape and the evolving tactics employed by cyber attackers.

Mitigation strategies must address the unique challenges posed by critical infrastructure. This includes implementing stringent access controls, robust authentication mechanisms, and continuous monitoring of the network for any suspicious activities. It also involves developing incident response plans that can be activated at a moment's notice to minimize the impact of any successful attack. Regular training and awareness programs for employees are vital to ensure that everyone within the organization understands their role in maintaining a secure infrastructure.

Furthermore, collaboration and information sharing among critical infrastructure organizations are crucial. By pooling their collective knowledge and experiences, these organizations can develop best practices and strategies to combat the evolving threat landscape. Sharing information about successful attacks and defensive measures can help others learn from past mistakes and better prepare for future threats.

In conclusion, the threats to critical infrastructure are growing at an exponential rate, and the consequences of a successful cyberattack can be catastrophic. The solution lies in raising awareness of SCADA, ICS, and other operational technology threats and equipping cybersecurity professionals with the tools and knowledge to assess and mitigate these risks. By implementing best practices, utilizing advanced defense mechanisms, and fostering collaboration, we can strive to protect our critical infrastructure from the evolving threats of the digital age.

Vulnerabilities in Critical Systems

In today's interconnected world, the threat landscape for critical infrastructure is constantly evolving. No longer can we rely on traditional security measures to protect our SCADA systems, which are the backbone of many critical industries such as energy, water, and transportation. Hackers and cybercriminals have set their sights on these systems, exploiting vulnerabilities in an attempt to disrupt operations and cause widespread chaos.

To understand how hackers infiltrate SCADA systems, we must first grasp the fundamental components and architecture of these critical systems. SCADA systems are responsible for monitoring and controlling various industrial processes, allowing operators to make real-time decisions based on the data collected. However, these systems often lack proper security controls, leaving them susceptible to attack.

One common method employed by hackers is known as a “man-in-the-middle” (MITM) or “Adversary In The Middle” (AITM) attack. By intercepting the communication between the SCADA devices and the control center, hackers can manipulate or modify the data being transmitted. This can lead to unauthorized control of critical infrastructure or the injection of malicious commands that can sabotage the system.

Another technique used by hackers is the exploitation of software vulnerabilities. SCADA systems are often built on outdated or legacy software, which may have known security flaws. Hackers can exploit these vulnerabilities to gain unauthorized access, escalate privileges, or execute malicious code. The consequences of such actions can range from shutting down a power grid to compromising the safety of a nuclear facility.

Furthermore, social engineering tactics play a significant role in the infiltration of SCADA systems. Hackers often target unsuspecting employees or contractors, tricking them into divulging sensitive information or granting unauthorized access. By exploiting human weaknesses, hackers can bypass even the most advanced security controls and gain a foothold within the critical infrastructure.

To mitigate these risks, cybersecurity professionals must adopt a multi-layered approach to SCADA security. This includes implementing strong access controls, regularly patching and updating software, and conducting thorough vulnerability assessments. Additionally, network segmentation and isolation can help limit the potential damage caused by an attack, preventing the lateral movement of hackers within the system.

Insider Threats

While external threats often grab the headlines, insider threats pose an equally significant danger to critical infrastructure. Employees, contractors, and vendors with privileged access to SCADA systems have the potential to wreak havoc if their intentions are malicious or if their credentials are compromised.

Insider threats can take various forms, ranging from employees intentionally sabotaging systems to individuals inadvertently causing accidental damage. These threats can be challenging to detect and prevent, as insiders often possess legitimate access privileges and can easily blend in with regular operations.

One common type of insider threat is the disgruntled employee looking to exact revenge or gain a competitive advantage. These individuals may have intimate knowledge of the system's vulnerabilities and weaknesses, enabling them to exploit these for their own benefit. A single insider with malicious intent can cause significant damage, disrupting operations and compromising the integrity of critical infrastructure.

Another type of insider threat is the careless or uninformed employee who unintentionally exposes the system to risk. This can occur through the accidental installation of malware, the mishandling of sensitive data, or the failure to adhere to proper security protocols. Even well-intentioned employees can unknowingly create vulnerabilities that hackers can exploit.

To address these insider threats, organizations must implement robust access controls and privileged user monitoring. This includes regularly reviewing and revoking unnecessary access privileges, conducting background checks on employees with access to critical systems, and implementing strict monitoring of privileged user activities. Additionally, ongoing training and awareness programs can help educate employees about the risks and consequences associated with insider threats.

Least privilege access within a Zero Trust framework is critical. Cyberleaf deploys tools such as ThreatLocker and others to enable Zero Trust at the kernel level and to apply a Zero Trust architecture that is multifactorial. Via a multifactorial architecture, the application itself is aware of how to apply ring fencing, white fencing and permissions, as well as specific correlation searches within a Security Information and Event Management (SIEM) platform.

Nation-State Threats

In an increasingly interconnected world, the rise of foreign adversaries poses a significant threat to the security of critical infrastructure. Nation-states and state-sponsored actors have recognized the potential for cyber attacks to disrupt rival nations’ economies, military capabilities, and essential services. As a result, governments and organizations must remain vigilant in protecting their critical infrastructure from these persistent and sophisticated threats.

Foreign adversaries often employ advanced persistent threats (APTs) to infiltrate and compromise SCADA systems. These APTs are designed to remain undetected for an extended period, allowing the attackers to gather intelligence, conduct reconnaissance, and plan their next moves. Their motivations can range from espionage and intelligence gathering to sabotage and disruption.

One of the challenges in defending against foreign adversaries is their vast resources and technical expertise. Nation-states often have access to cutting-edge technologies, talented hackers, and significant financial resources. This enables them to develop highly sophisticated attack techniques that can bypass traditional security measures and exploit zero-day vulnerabilities.

Furthermore, foreign adversaries often employ tactics such as supply chain attacks to gain access to critical infrastructure. By compromising suppliers or vendors, attackers can inject malicious code into trusted software or hardware components, providing a backdoor into the SCADA system. This form of attack can be challenging to detect, as the compromised components may have seemingly legitimate origins. An important point of differentiation from ransomware and other exploits is that foreign adversaries often want their access to critical infrastructure to remain hidden for long periods of time: think years, with no IP traffic or external communication once deployed. This makes them harder to discover and, if they are true zero-day attacks, more difficult to identify if there are no communications to a Command and Control (C2) facility.

To counter these threats, governments must collaborate with cybersecurity professionals to develop comprehensive defense strategies. This includes implementing strong network segmentation, regularly updating and patching software, and conducting regular penetration testing (PenTesting). Additionally, intelligence sharing and international cooperation can help detect and mitigate attacks from foreign adversaries.

In conclusion, the risks to critical infrastructure from cyber threats are ever-increasing, and it is crucial for cybersecurity professionals to be proactive in their approach to mitigating these risks. By understanding the infiltration tactics used by hackers, addressing the dangers posed by insider threats, and assessing the impact of attacks from foreign adversaries, we can take significant steps towards securing our critical infrastructure. Through a combination of awareness, best practices, and a commitment to ongoing improvement, we can protect our SCADA systems and ensure the resilience of our critical infrastructure in the face of evolving cyber threats.

How Hackers Exploit OT Vulnerabilities

SCADA systems are the backbone of many industries, including power generation, water management, and manufacturing. These systems are responsible for the control and monitoring of industrial processes, making them an enticing target for cybercriminals seeking to disrupt or exploit critical infrastructures.

To fully comprehend the threats posed to SCADA systems, it is essential to first understand their structure and functionality. SCADA systems consist of three primary components: the human-machine interface (HMI), the supervisory system, and the field devices. The HMI serves as the window into the system, allowing operators to visualize and control the industrial processes. The supervisory system acts as the central control unit, collecting data from the field devices and providing instructions to the industrial equipment. The field devices, such as sensors and actuators, facilitate the communication between the physical processes and the supervisory system.

Hackers exploit vulnerabilities in SCADA systems through various attack vectors, including network-based attacks, device- and software-based attacks, and social engineering. Network-based attacks exploit weaknesses in the network infrastructure, such as unpatched vulnerabilities, misconfigurations, or weak authentication mechanisms. These attacks often involve techniques like port scanning, network sniffing, and man-in-the-middle attacks to gain unauthorized access to the SCADA network.

Device- and software-based attacks target the individual components of the SCADA system, taking advantage of vulnerabilities in the HMI software, the supervisory system, or the field devices. For instance, a hacker may exploit a buffer overflow vulnerability in the HMI software to gain control over the system. Similarly, an attacker could target a weak or default password on a field device to manipulate or disrupt the industrial processes. Social engineering, on the other hand, relies on manipulating individuals within the organization to divulge sensitive information or grant unauthorized access. Phishing emails, impersonation, and physical intrusion are common techniques employed by hackers to exploit the human element of the SCADA system. By tricking employees into clicking malicious links or disclosing their credentials, attackers can gain a foothold within the network and escalate their privileges.

To protect SCADA systems from such infiltrations, cybersecurity professionals must adopt a comprehensive and multi-layered approach. First and foremost, implementing a robust security policy that includes regular patching and updates is crucial to eliminating known vulnerabilities. Additionally, employing strong access control mechanisms, such as two-factor authentication and role-based access controls, can significantly reduce the risk of unauthorized access.

Furthermore, network segmentation and isolation can limit the impact of potential breaches by containing an attack within a specific segment of the SCADA network. By separating critical assets and introducing firewalls and intrusion detection systems, cybersecurity professionals can effectively mitigate the risks associated with network-based attacks.

In terms of device and software security, it is imperative to conduct regular vulnerability assessments and PenTests to identify and address weaknesses proactively. SCADA systems should be built with security in mind from the ground up, incorporating secure coding practices and rigorous testing procedures.

Additionally, implementing strict change control procedures and maintaining an up-to-date inventory of authorized devices can prevent unauthorized modifications or additions to the system.

Addressing the human element of the SCADA system is equally important. Regular security awareness training and education programs can arm employees with the knowledge to identify and report potential social engineering attempts. Establishing a culture of cybersecurity within the organization can foster a sense of responsibility and vigilance, ensuring that employees remain the first line of defense against infiltrations.

In conclusion, protecting SCADA systems from infiltration requires a thorough understanding of the vulnerabilities hackers exploit. By comprehensively assessing the risks associated with network-based attacks, device- and software-based attacks, and social engineering, cybersecurity professionals can implement the necessary countermeasures to safeguard critical infrastructure. Through the adoption of best practices, policies, and defensive methodologies, we can mitigate the risks posed to SCADA systems and ensure the resilience of our critical infrastructures in the face of cybersecurity threats.

Concerns, Risks and Drivers

The current threats to Critical Infrastructure (CI) from hacktivists, insider threats and, significantly, foreign adversaries continue to grow at an exponential and alarming pace. A recent non-classified and public report from the Canadian Centre for Cyber Security (the Cyber Centre) indicates this rise in threats, attacks and focus on CI [3]. CI itself comprises network components, “air-gapped” components that include IP-connected devices, as well as ICS/OT, Industrial IoT (IIoT) and SCADA.

Supervisory control and data acquisition (SCADA) serves as the backbone of many critical infrastructures, including water supply systems, oil pipelines, transportation and electricity. SCADA delivers essential functions, such as monitoring data from pumps, valves and transmitters. Over the years and through many generations, SCADA has undergone a significant evolution from the typically isolated environment to a highly interconnected network.

“Although this conversion has benefits for SCADA, such as enhanced performance efficiency and the cost reduction of heavy equipment, it has also made SCADA more vulnerable to various cyber-attacks. Several SCADA security approaches are still provided by IT-based systems that are possibly not efficient enough to deflect the risks and threats originating from SCADA field operations. As a result, it is critically important to analyze cyber risks associated with the industrial SCADA system.” [4]

The direct work of Waterleaf [5] and Cyberleaf [6] Cybersecurity as a Service (CsaaS) with various government agencies reveals a prevalent and alarming problem: a lack of knowledge of what is deployed, how “it” is connected on an aggregate basis, and how it is secured. Speaking with the CTO, CISO and ISSM of a state agency, we asked them several important questions. Their responses are disturbing, as shown in Table 1. Unfortunately, this lack of visibility into and knowledge of the assets within the OT and Information Technology (IT) network is not uncommon. Without this knowledge, protecting such assets is not a viable option.

Table 1: State agency responses to questions regarding cybersecurity

Question: How many sensors do you have deployed and how are they being monitored?
Response: “…we are not sure…somewhere between 40,000 to 60,000 sensors connected with god knows what and to whatever infrastructure was deployed at the time…”

Question: When were these sensors deployed and what is the age of the sensors?
Response: “…well this is 2023 so over the last 20 plus years…”

Question: How are they being maintained and repaired?
Response: “…Well a private contractor maintains these often under contract from the OEM…”

Question: How is security managed with the OEM and the contractor? Who checks the process of security, from the personnel to the equipment used to update, log in, check and maintain the firmware, as well as the integrity of the data itself and any review of the software and firmware, such as a Software Bill of Materials (SBOM)?
Response: “…well no one…but some of these are global OEMs so we trust them…”

As stated, this unfortunately is not unique to this agency, and it is precisely why adversaries target and use low-hanging, unprotected infrastructure for their attacks.

Confluence of ICS/OT/IIoT and IT

As the demand to control multiple aspects of industrial systems, including critical infrastructure, for more efficient utilization of that infrastructure increases, so does the level of connectivity. However, these connected elements are disparate in their approach to connectivity, system management and awareness.

The confluence of ICS, OT, and IIoT with IT over a common infrastructure refers to the integration and interconnectedness of traditionally separate domains within industrial environments.

This convergence aims to leverage the benefits of IT technologies and practices to enhance the efficiency, functionality, and flexibility of industrial processes while also introducing new challenges and considerations. Let's break down the components and provide some examples:

1. Industrial Control Systems (ICS): These are systems used to control and monitor industrial processes, often found in sectors like manufacturing, energy, and utilities. They include Distributed Control Systems (DCS) and SCADA systems.

2. Operational Technology (OT): OT encompasses the hardware and software used to monitor and control physical devices, processes, and infrastructure in industrial settings. It's focused on the specialized technologies that ensure industrial processes run effectively and safely.

3. Industrial Internet of Things (IIoT): IIoT involves the interconnection of industrial devices, sensors, and machines to collect and exchange data. This data can be used for real-time monitoring, predictive maintenance, and process optimization.

4. Information Technology (IT): IT refers to the technologies and practices used to manage and process digital information. This includes networks, servers, software applications, and data storage.

The confluence of these domains means that the technologies and principles of IT are being applied to ICS, OT, and IIoT. Examples of this convergence include:

• Smart Manufacturing: In a smart manufacturing environment, data from sensors embedded in industrial equipment and machinery can be collected and analyzed to optimize production processes, reduce downtime, and enhance quality. IT technologies like data analytics, cloud computing, and machine learning are integrated into the traditional industrial processes.

• Predictive Maintenance: By combining data from sensors on industrial equipment with analytics and machine learning, companies can predict when machinery is likely to fail and schedule maintenance proactively. This minimizes unplanned downtime and reduces maintenance costs.

• Energy Management: Converging IT and OT in energy management allows real-time monitoring and control of energy consumption in industrial facilities. Smart grids and connected devices can help regulate energy usage based on demand and availability.

• Supply Chain Optimization: IT tools can be used to monitor and optimize supply chain processes, ensuring that materials are available when needed in the production process and minimizing excess inventory.

• Cybersecurity Challenges: With the convergence of IT and OT, there is an increased need for robust cybersecurity measures. Traditional IT security practices must be adapted to the unique requirements of industrial systems to protect against cyber threats.

• Remote Monitoring and Control: IT enables remote monitoring and control of industrial processes, allowing experts to manage operations from distant locations. This has become particularly important in situations where physical presence is limited, such as during the COVID-19 pandemic.

Overall, the confluence of ICS/OT/IIoT and IT over a common infrastructure offers the potential for increased efficiency, flexibility, and innovation in industrial settings, but it also requires careful consideration of security, interoperability, and the unique challenges of industrial processes.

To be clear, standard methodologies, practices and tools cannot be used on many of these elements. An example of this is the disparate nature of ICS/OT and SCADA. Many are built on proprietary and arcane systems. Still others are up to 15 years old. This means that security was not built into the systems and the code is vulnerable. Even the ability to see or discover the systems is affected: what is known as active scanning can break these systems or take them offline.

Initial Steps and Key Action Items

Initial Steps:

• Identify assets via the use of tools that can identify, map and organize the components on the OT and IT connected networks. Utilize active querying for OT. This involves the use of specialized technology to interact with and retrieve information directly from industrial devices, such as PLCs, Remote Terminal Units (RTUs), and other components. Unlike passive monitoring, which observes network traffic, active querying initiates communication with devices in their native language to gather specific information.

• This gives you a moment in time when you can see what is in the OT environment, and delivers a baseline inventory.

• Identify and inventory the firmware versions, patches and updates, as well as software versions.

• Run tools that can do a vulnerability test and/or automated PenTest for the externally facing or internally facing IT infrastructure that connects to the OT environment.

• Check, via an internal audit, that policies such as least privilege/Zero Trust and Multi-Factor Authentication (MFA) are in fact being used.

• Schedule a PenTest designed for OT environments.

• Utilize the findings from the PenTest and the audit to produce an analysis with action items.

Key Action Items:

• Schedule asset and inventory reviews.

• Create the baseline and update as needed.

• Run initial and scheduled vulnerability scans specific to OT.

• Run initial and follow-on PenTests.

• Create a plan of action and/or Plan of Action and Milestones (POAM).

In summary, the first steps have to be the complete and proper categorization, analysis and development of a known architecture, infrastructure and network topology. Once this is done, an analysis of what is running, including a Software Bill of Materials (SBOM), is highly recommended, as well as a pen test (red team) of the connected network.

Utilize scheduled vulnerability assessments, red team pen testing and analysis of topologies as well as architecture to make sure that it follows your Risk Management Framework (RMF) and is both resilient and visible to your defensive teams [7].

Be aware that internal obstacles to testing and analysis may exist. Years of research and engagements with critical infrastructure and ICS/OT managers have shown a common reaction when discussing threats, architecture, defensive strategies and protection of these networks: “We have never had an incident.”

Given the nature of obfuscation by design and the desire to remain hidden until needed, there is a level of education and communication needed to engage in productive dialogues. We have heard comments such as “No one can get to the network” as they are “air gapped.” Unfortunately, in our experience nothing is truly air gapped, with few exceptions. For the most part, in hundreds of PenTests we have never found a true air-gapped network. While there are networks that are air gapped from the public internet and even the protected LAN, these networks have communications with people and devices that can be and have been compromised. We cannot share the examples of exploits here; however, breaching the presumed “air gapped” ICS/OT network is both feasible and, for a dedicated adversary, part of their mission set. If the target is valuable enough then the adversary will work harder to enable access. This includes boots-on-the-ground intelligence operations as well as penetration of the supply chain that is supporting the ICS and OT environment.

As for SBOMs, many products, including FedRAMP [8] approved products, have never had the SBOM reviewed and analyzed. Analysis and reviews of SBOMs for customers have shown compromised code, outdated and vulnerable code, and examples of Mandarin/Chinese comments in code developed by U.S. and German developers in the code repositories. Needless to say, a real review of the SBOM on all applications is critical to security.

Policies and Defensive Behaviors

Several policies and frameworks from federal and state governments, as well as organizations such as the U.S. National Institute of Standards and Technology (NIST) [9], the Cybersecurity Maturity Model Certification (CMMC) [10], and the Center for Internet Security (CIS) [11], are driving defensive cybersecurity behaviors across various sectors. These policies aim to establish guidelines, best practices, and requirements for enhancing cybersecurity posture. Notable examples include:

1. NIST Cybersecurity Framework [12]: The NIST Cybersecurity Framework is a widely recognized guideline for improving critical infrastructure cybersecurity. It offers a set of standards, guidelines, and best practices to help organizations manage and reduce cybersecurity risks. It focuses on five core functions: Identify, Protect, Detect, Respond, and Recover.

2. NIST Special Publications (800 Series) [13]: NIST has developed a series of special publications that provide detailed guidance on various aspects of cybersecurity, including risk management, security controls, and privacy. These publications offer practical recommendations for securing information systems and data.

3. CMMC (Cybersecurity Maturity Model Certification) [10]: CMMC is a framework developed by the U.S. Department of Defense (DoD) to ensure that contractors and suppliers in the defense industrial base have appropriate cybersecurity controls in place. It defines different levels of cybersecurity maturity and requires organizations to meet specific requirements based on the sensitivity of the information they handle.

4. CIS Critical Security Controls [11]: The CIS Critical Security Controls (formerly known as the SANS Top 20) is a set of guidelines that provide actionable and prioritized best practices for improving an organization's cybersecurity posture. These controls cover a wide range of security measures, from basic hygiene to advanced threat detection and response.

5. Federal and State Data Protection Laws: Various federal and state regulations, such as the U.S. Health Insurance Portability and Accountability Act (HIPAA) [14] and the European Union General Data Protection Regulation (GDPR) [15], impose requirements for protecting sensitive data in specific industries and regions. These laws drive organizations to implement cybersecurity measures to safeguard personal and sensitive information.

6. Federal Risk and Authorization Management Program (FedRAMP) [8]: FedRAMP is a government-wide program that standardizes the security assessment, authorization, and continuous monitoring processes for cloud products and services used by federal agencies. It ensures that cloud services meet rigorous security standards.

7. State-Specific Cybersecurity Regulations: Some states have enacted their own cybersecurity regulations, often targeted at specific industries like finance and healthcare. For example, New York's Department of Financial Services has implemented 23 NYCRR 500 – Cybersecurity Requirements for Financial Institutions [16].

8. Executive Orders and Directives: Presidential executive orders and directives can shape cybersecurity priorities for federal agencies and their contractors. These orders can mandate specific actions, standards adoption, and risk management practices.

9. National Cyber Strategy: National cyber strategies outline a country's approach to cybersecurity and set the direction for defensive and offensive cyber activities. They guide policy decisions related to critical infrastructure protection, international cooperation, and cybersecurity research.

These policies and frameworks collectively drive defensive cybersecurity behaviors by providing clear guidelines, standards, and expectations for organizations across different sectors. They promote a proactive approach to cybersecurity, emphasizing risk management, threat detection, incident response, and overall resilience against cyber threats.


Drivers of Attacks on Critical Infrastructure

Offensive cybersecurity activities can be driven by various external events, often with the intent to achieve political, economic, military, or strategic objectives. While it's challenging to predict specific events, certain geopolitical developments and trends can influence the occurrence of offensive cyber activities. Certainly, events like the Russia/Ukraine war, the Israel/Hamas war, and the expansion of China into the Pacific and into Taiwan are in the news today, as well as related events coming from Iran and North Korea. Notable examples include:

1. Geopolitical Tensions and Conflicts: Ongoing conflicts, such as the Russia – Ukraine war, the Israel – Hamas war and others, have clearly led to offensive cyber activities. State-sponsored or state-affiliated threat actors have launched cyber attacks to gain an advantage, gather intelligence, disrupt infrastructure, or create chaos. Examples of these are listed further on in this paper.

2. State-Sponsored Cyber Espionage: Tensions between nations drive state-sponsored cyber espionage activities aimed at collecting sensitive information, trade secrets, and military intelligence. China is infamous for this, as is Russia. The Chinese Thousand Talents Plan [17] is infamous for penetrating both businesses and academia. Just recently two US Navy sailors were arrested for spying for China and sending critical information back to the Chinese government (note this is not related to the Thousand Talents Plan). These activities can be part of broader intelligence-gathering efforts and, as they relate to critical infrastructure, are designed to stay hidden.

3. Proxy Cyber Attacks: In some cases, state actors will use proxies to carry out cyber attacks, providing them with plausible deniability. These proxies could be individuals, groups, or other nations that conduct attacks on behalf of the sponsoring state. A recent trend is the adoption of the venture capital model, from Russia in particular, out to their satraps in Syria, Lebanon, Turkey and Eastern Europe. Under this model investments are made into cyber criminals' businesses that give them seed funding, tools and training to further their ideologies via cyber attacks.

4. Global Political Developments: Events like changes in leadership, elections, or international agreements can influence offensive cyber activities. Cyber attacks might target political candidates, organizations, or institutions to influence outcomes. A glaring example is the declassified attack on Hillary Clinton. The cyber attacks on Clinton's campaign and the Democratic National Committee (DNC) preceding the 2016 U.S. presidential election were attributed to a Russian intelligence agency known as the GRU (Main Intelligence Directorate). The GRU is one of the main intelligence agencies in Russia, responsible for foreign military intelligence. The cyber attacks, which involved hacking and releasing sensitive emails, were part of a broader Russian influence campaign aimed at disrupting the U.S. election process and undermining confidence in democratic institutions.

The U.S. intelligence community and various cybersecurity firms conducted investigations and analyses that led to the attribution of these attacks to the GRU. One of the most notable incidents involved the hacking and subsequent release of DNC emails via platforms like WikiLeaks. These disclosures led to a significant political and media controversy during the 2016 election campaign.

The U.S. Department of Justice later indicted several individuals believed to be associated with the GRU for their involvement in these cyber attacks. It's important to note that attributing cyber attacks to specific entities or organizations can be a complex process, involving technical analysis, intelligence sources, and geopolitical context.

5. Resource Competition: Geopolitical tensions can extend to economic competition. Cyber attacks targeting industries, research institutions, or critical infrastructure could be carried out to gain a competitive edge.

6. National Security Concerns: Governments might engage in offensive cyber activities to preempt perceived threats or to counter potential attacks on their own critical infrastructure.

7. Ideological Conflicts: Ideological or cultural conflicts might motivate hacktivist groups or individuals to launch cyber attacks as a form of digital protest or to spread their message.

8. Regional Instability: Instability in a particular region, such as the Middle East, could lead to offensive cyber activities as nations or groups seek to disrupt adversaries' capabilities or gain leverage.

9. Cyber Arms Race: As nations invest in building their cyber capabilities, there could be a cyber arms race where offensive cyber tools and techniques are developed and deployed in response to perceived threats.

10. Disinformation Campaigns: Offensive cyber activities can be used to spread disinformation or influence public opinion. Manipulating information or leaking sensitive documents can be part of broader information warfare strategies.

11. Critical Infrastructure Attacks: Tensions between nations can lead to attacks on critical infrastructure, such as energy, transportation, and communication systems, with potentially severe consequences.

12. Retaliation and Deterrence: Offensive cyber activities might be used as a means of retaliation or deterrence against perceived aggressors or adversaries.

It's important to note that the attribution of cyber attacks to specific actors is often challenging due to the use of techniques like plausible deniability, false flag operations, and proxy involvement. As a result, accurately determining the motivations and origins of offensive cyber activities can be complex and require thorough investigation and analysis.

Critical Infrastructure Threats

There have been several instances of cyberattacks and attempted breaches targeting critical infrastructure in the United States. Notable examples include:

1. Volt Typhoon (2023): This is an ongoing challenge and perhaps one of the more pervasive ones that we in the US, NA and our allies are facing. Of Chinese origin, it has been targeting American electric utilities since early 2023 and has been discovered in telecommunications networks, emergency management services and satellite services [18].

2. Energy Sector (2021): A ransomware attack disrupted Colonial Pipeline's operations, causing fuel shortages in parts of the U.S. East Coast. The company temporarily shut down its pipeline system as a precaution [19].

3. Water Sector (2021): An attempted cyberattack targeted a water treatment plant in Oldsmar, Florida. The attacker attempted to alter the levels of sodium hydroxide (lye) in the water supply. The attempt was thwarted, and no harm occurred [20]. (Note that this was an open RDP port and investigations may show that this was an "overzealous employee".) However, the open port should be a wake-up call.

4. Electric Grid Sector (2015, 2016, 2021): Ukrainian power companies experienced cyberattacks that caused widespread power outages in two separate incidents. The attacks were attributed to Russian threat actors. In 2021, multiple attacks were launched by Russia preceding the kinetic attack in Ukraine [21].

5. Transportation Sector (2016): Ransomware disrupted the ticketing systems of San Francisco's public transportation agency, causing fare payment issues [22].

6. Healthcare Sector (2020): Ransomware affected the operations of Universal Health Services, one of the largest hospital chains in the U.S. Patient care was not compromised, but the attack disrupted various IT systems [23].

7. Financial Sector (2017): A data breach at Equifax, one of the major credit reporting agencies, exposed sensitive personal and financial information of millions of Americans [24].

8. Government Systems (2015): Hackers believed to be linked to China breached the systems of the U.S. Office of Personnel Management (OPM), compromising the personal data of millions of federal employees and security clearance applicants [25].

9. Industrial Manufacturing Sector (2014 and onwards): A sophisticated cyber espionage group called DragonFly or Energetic Bear, believed to be associated with Russia, targeted various energy and industrial control organizations. They conducted reconnaissance and gained access to critical systems [26].

10. Aviation Sector (2018): Boeing disclosed that some of its computers were affected by the WannaCry ransomware, causing concerns about potential impacts on manufacturing and safety systems [27]. In Nov 2023 Boeing was hit again, with the Russia-affiliated group LockBit claiming responsibility for the attack.

11. Nuclear Power Plants (2016): The Wolf Creek nuclear power plant in Kansas experienced a breach. While the breach did not affect plant operations, it raised concerns about the security of critical infrastructure [28].

These examples highlight the various sectors of critical infrastructure that have been targeted by cyberattacks or attempted breaches in the United States. It's important to note that the threat landscape is continuously evolving, and new threats and attacks can emerge at any time.

As a result of the preceding and dozens of others, Waterleaf International is working to improve cybersecurity measures and resilience to protect critical infrastructure from cyber threats. We do so working with our partners on the government, academia and enterprise cybersecurity sides.

How are Attacks Promulgated?

Cyber attacks occur in several different ways. Many attacks use automated communications software robots (“bots”) in networked configurations (“botnets”) to compromise or infect other systems. Other attacks search for devices left unprotected, or configured with well-known factory login credentials. Many modern attacks leverage multiple methods which compromise networks of IoT devices. The further growth of AI and the adoption of Adversarial ML (AML) and others have enabled adversaries to poison the input of algorithms designed to run critical infrastructure such as traffic management systems aka Intelligent Transportation Systems (ITS). Waterleaf International/Cyberleaf have published presentations on the tactics used by adversaries (in this case for ITS and connected vehicles) [29]. NIST has also released a document that gives examples of exploits using AI into Critical Infrastructure [30]. This is critical reading to understand the taxonomy and to be able to dive deeper into learning how to defend against these threats.

Methodologies of attack

Attackers, and notably foreign adversaries, search for unencrypted devices, confirm the types of devices and connections, then begin an exploit that results in an attack on a network or ICS/OT, or in exfiltration of data. Search tools, including the notable Shodan search engine [31], are used to discover, via active port scanning, vulnerabilities that are then leveraged for attacks on IoT/ICS-OT.

Many recent (2020-2023) large-scale cyber-attacks leverage insecure Internet of Things (IoT) devices to perform malicious processes on the Internet. Notably, we see an increase in IoT-tailored malware/botnets [32]. The botnets propagate using automation, and more recently using ML/AI, by scanning the Internet for vulnerable, exploitable IoT devices that can then be utilized for further malicious activities [33].

SSH botnets (ones that can ID and deliver brute force attacks) are also used to breach weaker SSH connections via default TCP/IP port 22 [34]. The “Rapper Bot” targets ARM, MIPS, SPARC and x86 systems, the architectures most typical of IoT malware [35].

Once the IIoT device is identified, and often correlated to specific known, least known and unknown vulnerabilities, the exploit function is started. The exploit may be a beacon or other component to be used at a later date. C2 is often established, or a timed approach or “Tactics, Techniques and Procedures” (TTPs) are used for further exploitation. The end result is the compromise of the IIoT functionality and/or the exfiltration of data controlled by, or accessible from, the compromised IIoT device.

Botnets

Examples of mitigation of botnets are abundant. The principles of such cyber attacks are fairly basic. Telnet servers that communicate with IoT and similar devices often use TCP/IP ports 23 and 2323. Telnet is an insecure, legacy application which sends messages in clear text. This is obviously a security vulnerability, and in the OT world it is still open in some cases. Many bots and augmented bots use well-known ports, and if able to connect to an open server on one of these ports, the bots determine if they can install the Tsunami DDoS botnet, aka Kaiten. The threat actors may also install other malware families such as ShellBot, XMRig CoinMiner, and Log Cleaner [36].

Malicious Activities and Use Cases

The “LiGhT’s Modded perlbot v2” version of ShellBot [34], [37] offers various features, which are largely categorized in Table 2. Commands that can be used for malicious purposes include DDoS commands such as TCP, UDP, and HTTP Flooding. It also includes a variety of commands that allow control over infected systems so that they can be used in other attacks, such as reverse shell, log deletion, and scanner.

Table 2

APT actors have developed custom-made tools that, once they have established initial access in an OT network, enable them to scan for, compromise, and control certain ICS/SCADA devices, including the following [38]:

• Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078;

• OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and

• Open Platform Communications Unified Architecture (OPC UA) servers [39].

The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.

The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.

In addition, the APT actors can use a tool that installs and exploits a known-vulnerable ASRock-signed motherboard driver, AsrDrv103.sys, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel. Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment and disrupt critical devices or functions [40].

APT Tool for Schneider Electric Devices

The APT actors’ tool for Schneider Electric devices has modules that interact via normal management protocols and Modbus (TCP 502) [41]. Modules may allow cyber actors to:

• Run a rapid scan that identifies all Schneider PLCs on the local network via User Datagram Protocol (UDP) multicast with a destination port of 27127 (Note: UDP 27127 is a standard discovery scan used by engineering workstations to discover PLCs and may not be indicative of malicious activity);

• Brute-force Schneider Electric PLC passwords using CODESYS and other available device protocols via UDP port 1740 against defaults or a dictionary word list (Note: this capability may work against other CODESYS-based devices depending on individual design and function, and this report will be updated as more information becomes available);

• Conduct a denial-of-service attack to prevent network communications from reaching the PLC;

• Sever connections, requiring users to re-authenticate to the PLC, likely to facilitate capture of credentials;

• Conduct a “packet of death” attack to crash the PLC until a power cycle and configuration recovery is conducted; and

• Send custom Modbus commands (Note: this capability may work against Modbus other than in Schneider Electric PLCs).
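The ports named in the list above lend themselves to a simple network detection. The following is an added example, not code from the original article or the advisory it cites: it flags Modbus (TCP 502), CODESYS (UDP 1740) and PLC-discovery (UDP 27127) traffic from sources outside an approved set of engineering workstations, treats discovery from an approved workstation as normal (per the note above), and flags high-volume UDP 1740 traffic. The flow-record format, all IP addresses, the multicast group, the allowlist and the burst threshold are constructed assumptions.

```python
import csv
import io
from collections import Counter
from ipaddress import ip_address
from typing import NamedTuple

# Protocol/port pairs taken from the text above.
WATCHED = {
    ("tcp", 502): "Modbus",
    ("udp", 1740): "CODESYS",
    ("udp", 27127): "PLC discovery multicast",
    ("tcp", 23): "Telnet",
    ("tcp", 2323): "Telnet",
}
TELNET_PORTS = {23, 2323}

# Assumptions for this example (constructed values, not from the article).
ENGINEERING_WORKSTATIONS = {ip_address("10.10.5.20"), ip_address("10.10.5.21")}
CODESYS_BURST_THRESHOLD = 20  # packets per (src, dst) pair in the window

# Constructed flow records for one collection window on an OT segment.
SAMPLE_FLOWS = """\
ts,proto,src,dst,dport,packets
2024-01-01T00:00:01,udp,10.10.5.20,239.192.0.1,27127,1
2024-01-01T00:00:05,tcp,10.10.5.20,10.10.1.10,502,12
2024-01-01T00:01:10,udp,10.10.9.77,239.192.0.1,27127,1
2024-01-01T00:01:30,udp,10.10.9.77,10.10.1.10,1740,15
2024-01-01T00:01:45,udp,10.10.9.77,10.10.1.10,1740,30
2024-01-01T00:02:00,tcp,10.10.9.77,10.10.1.10,502,3
2024-01-01T00:03:00,tcp,10.10.5.21,10.10.1.11,23,4
2024-01-01T00:04:00,tcp,10.10.5.21,10.10.1.11,443,9
2024-01-01T00:05:00,udp,10.10.5.20,10.10.1.12,1740,6
"""


class Alert(NamedTuple):
    ts: str
    rule: str
    src: str
    dst: str
    detail: str


def analyze(flow_csv, allowlist=ENGINEERING_WORKSTATIONS,
            burst=CODESYS_BURST_THRESHOLD):
    """Return alerts for one window of flow records."""
    alerts = []
    codesys_packets = Counter()
    for row in csv.DictReader(io.StringIO(flow_csv)):
        key = (row["proto"].lower(), int(row["dport"]))
        if key not in WATCHED:
            continue  # not an ICS management port of interest
        service = WATCHED[key]
        if key[1] in TELNET_PORTS:
            # Clear-text Telnet is reported regardless of who initiates it.
            alerts.append(Alert(row["ts"], "cleartext-telnet",
                                row["src"], row["dst"], service))
        elif ip_address(row["src"]) not in allowlist:
            # ICS protocol traffic from a host that is not an approved
            # management or engineering workstation.
            alerts.append(Alert(row["ts"], "unapproved-source",
                                row["src"], row["dst"], service))
        if key == ("udp", 1740):
            codesys_packets[(row["src"], row["dst"])] += int(row["packets"])
    # Volume check: many UDP 1740 packets to one device in a window is
    # consistent with password guessing and is flagged even for approved hosts.
    for (src, dst), total in sorted(codesys_packets.items()):
        if total > burst:
            alerts.append(Alert("window", "codesys-burst", src, dst,
                                f"{total} packets to UDP 1740"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

The allowlist and threshold need tuning against a site's own baseline; a window with legitimate engineering activity on UDP 1740 may exceed a low threshold.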

Protecting Legacy Assets and Current Deployments of ICS/OT

The first steps in protecting legacy assets and ICS/OT deployments need to include the adoption, integration and utilization of a Risk Management Framework (RMF). For SCADA/OT, the latest version of NIST SP 800-82 is recommended [42]. An RMF establishes the baseline of process and guidance that sets the recommendations for cybersecurity controls and policies that enable the responsible party to have clarity and structure to managing, securing and operating their environment. Without an RMF it is impractical to manage such a complex environment.

After an RMF is in-place, obtaining an inventory of potential targets within the cyber-environment is a critical next-step. There are numerous commercial and custom tools that utilize passive scanning as well as integration to the network components (LAN based) that can assist in this process (e.g. Tenable [43]). A comprehensive vulnerability analysis designed for ICS/OT/IOT is also essential. Complete inventory and vulnerability analysis combined with PenTesting will establish a baseline of what needs to be protected.

The following is a set of industry-standard guidelines for defensive measures, or “Tactics, Techniques, and Procedures” (TTPs). These TTPs are compliant with our recommendations and policies as well as those of numerous agencies we work with:

• Policy, Planning, and Response

  ◦ Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.

  ◦ Maintain known-good offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.

  ◦ Establish an IR services agreement for Digital Forensics and Incident Response (DFIR) so that in the event of an incident the plan, personnel and procedures are known and practiced.

  ◦ Utilize a SIEM/SOAR/SOC with threat intelligence and AI/ML/DL that is connected to the SOAR and able to FIND/FIX/FINISH – threat hunt with Incident Response capabilities.

• Architecture and Operations

  ◦ Isolate OT/IIOT and ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving these perimeters.

  ◦ Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.

  ◦ Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.

  ◦ Implement robust log collection and retention from ICS/SCADA systems and management subnets.

  ◦ Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic, consider using CISA’s open-source Industrial Control Systems Network Protocol Parsers (ICSNPP) [44].

  ◦ Ensure all applications are only installed when necessary for operation, and if not needed after operation then ensure removal.

  ◦ Utilize frequent vulnerability scans and PenTesting, including Red Team/Purple Team exercises.

  ◦ Utilize a SIEM/SOAR and SOC that has both segregated connectivity and multi-tenancy for integrity and visibility.

• Authentication and Access Control

  ◦ Enforce MFA for all remote access to ICS networks and devices whenever possible.

  ◦ Use hardware-based tokens, also known as HSMs (hardware security modules), certified to at least Level 2 of Federal Information Processing Standard (FIPS) 140-2 [45] for MFA. AITM exploits are able to defeat some application-based MFA (rare but it has happened) and have defeated SMS/Text-based MFA.

  ◦ Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords. Use device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.

  ◦ Ensure OPC UA security is correctly configured with application authentication enabled and explicit trust lists [39].

  ◦ Ensure the OPC UA certificate private keys and user passwords are stored securely [39].

  ◦ Enforce the principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates.
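One way to carry out the "hashing and integrity checks on firmware and controller configuration files" item from the Policy, Planning, and Response list is a sealed hash manifest. This is an added example, not part of the original article: the file names, contents and key are constructed, and sealing the manifest with an HMAC key held away from the backup media is an assumption of this sketch, made so that someone who can alter the backup cannot also quietly rewrite the expected hashes.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large firmware images do not load into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal(manifest, key):
    """HMAC-SHA256 over a canonical JSON encoding of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_backup(root, manifest, tag, key):
    """Authenticate the manifest, then compare it with the files on disk."""
    if not hmac.compare_digest(seal(manifest, key), tag):
        raise ValueError("manifest failed authentication; do not trust it")
    current = build_manifest(root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        actual = current.get(name)
        if actual is None:
            report["missing"].append(name)
        elif hmac.compare_digest(actual, expected):
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    # Files present in the backup but absent from the manifest also matter:
    # an unexpected image may be restored by mistake.
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def demo():
    """Build a constructed backup set, then verify it before and after changes."""
    key = b"constructed-demo-key"  # hypothetical; keep real keys off the backup media
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plc01").mkdir()
        (root / "plc01" / "firmware.bin").write_bytes(b"\x7fFW" + bytes(range(64)))
        (root / "plc01" / "controller.cfg").write_text("setpoint=42\nmode=auto\n")
        (root / "rtu07.cfg").write_text("poll_interval=5\n")

        manifest = build_manifest(root)
        tag = seal(manifest, key)
        clean = verify_backup(root, manifest, tag, key)

        # Simulate damage to the backup set after the manifest was sealed.
        (root / "plc01" / "controller.cfg").write_text("setpoint=99\nmode=auto\n")
        (root / "rtu07.cfg").unlink()
        (root / "plc01" / "extra.bin").write_bytes(b"\x00")
        changed = verify_backup(root, manifest, tag, key)

        # A manifest edited to match the changed file no longer matches the seal.
        forged = dict(manifest)
        forged["plc01/controller.cfg"] = sha256_file(root / "plc01" / "controller.cfg")
        try:
            verify_backup(root, forged, tag, key)
            forged_rejected = False
        except ValueError:
            forged_rejected = True
    return clean, changed, forged_rejected


if __name__ == "__main__":
    for result in demo():
        print(result)
```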


Impact of AI on Cyber offense and defense

Two important areas will be covered briefly here: Adversarial Machine Learning (AML) and Generative Adversarial Networks (GAN). According to the NIST taxonomy:

“…AML is concerned with studying the capabilities of attackers and their goals, as well as the design of attack methods that exploit the vulnerabilities of ML during the development, training, and deployment phase of the ML lifecycle. AML is also concerned with the design of ML algorithms that can withstand these security and privacy challenges. When attacks are launched with malevolent intent, the robustness of ML refers to mitigations intended to manage the consequences of such attacks…” [30]

The goals of AML depend on the operators. For example, it can be used to identify and mitigate vulnerabilities in machine learning algorithms and models, in order to learn, teach and prevent them from being exploited by adversarial attacks. These attacks can cause (and have caused) models to malfunction, misclassify data, or reveal sensitive information.

AML utilizes ML algorithms to deceive models through malicious input. Many organizations use this approach defensively for testing or improving the robustness of models against attacks. For example, at Cyberleaf, AML techniques are used to protect AI systems from being manipulated or misled/poisoned by malicious inputs. This is critical for ITS, EV charging, autonomous driving systems and connected vehicles, as well as critical infrastructure that may be using data which can be poisoned by adversaries.

GANs are a class of AI algorithms built from a combination of two models, the generator and the discriminator, which are trained simultaneously through what is known as an adversarial process. The generator's task is to produce data (which can be images, videos, etc.), while the discriminator's task is to evaluate the authenticity of the generated data against real data.

GANs are primarily used for generating realistic data that is designed to be indistinguishable from actual data. This includes, but is not limited to, art creation, photo-realistic image generation, complex data sets, LiDAR, RADAR, videos, video game environments, and more.

In general there are two classes of AI systems: predictive and generative. Any AI system includes, at a minimum, data (which may come from multiple sources), a model, processes for training, testing and deploying ML models, and the infrastructure design/architecture needed to run or utilize them.

Generative AI (GAI) systems, including large language models (LLMs) such as OpenAI’s ChatGPT [46], Microsoft’s CoPilot [47] and Google’s Bard [48], can be linked to web content. Non-public GAI may access web and learned content as well as curated and special use-case data, such as corporate documents, research and databases, when adapted to specific domains and use cases.

The data-driven approach of ML introduces a plethora of additional security and privacy challenges throughout the various steps of ML operations, beyond the “standard or known” security and privacy threats faced by many systems. This is the vulnerability that we reference further, and it can be exploited by GANs.

These security and privacy challenges include the potential for adversarial manipulation of training data, adversarial exploitation of model vulnerabilities to degrade the performance of the AI system, and even malicious manipulation or modification of, or mere interaction with, models to exfiltrate sensitive information about the people, resources, systems or other data points represented in the data, about the model itself, or about proprietary enterprise data. Think of university research data, public data sets, ITS, traffic management, pipeline control systems, autonomous driving and many others.

We have seen these attacks in real-world conditions with capabilities, sophistication, exponential growth rates and potentially massive impact. Such attacks are increasing beyond what was deemed possible even a year ago.


Conclusion

Cybersecurity defense requires planning, diligence and training at more advanced and deeper levels than ever before. The very tools that are part of our complex 21st-century infrastructure can be used against us, both as a nation and at a deeply personal level. The functionality of automation, the reduction in operational costs and the investments made to deliver reliable services such as fuel, electricity, water, health care, safe access to roadways, air travel and more have become vulnerable to sophisticated and dedicated adversaries.

Therefore, the process of defense and protection needs to adopt, integrate and apply the strategic elements of defense in depth, including layered defenses, together with constant iteration of those defensive measures.

Training and education need to be continuous and current for executives, for technology professionals from systems engineering, computer science and other disciplines, and for technicians, administrators and IT professionals.

Cyber defense teams, both internal and external, need to be integrated, trained and tested so that the functional disciplines of preparation, integration, testing and defense are at the highest levels of capability, while being able to weigh the cost and benefit of protection.

The advent, and now reality, of AI used by adversaries to increase the frequency, intensity and complexity of attacks, together with the global geopolitical environment, has created an almost perfect storm of rapidly expanding threat vectors against already growing attack surfaces.

With diligence and absolute honesty about what we face, combined with the continued intellectual pursuit of countermeasures, the utilization of AI and communication across the industry, we will maintain safe critical infrastructure. As noted, this is not an easy or simple task. It is, however, a critical mission to protect our vital interests and the citizens, friends, neighbors and family that depend on us to do so.

References

[1] K. Zetter (2014). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon. Crown Publishing. ISBN 978-0770436179.

[2] A. Bowen (2022). Russian Cyber Units. Congressional Research Service. IF11718 Russian Cyber Units. https://crsreports.congress.gov Accessed Dec 2023.

[3] Canadian Centre for Cyber Security (2023). The cyber threat to Canada’s oil and gas sector. Government of Canada Communications Security Establishment. https://www.cyber.gc.ca/en/guidance/cyber-threat-canadas-oil-and-gas-sector Accessed Dec 2023.

[4] M. Alanazi, A. Mahmood, M. J. M. Chowdhury (2023). SCADA vulnerabilities and attacks: A review of the state‐of‐the‐art and open issues. Computers & Security, vol. 125. ISSN 0167-4048.

[5] Advanced Network and Cybersecurity Solutions – Informed by Data Sciences (2023). Waterleaf International. https://waterleafinternational.com Accessed Dec 2023.

[6] Maximize Cyber Protection. Minimize Cost & Complexity (2023). Cyberleaf Managed Cybersecurity Service. https://cyberleaf.io Accessed Dec 2023.

[7] Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (2018). NIST SP 800-37 Rev. 2. https://doi.org/10.6028/NIST.SP.800-37r2 Accessed Dec 2023.

[8] U.S. General Services Administration (2011). FEDRAMP: Securing Cloud Services For the Federal Government. https://www.fedramp.gov/ Accessed Dec 2023.

[9] U.S. Department of Commerce (2023). National Institutes of Standards and Technology (NIST). https://www.nist.gov/ Accessed Dec 2023.

[10] CMMC: managing digital risk for the defense industrial base (DIB) and Beyond (2023). The Cyber AB. https://cyberab.org/ Accessed Dec 2023.

[11] Creating Confidence in the Connected World (2023). Center for Internet Security (CIS). https://www.cisecurity.org/ Accessed Dec 2023.

[12] The NIST Cybersecurity Framework 2.0 (2024). NIST CSWP 29 (Initial Public Draft). https://doi.org/10.6028/NIST.CSWP.29.ipd Accessed Feb 2024.

[13] NIST Information Technology Laboratory (2018). NIST Special Publication 800-series General Information. https://www.nist.gov/itl/publications-0/nist-special-publication-800-series-general-information Accessed Dec 2023.

[14] U.S. Department of Health & Human Services (1996). Health Insurance Portability and Accountability Act of 1996. Public Law 104-191. https://www.hhs.gov/hipaa/index.html Accessed Dec 2023.

[15] European Parliament & Council of the European Union (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). https://gdpr-info.eu/ Accessed Dec 2023.

[16] 23 NYCRR 500 (2022). Official Compilation of Codes, Rules and Regulations of the State of New York. Title 23: Financial Services. Chapter I: Regulations of the Superintendent of Financial Services. Part 500: Cybersecurity Requirements for Financial Services Companies. https://govt.westlaw.com/nycrr/ Accessed Dec 2023.

[17] Thousand Talents Plan (2023). Wikipedia. https://en.wikipedia.org/wiki/Thousand_Talents_Plan Accessed Dec 2023.

[18] Joint Cybersecurity Advisory (2023). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. National Cybersecurity Center. U/OO/156893-23. PP-23-1143. June 2023 Ver. 1.1. https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_PRC_State_Sponsored_Cyber_Living_off_the_Land_v1.1.PDF Accessed Dec 2023.

[19] J. Easterly (2023). The Attack on Colonial Pipeline: What We’ve Learned & What We’ve Done Over the Past Two Years. Cybersecurity and Infrastructure Security Agency (CISA). https://www.cisa.gov/news-events/news/attack-colonial-pipeline-what-weve-learned-what-weve-done-over-past-two-years Accessed Dec 2023.

[20] A. Greenberg (2021). A Hacker Tried to Poison a Florida City's Water Supply, Officials Say. Wired Magazine. https://www.wired.com/story/oldsmar-florida-water-utility-hack/ Accessed Dec 2023.

[21] CISA (2021). Cyber-Attack Against Ukrainian Critical Infrastructure. Alert Code IR-ALERT-H-16-056-01. https://www.cisa.gov/news-events/ics-alerts/ir-alert-h-16-056-01 Accessed Dec 2023.

[22] S. Gallagher (2016). Muni system hacker hit others by scanning for year-old Java vulnerability. Ars Technica. https://arstechnica.com/information-technology/2016/11/san-francisco-transit-ransomware-attacker-likely-used-year-old-java-exploit/ Accessed Dec 2023.

[23] L. Newman (2020). A Ransomware Attack Has Struck a Major US Hospital Chain. Wired Magazine. https://www.wired.com/story/universal-health-services-ransomware-attack/ Accessed Dec 2023.

[24] J. Fruhlinger (2020). Equifax data breach FAQ: What happened, who was affected, what was the impact? CSO Online. https://www.csoonline.com/article/567833/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html Accessed Dec 2023.

[25] B. Koerner (2016). Inside the Cyberattack That Shocked the US Government. Wired Magazine. https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/ Accessed Dec 2023.

[26] Threat Group Cards: A Threat Actor Encyclopedia (2023). Electronic Transactions Development Agency (ETDA). https://apt.etda.or.th Accessed Dec 2023.

[27] D. Gates (2018). Boeing hit by WannaCry virus, but says attack caused little damage. The Seattle Times. https://www.seattletimes.com/business/boeing-aerospace/boeing-hit-by-wannacry-virus-fears-it-could-cripple-some-jet-production/ Accessed Dec 2023.

[28] C. Miller (2022). Throwback attack: Russia breaches Wolf Creek Nuclear Power facility. Industrial Cybersecurity Pulse. https://www.industrialcybersecuritypulse.com/facilities/throwback-attack-russian-breaches-wolf-creek-nuclear-power-facility/ Accessed Dec 2023.

[29] C. Collins, A. Sewall (2023). Cyber Risk in Smart Transportation. ISC Security Congress 2023. Oct 18-23, 2024. https://events.isc2.org/sessions/2597/view Accessed Jan 2024.

[30] A. Vassilev, A. Oprea, A. Fordyce, H. Anderson (2024). Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations. NIST AI 100-2 E2023. https://doi.org/10.6028/NIST.AI.100-2e2023 Accessed Jan 2024.

[31] Shodan: Search Engine for the Internet of Everything (2023). Shodan.io. https://www.shodan.io/ Accessed Dec 2023.

[32] M. Antonakakis, et al. (2017). Understanding the Mirai Botnet. Proc. 26th USENIX Security Symposium. 1093-1110. Vancouver, BC, Canada. ISBN 978-1-931971-40-9.

[33] B. Toulas (2023). Hackers infect Linux SSH servers with Tsunami botnet malware. Bleeping Computer. https://www.bleepingcomputer.com/news/security/hackers-infect-linux-ssh-servers-with-tsunami-botnet-malware/ Accessed Dec 2023.

[34] Sanseo (2023). ShellBot Malware Being Distributed to Linux SSH Servers. ASEC AhnLab. https://asec.ahnlab.com/en/49769/ Accessed Dec 2023.

[35] J. Slavio, R. Tay (2022). So RapperBot, What Ya Bruting For? FortiGuard Labs Threat Research. https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery Accessed Dec 2023.

[36] Kaiten aka: STD (2021). Fraunhofer Malpedia. https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiten Accessed Dec 2023.

[37] E. Salas (2023). ShellBot’s Attack. Medium Cyberguard: Malware and Vulnerabilities Analysis. https://medium.com/@enyel.salas84/shellbots-attack-795dc725b73f

[38] Joint Cybersecurity Advisory (2022). APT Cyber Tools Targeting ICS/SCADA Devices. Cybersecurity & Infrastructure Security Agency (CISA). Product ID: AA22-103A. https://www.cisa.gov/sites/default/files/publications/AA22-103A_APT_Cyber_Tools_Targeting_ICS_SCADA_Devices.pdf Accessed Dec 2023.

[39] The OPC Foundation (2008). The Industrial Interoperability Standard – Unified Architecture. https://opcfoundation.org/ Accessed Dec 2023.

[40] CVE-2020-15368 Detail (2020). NIST Information Technology Laboratory. National Vulnerability Database (NVD). https://nvd.nist.gov/vuln/detail/CVE-2020-15368 Accessed Dec 2023.

[41] Schneider Electric (2022). APT Cyber Tools Targeting ICS/SCADA Devices. Schneider Electric Security Bulletin SESB-2022-01 V1.1. https://www.se.com/in/en/download/document/SESB-2022-01/ Accessed Dec 2023.

[42] Guide to Operational Technology (OT) Security (2023). NIST SP 800-82 Rev. 3. https://doi.org/10.6028/NIST.SP.800-82r3 Accessed Dec 2023.

[43] Tenable Cloud Security (2023). Threats have evolved. Get ahead of cyber risk. https://www.tenable.com/ Accessed Dec 2023.

[44] ICS Network Protocol Parsers (2023). Cybersecurity & Infrastructure Security Agency (CISA). https://www.cisa.gov/resources-tools/services/ics-network-protocol-parsers Accessed Dec 2023.

[45] National Institute of Standards and Technology (NIST) (2001). Security requirements for cryptographic modules: Federal Information Processing Standards Publication 140–142 (FIPS PUB 140–142). National Institute of Standards and Technology (NIST). https://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf Accessed Dec 2023.

[46] OpenAI (2022). ChatGPT. https://chat.openai.com/ Accessed Dec 2023.

[47] Microsoft (2023). Your everyday AI companion. https://copilot.microsoft.com/ Accessed Jan 2024.

[48] Google (2023). A conversational AI tool by Google. https://bard.google.com Accessed Jan 2024.

Author Bio

Adam Sewall is the Founder & CEO of Waterleaf International/Cyberleaf. He has been a successful senior executive and entrepreneur in network and cyber for more than 20 years. He has experience in cybersecurity from offensive and defensive cyber as well as development of Side Channel Analysis and integration of complex cyber defense for network operations on a global basis. He has been an SME addressing vulnerabilities, resiliency and system defense for critical infrastructure, ICS/OT as well as ground based launch platforms with the NCCOE and next gen networks.

His technical background includes work in RF engineering, SDR, mobile s/w development, hardware engineering, cybersecurity and telecommunications architecture. His project management and operations background include multiple certifications in technical fields, numerous telecom standards and the successful integration of complex infrastructure as well as global deployments of software and communications networks.

Adam founded Waterleaf International LLC as an advanced systems integrator comprised of engineers and scientists designing, building and operating smart cities and complex network infrastructure. Waterleaf launched Cyberleaf managed Cyber Security as a Service (CSaaS) in 2021 to meet the needs for advanced cyber defense for network and ICS/OT environments. Waterleaf developed the world's first commercial low latency microwave networks for the High Frequency Trading (HFT) markets and is a prime contractor for the US DoD and other agencies.

Prior executive positions include President and CEO of T3 Communications, a next generation CLEC; SVP, Bus Dev and Operations at Fastmobile; Entrepreneur-in-Residence/Venture Partner at Comventures (now Fuse Capital) a $2B California-based venture capital fund; CEO of Spectrum Wireless, an OEM/ODM of wireless hardware for last mile solutions (routing at the edge); and Executive positions at T-Mobile and Verizon Wireless.

He holds a BS Degree from SUNY and has completed graduate studies and certificates in engineering, finance, mathematics and economics at Stevens Institute, Columbia and Pace Universities. MSEE (2024) University Colorado, Boulder. He also serves on various company boards and has been a fundraiser for community causes over the course of his professional career.
