“Imagine A Time” – Ambush of Critical Infrastructure In the Waiting
F. Charlene Watson
Cybersecurity Resiliency Planning & Operational Technology SME
I am a devoted fan of all things RUSH. You know, the rock band? Those of you of my generation know who I am talking about. Their self-titled album “RUSH,” “Fly By Night,” “Caress of Steel,” and the rock-opera albums “2112” and “Hemispheres” are some of my favorites, to name a few. Most of those are from the 1970s. However, I thoroughly enjoyed and appreciated their 80s, 90s and 2000s albums too, including great live concert recordings such as “Exit Stage Left.” But the one I am thinking about the most these days is the 1989 live album “A Show of Hands.” On it is a song titled “Manhattan Project” (first released on the 1985 studio album “Power Windows”), which is about the impact the development of the atomic bomb had on the world as we knew it in 1945. Written by the late Neil Peart (Wikipedia, n.d.), the greatest lyricist and percussionist of all time in my opinion, it is filled with references to the nations racing to build the bomb and what happened when it was finally dropped for the very first time. The lyrics of the song begin with:
Imagine a time
When it all began
In the dying days of a war
A weapon that would settle the score
Whoever found it first
Would be sure to do their worst
They always had before
-Rush, Manhattan Project, Album: A Show of Hands
As we move into 2025, I find myself going back to the lyrics of this song again and again whenever I think about Operational Technology (OT) cyber resiliency and security, and all things critical infrastructure.
“When it all began…In the dying days of a war… A weapon that would settle the score”
Since Stuxnet (Wikipedia, n.d.) in 2010, we (humanity) have been in a mad dash to take advantage of this new class of threat, to defend against it, or, most likely, to do both. One of the earliest recorded attacks with consequences for Operational Technology (OT) occurred in 2000 with the spread of the ILOVEYOU virus. Even though it primarily targeted Information Technology (IT) systems, it belongs in the OT story because:
1. It had widespread impact (Griffiths, 2020).
2. It caused significant disruption of services, private and government (Brock, 2000).
3. It drained resources (Brock, 2000).
4. It was “A Wake Up Call” (Brock, 2000), showing the need for improved preparedness, alerting, coordination, detection, response, and resiliency capabilities across the private, civilian, and government sectors.
On Sunday, January 12th, 2025, CBS 60 Minutes aired its interview with retiring Federal Bureau of Investigation (FBI) Director Christopher Wray, who stated succinctly, categorically, and in very plain English that another country has “pre-positioned” itself to “lie in wait, to be in a position to wreak havoc and inflict real-world harm at a time and place of their choosing” (Rucker & Bramhall, 2025). Director Wray’s statement is corroborated by the Annual Threat Assessment of the U.S. Intelligence Community, dated February 4th of last year (2024), which stated that:
“China remains the most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks…” and that “If Beijing believed that a major conflict with the United States were imminent, it would consider aggressive cyber operations against U.S. critical infrastructure and military assets. Such a strike would be designed to deter U.S. military action by impeding U.S. decision making, inducing societal panic, and interfering with the deployment of U.S. forces,” (Office of the Director of National Intelligence, 2024).
The report, available for anyone to read, also cited other Nation-State Threat Actors who “Would be sure to do their worst” such as:
And if last year’s U.S. Intelligence report isn’t convincing enough, the Global Cybersecurity Outlook 2025 from the World Economic Forum stated that “escalating geopolitical tensions and increasingly sophisticated cyberthreats pose significant risks to critical infrastructure, which depends on networks of interconnected devices and legacy systems” (World Economic Forum, January 13, 2025), adding that “The ongoing conflict in Ukraine exemplifies these vulnerabilities, with critical sectors such as energy, telecommunications, water and heating repeatedly targeted by cyber and physical attacks. These attacks often focus on disrupting control systems and compromising data, highlighting the critical risks associated with operational technology (OT) infrastructure” (emphasis added).
“Whoever found it first…Would be sure to do their worst…They always had before…”
But is this really happening? The answer is YES. As early as spring 2022, almost three years ago, the company Dragos warned of a group with a “breadth of knowledge” that is “beyond” any previously witnessed (Starks, 2022). According to Dragos, the threat group CHERNOVITE developed PIPEDREAM, “a new ICS-tailored malware” that is “the seventh known ICS-specific malware following STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE, and TRISIS” (Dragos, Inc., 2022), and a “highly capable offensive ICS malware framework.”
Finally, last year OpenAI confirmed that it had “terminated accounts associated with state-affiliated threat actors” (OpenAI, 2024). According to its own announcement, “In partnership with Microsoft Threat Intelligence, (they)…disrupted five state-affiliated actors that sought to use AI services in support of malicious cyber activities,” specifically naming the groups Charcoal Typhoon, Salmon Typhoon, Crimson Sandstorm, Emerald Sleet, and Forest Blizzard (OpenAI, 2024). Below is a list of how these state threat actors used Artificial Intelligence.
“The hopeful depend on a world without end…Whatever the hopeless may say…”
Operational Technology (OT) systems, integral to critical infrastructure such as energy, water, and transportation, are increasingly under siege by cyber threat actors. As highlighted in the recently released Secure by Demand guide (Cybersecurity and Infrastructure Security Agency, 2025), authored by CISA and its global partners, these attackers now focus on exploiting vulnerabilities in specific OT products rather than targeting individual organizations. This shift is particularly dangerous because a vulnerability in an OT product often spans many victims and several critical infrastructure sectors at once. Once compromised, these products serve as entry points to control systems, enabling attackers to cause widespread disruption. The weaknesses common to many OT products, such as weak authentication, insecure default settings, limited logging, and legacy protocols, reflect a lack of security-by-design in their development. This oversight places an immense and costly burden on asset owners to defend themselves against these threats.
The Secure by Demand guide outlines twelve (12) key principles for OT owners and operators to prioritize when procuring digital products. These include strong authentication measures, secure communications, robust configuration management, logging, and comprehensive vulnerability management. By adhering to these principles, asset owners can mitigate risks, bolster system resilience, and shift the responsibility back to manufacturers to develop secure products from the outset.
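As an added illustration of why “legacy protocols” and “limited logging” in an OT product push the defensive burden onto the asset owner, here is a small Python example written for this article; it is not code from the article, from CISA, or from any vendor. It assumes Modbus/TCP as the representative legacy protocol (the guide speaks of legacy protocols generally), parses a few constructed request frames, and flags every write operation to the PLC from a host outside a hypothetical operator-maintained allowlist, because the protocol itself cannot tell an engineering workstation from an intruder.

```python
"""Added example, not code from the article, CISA or any OT vendor.

Modbus/TCP is assumed here as the representative legacy OT protocol. It has
no authentication: any host that can reach TCP port 502 on a PLC may write
coils and registers, and many PLCs do not log who did so. This script shows
the compensating control an asset owner ends up building: parse captured
Modbus/TCP requests and alert on writes from hosts outside an allowlist.
All frames, IP addresses and the allowlist below are constructed.
"""
import struct
from dataclasses import dataclass

# Function codes that change process state (writes).
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}
# Read-only function codes, parsed so that normal polling is not flagged.
READ_FUNCTION_CODES = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}

# Hypothetical allowlist: the engineering workstation and the SCADA server
# that are permitted to write to the PLC. Any other writer is an alert.
WRITE_ALLOWLIST = {"10.1.1.10", "10.1.1.20"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int        # starting coil/register address
    value_or_qty: int   # value for single writes, quantity for the others


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and the fixed leading fields of the PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2, bytes
    that follow the length field), unit id (1); the PDU then starts with the
    function code (1). Every request handled here continues with a 2-byte
    address and a 2-byte value or quantity.
    """
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header + minimal PDU")
    txn_id, proto_id, length, unit_id, fc = struct.unpack(">HHHBB", frame[:8])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    if fc not in WRITE_FUNCTION_CODES and fc not in READ_FUNCTION_CODES:
        raise ValueError(f"unsupported function code 0x{fc:02x}")
    address, value_or_qty = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(txn_id, unit_id, fc, address, value_or_qty)


def audit_writes(captures, allowlist=WRITE_ALLOWLIST):
    """Return one alert line per write request from a host not on the allowlist.

    captures: iterable of (source_ip, raw_modbus_tcp_frame) pairs, e.g. from
    a SPAN-port capture reassembled per TCP segment.
    """
    alerts = []
    for src_ip, frame in captures:
        req = parse_modbus_tcp(frame)
        if req.function_code in WRITE_FUNCTION_CODES and src_ip not in allowlist:
            alerts.append(
                f"UNAUTHORIZED WRITE from {src_ip}: "
                f"{WRITE_FUNCTION_CODES[req.function_code]} "
                f"unit={req.unit_id} addr=0x{req.address:04x} "
                f"value/qty=0x{req.value_or_qty:04x} txn={req.transaction_id}"
            )
    return alerts


# Constructed captures: (source IP, Modbus/TCP request bytes).
SAMPLE_CAPTURES = [
    # SCADA server polling 10 holding registers from address 0: benign read.
    ("10.1.1.20", bytes.fromhex("000100000006" "0103" "0000000a")),
    # Engineering workstation switching coil 1 on (0xFF00): allowed write.
    ("10.1.1.10", bytes.fromhex("000200000006" "0105" "0001ff00")),
    # Unknown host zeroing holding register 0x10: flagged.
    ("192.168.50.7", bytes.fromhex("000300000006" "0106" "00100000")),
    # Unknown host writing two registers at 0x20 (qty 2, 4 data bytes): flagged.
    ("172.16.9.3", bytes.fromhex("00040000000b" "0110" "00200002" "04" "00010002")),
]

if __name__ == "__main__":
    for line in audit_writes(SAMPLE_CAPTURES):
        print(line)
```

Run it with python3; the two alerts it prints are exactly the writes a PLC with no authentication accepts silently. In practice the same check belongs in a passive monitoring sensor fed from a SPAN port rather than inline on the control network, and the allowlist should be derived from the documented engineering and SCADA hosts, not learned from traffic.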
The guide underscores the urgency of these measures, particularly considering the growing sophistication of cyber threats. Malware frameworks like PIPEDREAM, and state-affiliated adversaries such as those highlighted in the recent incidents involving AI-enabled cyber operations, show that nation-state and other threat actors are actively exploiting OT vulnerabilities. Additionally, geopolitical tensions have heightened the risks, with adversaries pre-positioning themselves in critical infrastructure systems to inflict real-world harm at a time of their choosing. The report emphasizes that these threats are not hypothetical: state-affiliated actors from nations like China, Russia, Iran, and North Korea have already shown the capability and intent to exploit OT vulnerabilities for strategic gain.
“The big shots, try to hold it back…Fools try to wish it away …”
It’s clear, though, that simply adopting secure-by-design principles will not suffice in high-stakes environments like Department of Defense (DoD) programs and civilian critical infrastructure, no matter how helpful and instructional this new guide is. Successful implementation of these principles needs the direct engagement of qualified Control Systems Security Specialists (DoD 8140.03 Work Role ID 462, Certification Index Qualifications) (Department of Defense, n.d.). These specialists have the expertise needed to navigate the complexities of OT environments, ensuring that security measures are effectively implemented and aligned with DoD standards. Their involvement is critical for addressing the unique challenges posed by OT systems, particularly in securing operational lifecycles, mitigating risks from state-sponsored actors, and supporting compliance with regulatory mandates.
The path forward requires more than just adherence to the Secure by Demand principles: it demands a concerted effort to ensure that OT procurement, deployment, and management are aligned with robust cybersecurity standards. This includes incorporating secure-by-design elements such as strong threat modeling, secure controls, and logging as default features in OT products. It also requires holding manufacturers accountable for vulnerabilities and ensuring they provide ongoing support, such as prompt updates and patches, for the lifecycle of their products.
For Department of Defense programs, and for critical infrastructure too, the stakes are even higher. Engaging control systems cybersecurity designers and specialists with DoD 8140.03 qualifications, or the civilian-market equivalent, whose core KSATs (Knowledge, Skills, Abilities, and Tasks) match the work role, is essential (Department of Defense, n.d.). These professionals bring the specialized skills needed to address the intricacies of OT systems, from securing legacy equipment to implementing advanced authentication and encryption measures. Their expertise ensures that DoD and civilian projects stay resilient against emerging threats and aligned with the highest standards of operational security. By enforcing these standards and integrating the expertise of qualified specialists, OT operators can ensure that their systems are prepared to withstand the challenges ahead. History has shown that adversaries will exploit any vulnerability they can find, because, as the song lyrics remind us, “They always had before.”
REFERENCES
Engineering Flight Chief at United States Air Force
1 month
Manhattan Project was first released on Power Windows. A Show of Hands was a live album.