“Imagine A Time” – Ambush of Critical Infrastructure In the Waiting


I am a devoted fan of all things RUSH. You know, the rock band? Those of you of my generation know who I am talking about. Their self-titled album “RUSH,” “Fly By Night,” the rock opera albums “2112” and “Hemispheres,” and “Caress of Steel” are some of my favorites, to name a few. Of these I have named, most are from the 1970’s. However, I thoroughly enjoyed and appreciated their 80’s, 90’s and 2000’s albums, among them great recordings of live concerts such as “Exit Stage Left.” But the one I am thinking about the most these days was released in 1989 and is called “A Show of Hands.” On it, there is a song titled “Manhattan Project,” which is about the impact the development of the atomic bomb had on the world as we knew it in 1945. Written by the late (and greatest) lyricist and percussionist of all time (in my opinion), Neil Peart (Wikipedia, n.d.), it is filled with references to the nations racing to build the bomb and what happened when it was finally dropped for the very first time. The lyrics of the song begin with:

Imagine a time

When it all began

In the dying days of a war

A weapon that would settle the score

Whoever found it first

Would be sure to do their worst

They always had before

-Rush, Manhattan Project, Album: A Show of Hands

As we move into 2025, I increasingly find myself going back to the lyrics of this song whenever I think about Operational Technology Cyber Resiliency/Security and all things critical infrastructure.

“When it all began…In the dying days of a war… A weapon that would settle the score”

Since Stuxnet (Wikipedia, n.d.) in 2010, we (humanity) have been in a mad dash to take advantage of this new threat, to defend against this new threat, or, most likely, to do both. One of the earliest recorded attacks affecting Operational Technology (OT) occurred in 2000 with the spread of the ILOVEYOU virus, even though it primarily targeted Information Technology systems, because: 1. It had widespread impact (Griffiths, 2020); 2. It caused significant disruption of services, private and government (Brock, 2000); 3. It drained resources (Brock, 2000); 4. It was “A Wake Up Call” (Brock, 2000), showing the need for improved preparedness, alert, coordination, detection, response, and resiliency capabilities across the private, civilian, and government sectors.


On Sunday, January 12th, 2025, CBS 60 Minutes aired its interview with retiring Federal Bureau of Investigation (FBI) Director Christopher Wray, who stated succinctly, categorically, and in very plain English that another country has “pre-positioned” itself to “lie in wait, to be in a position to wreak havoc and inflict real-world harm at a time and place of their choosing” (Rucker & Bramhall, 2025). Director Wray’s statement is corroborated by the ANNUAL THREAT ASSESSMENT OF THE U.S. INTELLIGENCE COMMUNITY, dated February 4th of last year, which stated that:

“China remains the most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks…” and that “If Beijing believed that a major conflict with the United States were imminent, it would consider aggressive cyber operations against U.S. critical infrastructure and military assets. Such a strike would be designed to deter U.S. military action by impeding U.S. decision making, inducing societal panic, and interfering with the deployment of U.S. forces,” (Office of the Director of National Intelligence, 2024).

The report, available for anyone to read, also cited other Nation-State Threat Actors who “Would be sure to do their worst” such as:

  • “PRC (Peoples’ Republic of China) operations discovered by the U.S. private sector probably were intended to pre-position cyber-attacks against infrastructure in Guam and to enable disrupting communications between the United States and Asia…”
  • “Moscow will continue to employ all applicable sources of national power to advance its interests and try to undermine the United States and its allies…Moscow views cyber disruptions as a foreign policy lever to shape other countries’ decisions and continuously refines and employs its espionage, influence, and attack capabilities against a variety of targets,”
  • “Russia maintains its ability to target critical infrastructure, including underwater cables and industrial control systems, in the United States as well as in allied and partner countries.”
  • “Tehran’s opportunistic approach to cyber-attacks puts U.S. infrastructure at risk for being targeted, particularly as its previous attacks against Israeli targets show that Iran is willing to target countries with stronger cyber capabilities than itself.”
  • “Pyongyang’s cyber forces have matured and are fully capable of achieving a variety of strategic objectives against diverse targets, including a wider target set in the United States and South Korea.”

And if last year’s U.S. Intelligence report isn’t convincing enough, the Global Cybersecurity Outlook 2025 from the World Economic Forum stated that “escalating geopolitical tensions and increasingly sophisticated cyberthreats pose significant risks to critical infrastructure, which depends on networks of interconnected devices and legacy systems” (World Economic Forum, January 13, 2025), adding that “The ongoing conflict in Ukraine exemplifies these vulnerabilities, with critical sectors such as energy, telecommunications, water and heating repeatedly targeted by cyber and physical attacks. These attacks often focus on disrupting control systems and compromising data, highlighting the critical risks associated with operational technology (OT) infrastructure” (emphasis added).


“Whoever found it first…Would be sure to do their worst…They always had before…”

But is this really happening? The answer is – YES. As early as spring 2022, almost three years ago, the company Dragos warned of a group that had the “ ‘breadth of knowledge’ that's ‘beyond’ any previously witnessed” (Starks, 2022). According to Dragos, CHERNOVITE developed “a new ICS-tailored malware (named) PIPEDREAM [which] is the seventh known ICS-specific malware following STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE, and TRISIS” (Dragos, Inc, 2022), and which is a “highly capable offensive ICS malware framework.”

(Image: Dragos' Chernovite Trading Card)
Finally, last year, OpenAI confirmed that they “terminated accounts associated with state-affiliated threat actors” (Open AI, 2024). According to their own announcement, “In partnership with Microsoft Threat Intelligence, (they)…disrupted five state-affiliated actors that sought to use AI services in support of malicious cyber activities,” specifically naming the groups Charcoal Typhoon, Salmon Typhoon, Crimson Sandstorm, Emerald Sleet, and Forest Blizzard (Open AI, 2024). Below is a list of how these state threat actors used Artificial Intelligence.

  • Chinese Affiliated Threat Actors Charcoal Typhoon and Salmon Typhoon used OpenAI's platform to investigate different companies and cybersecurity tools, troubleshoot, and write code, and produced material that might be intended for phishing schemes. They also made use of OpenAI's services to translate technical documents, collect publicly accessible data on intelligence agencies and regional cyber threats, assist with programming, and research techniques for disguising system processes.
  • Iran Affiliated Threat Actor Crimson Sandstorm turned to OpenAI for help with scripting related to app and web development, creating content that could be used in spear-phishing efforts, and studying methods for malware to avoid detection.
  • North Korea Affiliated Threat Actor Emerald Sleet used OpenAI's tools to research defense specialists and organizations in the Asia-Pacific region, review publicly known vulnerabilities, get assistance with simple programming tasks, and draft content that might support phishing activities.
  • And finally, Russian Affiliated Threat Actor Forest Blizzard primarily utilized OpenAI's services for researching satellite communication systems and radar imaging technologies, along with receiving support for coding-related tasks.

“The hopeful depend on a world without end…Whatever the hopeless may say…”

Operational Technology (OT) systems, integral to critical infrastructure such as energy, water, and transportation, are increasingly under siege by cyber threat actors. These attackers, as highlighted in the recently released Secure by Demand guide (Cybersecurity Infrastructure Security Agency, 2025)—authored by CISA and its global partners—now focus on exploiting vulnerabilities in specific OT products rather than targeting individual organizations. This shift is particularly dangerous because a vulnerability in an OT product often spans multiple victims and critical infrastructure sectors. Once compromised, these products serve as entry points to control systems, enabling attackers to cause widespread disruption. The vulnerabilities in many OT products—such as weak authentication, insecure default settings, limited logging, and legacy protocols—point to a lack of security-by-design in their development. This oversight places an immense and costly burden on asset owners to defend themselves against these threats. The Secure by Demand guide outlines twelve (12) key principles for OT owners and operators to prioritize when obtaining digital products. These include strong authentication measures, secure communications, robust configuration management, logging, and comprehensive vulnerability management. By adhering to these principles, asset owners can mitigate risks, bolster system resilience, and shift the responsibility back to manufacturers to develop secure products from the outset.

The guide underscores the urgency of these measures, particularly considering the growing sophistication of cyber threats. Malware frameworks like PIPEDREAM and state-affiliated adversaries, such as those highlighted in the recent incidents involving AI-enabled cyber operations, show that nation-state and other threat actors are actively exploiting OT vulnerabilities. Additionally, geopolitical tensions have heightened the risks, with adversaries pre-positioning themselves in critical infrastructure systems to inflict real-world harm at a time of their choosing. The report emphasizes that these threats are not hypothetical—state-affiliated actors from nations like China, Russia, Iran, and North Korea have already shown the capability and intent to exploit OT vulnerabilities for strategic gain.

“The big shots, try to hold it back…Fools try to wish it away …”

It’s clear, though, that simply adopting secure-by-design principles will not suffice in high-stakes environments like Department of Defense (DoD) programs and civilian critical infrastructure, no matter how helpful and instructional this new guide is. The successful implementation of these principles needs the direct engagement of qualified Control Systems Security Specialists (DOD 8140.03 Work Role ID: 462 Certification Index Qualifications) (Department Of Defense, n.d.). These specialists have the expertise needed to navigate the complexities of OT environments, ensuring that security measures are effectively implemented and aligned with DoD standards. Their involvement is critical for addressing the unique challenges posed by OT systems, particularly in securing operational lifecycles, mitigating risks from state-sponsored actors, and supporting compliance with regulatory mandates.

The path forward requires more than just adherence to the Secure by Demand principles—it demands a concerted effort to ensure that OT procurement, deployment, and management are aligned with robust cybersecurity standards. This includes incorporating secure-by-design elements such as strong threat modeling, secure controls, and logging as default features in OT products. It also requires holding manufacturers accountable for vulnerabilities and ensuring they provide ongoing support, such as prompt updates and patches, for the lifecycle of their products.

For Department of Defense programs, and for critical infrastructure too, the stakes are even higher. The engagement of Control Systems Cybersecurity designers and specialists who hold DOD 8140.03 qualifications, or whose Core KSATs (Knowledge, Skills, Abilities, and Tasks) are the civilian-market equivalent, is essential (Department Of Defense, n.d.). These professionals bring the specialized skills needed to address the intricacies of OT systems, from securing legacy equipment to implementing advanced authentication and encryption measures. Their expertise ensures that DoD and civilian projects stay resilient against emerging threats and aligned with the highest standards of operational security. By enforcing these standards and integrating the expertise of qualified specialists, OT operators can ensure that their systems are prepared to withstand the challenges ahead. History has shown that adversaries will exploit any vulnerability they can find—because, as the song lyrics remind us, "They always had before."

REFERENCES

  1. Brock, J. L. (2000, May 18th). Director, Governmentwide and Defense Information, Accounting and Information Management Division. (S. o. Institutions, Interviewer) Government Accountability Office. Retrieved January 15, 2025, from https://www.gao.gov/assets/t-aimd-00-181.pdf
  2. Cybersecurity Infrastructure Security Agency. (2025, January 13). Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products. Retrieved January 15, 2025, from www.cisa.gov: https://www.cisa.gov/resources-tools/resources/secure-demand-priority-considerations-operational-technology-owners-and-operators-when-selecting
  3. Department Of Defense. (n.d.). DoD Cyber Exchange - Public. Retrieved January 15, 2025, from public.cyber.mil: https://public.cyber.mil/dcwf-work-role/control-systems-security-specialist/
  4. Dragos, Inc. (2022). Chernovite. Retrieved January 15, 2025, from www.dragos.com: https://www.dragos.com/threat/chernovite/
  5. Griffiths, J. (2020, May 2). ‘I Love You’: How A Badly-Coded Computer Virus Caused Billions In Damage And Exposed Vulnerabilities Which Remain 20 Years On. Retrieved January 15, 2025, from ksltv.com: https://ksltv.com/436653/i-love-you-how-a-badly-coded-computer-virus-caused-billions-in-damage-and-exposed-vulnerabilities-which-remain-20-years-on/
  6. Office of the Director of National Intelligence. (2024). ANNUAL THREAT ASSESSMENT OF THE U.S. INTELLIGENCE COMMUNITY. United States of America. Retrieved January 15, 2025, from https://www.dni.gov/files/ODNI/documents/assessments/ATA-2024-Unclassified-Report.pdf
  7. Open AI. (2024, February 14). Disrupting malicious uses of AI by state-affiliated threat actors. Retrieved January 15, 2025, from www.openai.com: https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/
  8. Rucker, K., & Bramhall, B. (2025, January 13). ‘In position to wreak havoc’: FBI director warns of China threat before retirement. Retrieved January 15, 2025, from san.com: https://san.com/cc/in-position-to-wreak-havoc-fbi-director-warns-of-china-threat-before-retirement/
  9. Starks, T. (2022, April 13). Feds warn about foreign government-connected hackers aiming to disrupt vital industrial systems. Retrieved from cyberscoop.com: https://cyberscoop.com/cisa-doe-fbi-nsa-pipedream-chernovite-ics/
  10. Wikipedia. (n.d.). Neil Peart. Retrieved January 15, 2025, from www.en.Wikipedia.org: https://en.wikipedia.org/wiki/Neil_Peart
  11. Wikipedia. (n.d.). Stuxnet. Retrieved January 15, 2025, from en.wikipedia.org/wiki/Stuxnet: https://en.wikipedia.org/wiki/Stuxnet
  12. World Economic Forum. (January 13, 2025). Global Cybersecurity 2025 Insight Report January 2025. 2025 World Economic Forum. Retrieved January 15, 2025, from https://www.weforum.org/publications/global-cybersecurity-outlook-2025/


D. Dale Kelch, PE, MPA

Engineering Flight Chief at United States Air Force

1 month

Manhattan Project was first released on Power Windows. A Show of Hands was a live album.


More articles by F. Charlene Watson
