An Overall Look at Critical Infrastructure of the U.S. and How it is Under Attack (Part III)
Michael Reyes
Navy Vet | Industrial Consultant | Cybersecurity Engineer | ICS/OT | CISSP | GRID | (ISC)2 CC | NSE 3 | GRC | TryHackMe Top 4%
This is the final part of the three-part series that I had been working on. It has been a minute but I wanted to finish and post the work that I had completed, but never got to sharing. Comments and critiques are welcomed.
In this final article, we discuss some of the Alerts published by CISA, their implications, and the recommendations that came out of them.
For ease, for those who prefer to read on Medium.com, all three parts are linked below: Part I, Part II, and Part III.
While most of the examples provided so far have dealt with a single sector of the United States' critical infrastructure, the same weaknesses exist in every sector that employs an ICS. This can be illustrated by reviewing some of the Alerts published by the Cybersecurity and Infrastructure Security Agency (CISA) through its National Cyber Awareness System. The Alerts are meant to "provide timely information about current security issues, vulnerabilities, and exploits" and are frequently issued as Joint Cybersecurity Advisories, because the analytic effort comes not just from CISA but from other intelligence and government agencies: the Federal Bureau of Investigation (FBI), the Environmental Protection Agency (EPA), the National Security Agency (NSA), etc. (CISA, n.d.). To begin, we can review the most recent CI sector-based Alert, Ongoing Cyber Threats to U.S. Water and Wastewater Systems (AA21-287A), which describes the common Tactics, Techniques, and Procedures (TTPs) used by the various threat actors targeting the IT and OT devices, systems, and networks of the Water and Wastewater Systems (WWS) sector.
CISA Alert AA21-287A, Ongoing Cyber Threats to U.S. Water and Wastewater Systems
The most prevalent technique is spear phishing: scam email or other electronic communication (e.g., SMS text messages) targeted at a specific individual or organization, as distinct from the massive spam campaigns used for non-targeted phishing (Kaspersky, n.d.). These electronically delivered social engineering lures are meant to establish a foothold, or initial access, within a network: the message carries a malicious link or attachment that attempts to execute hidden malicious code on the target's systems. To make these messages appear legitimate, attackers put a great deal of effort into customizing them so that they appear to come from trusted sources, reducing suspicion and increasing the likelihood that a link will be clicked or a file opened. It is this cleverness and subterfuge that gives spear phishing such a high success rate against organizations around the globe.
Alert AA21-287A also dives into the issue of outdated or unsupported operating systems and software. The alert calls out two big issues at many WWS facilities:
Part of the issue is attributed to WWS facilities being resourced through municipal systems, often inconsistently, leaving some facilities unable to consistently maintain high cybersecurity standards because funding, training, or personnel are not available. Running outdated and unsupported software means that patches and updates have not been installed, or that the vendor has stopped supporting the equipment or software entirely, leaving unnecessary vulnerabilities available as attack vectors.
CISA Alert AA20-049A, Ransomware Impacting Pipeline Operations
To show that other CI sectors are not immune to the weaknesses found in WWS facilities, Alert AA20-049A, Ransomware Impacting Pipeline Operations, illustrates how effective spear phishing is at gaining a foothold within an organization, regardless of industry. After initial access is gained, the most common disabling method is a ransomware attack, which encrypts the data on the target systems or servers, rendering it inaccessible because the victim does not hold the decryption key. Whether the target is the Master Boot Record (MBR) or assorted MS Office documents and PDF files, the end result of a ransomware attack is normally that the files and systems are held hostage so that payment can be demanded from the victim. The willingness to target a CI facility comes in part from the perception that such entities have the financial ability to pay a large ransom.
In addition, this alert discusses the growing problem of CI facilities failing to "implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks" (CISA, 2020). This closing of the "gap" between IT and OT systems is what allows ransomware to have such a devastating effect on ICS SCADA systems and their HMIs, forcing full facility shutdowns and zeroing out essential production or processing. In this particular attack against an undisclosed natural gas compression facility, the PLCs that read and manipulate the physical process were not impacted, but that was not due to any sophisticated countermeasures by the facility; it was because the ransomware was limited in scope to Windows-based systems (CISA, 2020). Even so, the facility had to perform a deliberate shutdown of operations lasting approximately two days. This close call illustrates how near a CI facility came to having its OT operational capability directly impacted by a "simple" financially motivated ransomware attack, made possible by the merging of IT and OT systems.
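To make the segmentation point concrete, here is an added example (my own illustration, not code from the CISA alert or from the affected facility) of a small policy linter for the IT/OT boundary firewall. Given a first-match rule list, it checks that the OT zone has an explicit catch-all deny from IT and that none of the Windows services ransomware uses to spread (SMB, MS-RPC, RDP, WinRM) is reachable from ordinary IT hosts; only a named jump host is allowed through. The two policies, the zone names and every address below are constructed for the example.

```python
"""Lint an IT/OT boundary firewall policy for the gap AA20-049A describes.

Added example; the rule format, zone names and addresses are constructed
for illustration and do not come from the alert or any real facility.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Windows services commonly used for lateral movement and ransomware spread.
LATERAL_SERVICES = {
    ("tcp", 445): "SMB",
    ("tcp", 135): "MS-RPC",
    ("tcp", 3389): "RDP",
    ("tcp", 5985): "WinRM",
    ("tcp", 5986): "WinRM-TLS",
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    src_net: str          # CIDR or "any"
    dst_zone: str
    dst_net: str          # CIDR or "any"
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None means any port
    action: str           # "allow" or "deny"

    def matches(self, src_zone, src_ip, dst_zone, dst_ip, proto, port):
        if self.src_zone != src_zone or self.dst_zone != dst_zone:
            return False
        if self.src_net != "any" and ip_address(src_ip) not in ip_network(self.src_net):
            return False
        if self.dst_net != "any" and ip_address(dst_ip) not in ip_network(self.dst_net):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.port is not None and self.port != port:
            return False
        return True


def effective_action(policy, src_zone, src_ip, dst_zone, dst_ip, proto, port, default="deny"):
    """First-match evaluation, the way most firewalls process a rule list."""
    for rule in policy:
        if rule.matches(src_zone, src_ip, dst_zone, dst_ip, proto, port):
            return rule.action
    return default


def lint_boundary(policy, it_hosts, ot_hosts, jump_hosts=()):
    """Return a list of findings; an empty list means the boundary looks sound.

    it_hosts / ot_hosts are representative IPs to probe from each zone;
    jump_hosts are IT-side IPs that are allowed to reach OT admin services.
    """
    findings = []
    # 1. An explicit catch-all deny IT->OT must exist, so that a permissive
    #    rule appended later cannot silently widen exposure.
    has_catchall = any(
        r.src_zone == "IT" and r.dst_zone == "OT" and r.src_net == "any"
        and r.dst_net == "any" and r.proto == "any" and r.port is None
        and r.action == "deny"
        for r in policy
    )
    if not has_catchall:
        findings.append("no explicit catch-all deny rule from IT to OT")
    # 2. No lateral-movement service may be reachable from an ordinary IT host.
    for src in it_hosts:
        if src in jump_hosts:
            continue
        for dst in ot_hosts:
            for (proto, port), name in LATERAL_SERVICES.items():
                if effective_action(policy, "IT", src, "OT", dst, proto, port) == "allow":
                    findings.append(f"{name} ({proto}/{port}) reachable from IT host {src} to OT host {dst}")
    return findings


# Constructed policies. WEAK_POLICY is the flat "no robust segmentation" case.
WEAK_POLICY = [
    Rule("IT", "any", "OT", "any", "any", None, "allow"),
]
HARDENED_POLICY = [
    # Only the jump host may RDP into the engineering-workstation subnet.
    Rule("IT", "10.1.0.5/32", "OT", "10.20.3.0/24", "tcp", 3389, "allow"),
    # One named IT server may replicate from the OT historian.
    Rule("IT", "10.1.0.20/32", "OT", "10.20.2.10/32", "tcp", 1433, "allow"),
    # Explicit catch-all deny from IT to OT.
    Rule("IT", "any", "OT", "any", "any", None, "deny"),
]
IT_HOSTS = ["10.1.0.5", "10.1.0.20", "10.1.5.77"]  # jump host, IT server, ordinary workstation
OT_HOSTS = ["10.20.3.15", "10.20.2.10"]             # engineering workstation, OT historian

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, lint_boundary(policy, IT_HOSTS, OT_HOSTS, jump_hosts={"10.1.0.5"}))
```

Run the same linter against the exported rule base of a real boundary firewall after mapping its rule format onto Rule; the probe hosts should be real addresses from each zone, including the engineering workstations and historians that ransomware reaches first.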
CISA Alert AA21-131A, DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks
While CISA alerts provide varying levels of detail about individual and sector-wide incidents and the attack vectors used, the identities of the CI facilities involved are usually kept confidential, and no direct public information is available for deeper inspection and analysis. In contrast to this norm, the attack on Colonial Pipeline, discovered on Friday, May 7, 2021, was a very public example of how quickly an IT network breach can cause severe OT-side disruption, with cascading failures at downstream facilities. While the Alert did not disclose how initial access was gained, later disclosures by Mandiant Senior Vice President Charles Carmakal showed that the attackers had gained initial access on April 29, 2021, using the password of a compromised Virtual Private Network (VPN) account (Turton & Mehrotra, 2021). The VPN account was no longer in use but had been left active, and it did not have multi-factor authentication (MFA) enabled, "the report said, adding the password has since been discovered inside a batch of leaked passwords on the dark web, suggesting that an employee of the company may have reused the same password on another account that was previously breached" (Lakshmanan, 2021).
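As an added example of the check a practitioner would want after the Colonial Pipeline disclosure (my illustration, not code from Mandiant, Colonial Pipeline, or CISA): screening a password against a breach corpus without sending the password anywhere, using the k-anonymity range scheme of Have I Been Pwned's Pwned Passwords API (SHA-1 the password, send only the first five hex characters, compare the remaining 35 locally against the returned suffixes). The network call is replaced by a constructed in-memory range table so the example runs offline; the leaked passwords in it are made up.

```python
"""Screen a password against a leaked-password corpus with k-anonymity.

Added example. fetch_range() is a stand-in for the real range endpoint
(GET https://api.pwnedpasswords.com/range/<prefix>); the corpus behind it
is constructed for the example and is not real breach data.
"""
import hashlib


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """Return (prefix, suffix). Only the 5-char prefix ever leaves the host."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


# Constructed stand-in for the service: prefix -> list of "SUFFIX:COUNT"
# lines, the same shape the real range endpoint returns.
_FAKE_RANGE_DB = {}


def _seed(leaked_passwords):
    """Populate the fake range table from a constructed (password, count) list."""
    for pw, count in leaked_passwords:
        prefix, suffix = split_for_range_query(pw)
        _FAKE_RANGE_DB.setdefault(prefix, []).append(f"{suffix}:{count}")


_seed([("Summer2020!", 1234), ("P@ssw0rd", 99999), ("pipeline123", 7)])


def fetch_range(prefix: str):
    """Stand-in for the HTTP call; returns the suffix lines for one prefix."""
    return _FAKE_RANGE_DB.get(prefix, [])


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus (0 = not found).

    The comparison of the 35-char suffix happens locally, so the service
    never learns which of the returned hashes, if any, was the real one.
    """
    prefix, suffix = split_for_range_query(password)
    for line in fetch_range(prefix):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def should_block(password: str, threshold: int = 1) -> bool:
    """Policy hook: reject any password seen at least `threshold` times."""
    return breach_count(password) >= threshold


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple"):
        print(candidate, breach_count(candidate), should_block(candidate))
```

Wiring this into account provisioning and password changes is the control NIST SP 800-63B calls for (checking new passwords against known-compromised lists); it would have rejected a VPN password that already sat in a leaked batch.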
Once inside, the servers targeted were Colonial Pipeline's Level 3 information servers in the SCADA stack, meaning that the lower-level OT servers and networks downstream were exposed, as these critical OT systems were "accessible by IT personnel, internet-connected gateways, remote admin access, and other systems" (see Figure 1, Colonial Pipeline SCADA Stack; Virsec, n.d.).
Again, in this case the ICS/OT systems remained unaffected at the time the ransomware was discovered, but Colonial Pipeline judged it prudent to take its Level 2 and below systems offline to fully contain the malware. While prudent from an operational standpoint, the repercussions of this action were felt across the United States, as the company provides "about 45% of fuel for the East Coast, including gasoline, diesel fuel, heating oil, jet fuel and fuel used by the military" (Kaspersky ICS CERT, 2021). That translates to about 2.5 million barrels of fuel per day, moving from the Gulf Coast to states along the Eastern Seaboard (Turton & Mehrotra, 2021). Many gas stations ran out of fuel or had long lines, driven by citizens panicking at the idea that the pipeline would be shut down for an unspecified period. While the pipeline resumed operation approximately five days later, the attack exemplifies how quickly a combination of poorly implemented, or nonexistent, security controls can create cascading waves of public panic when critical infrastructure is threatened or disabled by adversaries, even on a short-term basis.
Implications
As the world has become more connected and integrated, so too has the critical infrastructure that underpins it. This integration has provided new opportunities for both criminal groups and nation-state-funded APTs to target CI facilities for research, intelligence, data, financial gain, or simply to cause damage to the equipment or to the populace that depends on its continued function. This is evident in the July 2020 warning in Alert AA20-205A, NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems. Alert AA20-205A specifically called out how, across all sixteen U.S. critical infrastructure sectors, the desire of CI facilities to modernize with internet-accessible OT assets allows each entity to:
This leads to the closing of the traditional "air gap" that completely separated IT systems from OT systems and their critical operating components. This increased interconnectivity makes it more attractive for attackers to use spear phishing or brute-force attacks to gain entry and then deploy ransomware to internal servers, in the hope that the malware will spread to critical OT systems and so increase the likelihood of a full ransom payment. This helps explain why at least one research source found that "ransomware attacks rose by 62% in 2020, with ransom demands rising 225%" (SecurIcon Team, 2021). The Colonial Pipeline attack reviewed above is a perfect example of the potential fallout from even one CI facility succumbing to an attack that did not directly affect OT networks, but simply required them to be shut down to ensure infrastructure safety.
Recommendations and Lessons Learned
To counter these ever-evolving threats, the owners of U.S. critical infrastructure need to adopt a heightened state of awareness and make use of the many sources and services that publish mitigation recommendations, such as Alert AA21-131A, DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks. While the malware discussed there is DarkSide, the mitigation strategies in the alert apply against other attack vectors as well. To start, looking at the Colonial Pipeline breach, the incident could very likely have been avoided if the organization had simply required MFA for remote access to both its IT and OT networks.
In addition, better account administration, such as requiring that accounts be disabled shortly after they are no longer needed, could also have prevented the incident. Equally useful would have been to combine MFA with restricting remote access over the network to only those accounts that are operationally necessary, and even then the Principle of Least Privilege should be applied to limit the potential spread of an attack. Furthermore, application allowlisting, a security policy that permits only known, approved programs to execute on a system, helps prevent unauthorized malware execution. Lastly, and potentially most importantly, all users must receive rigorous spear phishing training to "discourage users from visiting malicious websites or opening malicious attachments and re-enforce the appropriate user responses to spear phishing emails" (CISA, 2021).
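As an added example tying the account-side recommendations together (my illustration, not CISA's code): an audit over a constructed account inventory that flags the conditions behind the Colonial Pipeline compromise, namely enabled accounts with no recent logon, remote-access entitlements without MFA, and admin group membership not justified by role. The inventory rows, the field names, the 90-day staleness window and the group names are all assumptions; a real export from Active Directory, an identity provider, or a VPN concentrator would have to be mapped onto them.

```python
"""Audit an account inventory for stale accounts, remote access without MFA,
and admin membership that the account's role does not justify.

Added example; the inventory and field names are constructed, not taken
from any real directory.
"""
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)          # assumption: 90 days without logon = disable

# Groups that confer admin rights, and the role groups that justify holding them.
ADMIN_GROUPS = {"domain-admins"}
ADMIN_ROLE_GROUPS = {"it-admins"}

# Constructed inventory rows:
# (username, enabled, last_logon as ISO-8601 UTC or None, vpn_entitled, mfa_enrolled, groups)
INVENTORY = [
    ("jsmith",      True,  "2021-04-20T14:02:00Z", True,  True,  {"vpn-users"}),
    ("contractor7", True,  "2020-11-02T09:30:00Z", True,  False, {"vpn-users"}),            # the Colonial-style case
    ("svc_backup",  True,  None,                   False, False, {"backup-operators"}),
    ("ot_eng01",    True,  "2021-05-01T06:15:00Z", True,  True,  {"vpn-users", "ot-engineering", "domain-admins"}),
    ("old_admin",   False, "2019-01-10T08:00:00Z", True,  False, {"vpn-users", "domain-admins"}),
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp ('...Z'); None stays None (never logged on)."""
    if s is None:
        return None
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit(inventory, now_iso, stale_after=STALE_AFTER):
    """Return {username: [finding, ...]} for every account that needs action."""
    now = parse_ts(now_iso)
    findings = {}
    for user, enabled, last_logon, vpn, mfa, groups in inventory:
        issues = []
        if not enabled:
            # A disabled account is fine, but a lingering entitlement is worth
            # cleaning up so re-enabling it never silently restores remote access.
            if vpn:
                issues.append("disabled account still carries a VPN entitlement")
        else:
            last = parse_ts(last_logon)
            if last is None or now - last > stale_after:
                issues.append(f"enabled but unused for >{stale_after.days} days: disable")
            if vpn and not mfa:
                issues.append("remote access without MFA")
            if groups & ADMIN_GROUPS and not (groups & ADMIN_ROLE_GROUPS):
                issues.append("admin group membership not justified by role: apply least privilege")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(INVENTORY, "2021-05-07T00:00:00Z").items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Run on a schedule and fed from the real directory, the "enabled but unused" and "remote access without MFA" findings are exactly the two conditions that, together, let an old VPN password reused elsewhere become an initial-access vector.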
In Conclusion
Since before the discovery of Stuxnet, critical infrastructure around the world has been under attack, and the integration of IT and OT systems and networks ensures not only that the attacks will increase year over year, but that each intrusion carries the potential to seriously damage equipment or the public that the CI is meant to serve. While many CI facility owners and operators appear to be behind the curve, having to update operational equipment while also addressing ever-expanding cybersecurity concerns, resources exist, such as the CISA National Cyber Awareness System and its published Alerts, that provide insight into what new threat vectors exist and what strategies can be implemented to mitigate these very serious threats.
References for Article
CISA. (n.d.). National Cyber Awareness System. Retrieved from Cybersecurity & Infrastructure Security Agency (CISA): https://www.cisa.gov/uscert/ncas
CISA. (2020, October 24). Alert (AA20-049A) - Ransomware Impacting Pipeline Operations. Retrieved from Cybersecurity and Infrastructure Security Agency (CISA) National Cyber Awareness System: https://www.cisa.gov/uscert/ncas/alerts/aa20-049a
CISA. (2020, July 23). Alert (AA20-205A) NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems. Retrieved from Cybersecurity and Infrastructure Security Agency (CISA) National Cyber Awareness System: https://www.cisa.gov/uscert/ncas/alerts/aa20-205a
CISA. (2021, May 11). Alert (AA21-131A) DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks. Retrieved from Cybersecurity and Infrastructure Security Agency (CISA) National Cyber Awareness System: https://www.cisa.gov/uscert/ncas/alerts/aa21-131a
CISA. (2021, October 25). Alert (AA21-287A) - Ongoing Cyber Threats to U.S. Water and Wastewater Systems. Retrieved from Cybersecurity and Infrastructure Security Agency (CISA) National Cyber Awareness System: https://us-cert.cisa.gov/ncas/alerts/aa21-287a
Kaspersky ICS CERT. (2021, May 21). DarkChronicles: the consequences of the Colonial Pipeline attack. Retrieved from Kaspersky ICS CERT: https://ics-cert.kaspersky.com/reports/2021/05/21/darkchronicles-the-consequences-of-the-colonial-pipeline-attack/
Kaspersky. (n.d.). What is Spear Phishing? - Definition. Retrieved from Kaspersky: https://usa.kaspersky.com/resource-center/definitions/spear-phishing
Lakshmanan, R. (2021, June 07). Hackers Breached Colonial Pipeline Using Compromised VPN Password. Retrieved from The Hacker News: https://thehackernews.com/2021/06/hackers-breached-colonial-pipeline.html
SecurIcon Team. (2021, June 9). Right-of-Breach Mentality Leads to Cyberattacks on Critical Infrastructure. Retrieved from SecurIcon: https://www.securicon.com/right-of-breach-mentality-leads-to-cyberattacks-on-critical-infrastructure/
Turton, W., & Mehrotra, K. (2021, June 4). Hackers Breached Colonial Pipeline Using Compromised Password. Retrieved from Bloomberg Cybersecurity: https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password
Virsec. (n.d.). Virsec Analysis of the Colonial Pipeline Attack. Retrieved from Virsec: https://www.virsec.com/blog/virsec-analysis-of-the-colonial-pipeline-attack
#cybersecurity #ics #icssecurity #blueteam #cyberdefense #cyberrisk #cyberriskmanagement #cybersecurityawareness #cisa #criticalinfrastructure #criticalinfrastructureprotection #watertreatmentsystems #hacking #research #cyberattack #cyberintelligence