CISA Warns About Threat Actors Targeting Critical National Infrastructure

   May 07, 2024 | Beni Yellin, Cyber Research Analyst

The US Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with other security agencies including the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA), recently issued a warning regarding pro-Russia hacktivists who are targeting operational technology (OT) systems and critical national infrastructure. Water and wastewater systems, dams, energy, and food and agriculture, in both the USA and Europe, are among the sectors at risk.

While these malicious actors employ relatively unsophisticated techniques, they pose a significant physical threat to small-scale critical infrastructure by targeting insecure and misconfigured OT environments. Their modus operandi is to compromise internet-exposed industrial control systems (ICS) through their software components, such as human machine interfaces (HMIs), by abusing virtual network computing (VNC) remote access software that is reachable from the internet and protected only by default or weak passwords with no multifactor authentication. No exploit is needed: a publicly exposed VNC port plus a guessable password is enough to reach the HMI.

Recently, the hacktivists manipulated HMIs, causing water pumps and blower equipment to exceed their normal operating parameters. The hacktivists simply maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out operators. Not terribly sophisticated, but potentially lethal. Fortunately, while a minority of victims experienced minor tank overflow events, most victims were able to revert to manual control and quickly restore operations.

Mitigation Recommendations

To mitigate the risks arising from hacktivist activities, CISA recommends the following proactive measures for critical infrastructure organizations:

  1. Strengthen Password Security: Immediately replace default passwords on all OT devices with robust, unique ones.
  2. Minimize Internet Exposure: Disconnect OT systems from public networks where possible or employ strict access controls to limit exposure.
  3. Implement Multifactor Authentication: Add this extra layer of security to OT network access.
  4. Keep Software Updated: Regularly update virtual network computing (VNC) software to minimize vulnerabilities.

Additionally, our expert analysts at Radiflow strongly recommend the following crucial steps to strengthen your organization’s defense:

  1. Disable VNC Access: Given the risks associated with internet-exposed VNC, we urge organizations to stop using it altogether, or at minimum to reach it only through a VPN or jump host that enforces MFA.
  2. Establish an Allowlist: The allowlist should permit only the IP addresses of authorized devices, such as engineering workstations. It can additionally be restricted to scheduled maintenance windows, so that a login outside those hours is blocked or flagged.
  3. Log Remote Logins to HMIs: Watch for failed attempts and unusual login times.
  4. Segment the Network: Apply robust network segmentation to fortify PLC and HMI infrastructure against unauthorized access.
  5. Monitor Continuously: Utilize advanced monitoring tools to promptly detect and respond to anomalies that might be indications of a cyberattack.
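The allowlist, login-logging and monitoring steps above come together in a small detection routine. The following is an added example and not code from the original post or from Radiflow's product: it parses HMI remote-login log lines, flags successful logins from addresses outside the allowlist or outside a maintenance window, and flags bursts of failed logins followed by a success, which is the pattern a password-guessing attack against VNC leaves behind. The log format, the allowlist addresses, the 08:00-18:00 UTC window and the sample lines are all constructed for illustration; real HMI and VNC products each log differently, so the regular expression is the part to adapt.

```python
"""Added example: allowlist, off-hours and failed-login checks over HMI
remote-login logs. Not part of the original post; the log format,
allowlist and maintenance window are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like); not real data.
SAMPLE_LOG = """\
2024-05-03T02:14:07Z hmi-pump1 vncserver: login failed user=admin from=203.0.113.77
2024-05-03T02:14:09Z hmi-pump1 vncserver: login failed user=admin from=203.0.113.77
2024-05-03T02:14:11Z hmi-pump1 vncserver: login failed user=admin from=203.0.113.77
2024-05-03T02:14:13Z hmi-pump1 vncserver: login failed user=admin from=203.0.113.77
2024-05-03T02:14:15Z hmi-pump1 vncserver: login failed user=admin from=203.0.113.77
2024-05-03T02:14:20Z hmi-pump1 vncserver: login ok user=admin from=203.0.113.77
2024-05-03T09:30:02Z hmi-pump1 vncserver: login ok user=operator from=10.20.0.15
2024-05-03T23:58:41Z hmi-pump1 vncserver: login ok user=operator from=10.20.0.15
"""

# Assumed log format: "<ISO timestamp> <host> <program>: login ok|failed user=<u> from=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)

ALLOWLIST = {"10.20.0.15", "10.20.0.16"}  # hypothetical engineering workstations
WINDOW = (8, 18)                           # hypothetical maintenance window, 08:00-18:00 UTC
FAIL_THRESHOLD = 5                         # failed logins per source within FAIL_SPAN
FAIL_SPAN = timedelta(minutes=5)


def parse(log_text):
    """Return a list of dicts for the lines that match LINE_RE; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def analyse(events, allowlist=ALLOWLIST, window=WINDOW,
            fail_threshold=FAIL_THRESHOLD, fail_span=FAIL_SPAN):
    """Return (kind, source_ip, timestamp) alerts, in log order."""
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of failed logins

    def recent_failures(src, now):
        return [t for t in failures[src] if now - t <= fail_span]

    for e in events:
        if e["result"] == "failed":
            failures[e["src"]].append(e["ts"])
            # alert once, at the moment the burst reaches the threshold
            if len(recent_failures(e["src"], e["ts"])) == fail_threshold:
                alerts.append(("brute_force", e["src"], e["ts"]))
            continue

        # successful login: allowlist check, then maintenance-window check
        if e["src"] not in allowlist:
            alerts.append(("not_allowlisted", e["src"], e["ts"]))
        if not (window[0] <= e["ts"].hour < window[1]):
            alerts.append(("off_hours", e["src"], e["ts"]))
        # a success right after a burst of failures from the same source
        if len(recent_failures(e["src"], e["ts"])) >= fail_threshold:
            alerts.append(("success_after_failures", e["src"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, ts in analyse(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {kind:24s} from={src}")
```

Run against the sample, the burst from 203.0.113.77 raises a brute-force alert on the fifth failure, and the success that follows raises three more (not allowlisted, off hours, success after failures); the operator login at 23:58 from an allowlisted workstation raises only an off-hours alert, which is the kind of event worth a phone call rather than an automatic block. In practice the allowlist should be enforced at the firewall in front of the HMI as well, so that this script is confirming that the control works rather than being the only control.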

Protecting Critical Infrastructure

This recent warning from CISA underscores the importance and urgency of cybersecurity for all critical infrastructure. It serves as a blunt reminder that even unsophisticated techniques can pose a significant physical threat to essential infrastructure and services, emphasizing the need to continuously strengthen cybersecurity defenses to safeguard critical assets.

For more information see:

Unsophisticated cyberattacks can compromise vital OT systems and critical infrastructure
