The U.S. Cybersecurity & Infrastructure Security Agency named the Chinese-sponsored threat group Volt Typhoon a force engaged in “disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.” CISA also said there is “high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions.”
The National Institute of Standards and Technology (NIST) defines operational technology as assets that are “programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment).”
See also: Industrial OT widely vulnerable to intrusion, survey finds
OT manages or controls other devices in the energy, waste, water treatment, and other industrial environments. Tampering with these could lead to catastrophic failures that would result in environmental damage, disruption of critical services, and possible loss of life.
Risks inherent to OT/OT devices are well-known
These devices run very slim operating systems that often cannot accommodate onboard security measures. Moreover, many manufacturers have neglected security best practices. Researchers have discovered hardcoded admin passwords, authentication bypasses, and buffer overflows on many devices.
Translation: Manufacturers don’t seem to be building for security—at all. ZScaler stated in its ThreatLabz 2023 Enterprise IoT and OT Threat Report that “five of the 39 most popular IoT exploits being disclosed in the past three years, it’s evident that attackers are exploiting legacy vulnerabilities” and that “oldest vulnerability observed dates back to 2013.”
The reality is that these devices, due to their limited nature, must be hardened from the get-go. This is problematic because this equipment can consist of commodity hardware—meaning they often are easily available, inexpensive, and easily interchangeable with other commodity devices—but connecting anything like this to the internet drastically balloons both the threat model of the asset and the attack surface of the organization.
Moreover, malicious actors have off-the-shelf tools to compromise IOT/OT assets. QBot and Mirai are two popular open-source codebases that target IOT/OT devices and may have partly fueled the “400% increase in IoT malware attacks compared to the previous year (January–June 2022),” as ZScaler’s 2023 TreatLabz report notes.
Examples of nation-state-attributed attacks
CISA’s recent announcement acknowledges the already well-known (or at least well-suspected) fact of the nation-state actors and nation-state-attributed attacks. See Lazarus Group, Cozy Bear, APT 38, and the like as prominent examples:
- Lazarus is alleged to be an actor employed by the North Korean government. The identities of the individual members are unknown, but they are associated with numerous attacks on numerous countries. Most notably, they were linked to the 2014 attack on Sony Pictures that led to the leak of a significant amount of data. Lazarus reportedly infiltrated the company’s network for more than a year, and itt’s suspected this attack was retaliation for a Sony production, “The Interview,” a comedy that painted the country’s leader in a less-than-flattering light.
- Lazarus was also associated with the Bangladesh Bank heist, which employed a sophisticated attack chain that implied a very detailed understanding of the SWIFT banking system. While much of the $1 billion stolen was recovered or blocked, this attack led to devastating financial loss.
- Perhaps most infamously, Lazarus Group was strongly associated with the WannaCry ransomware attack that affected multiple organizations across the globe. This weaponized ransomware was thwarted, but again, this intrusion could have been devastating.
- Cozy Bear has been associated with Russian intelligence agencies and linkedd with multiple high-profile attacks, including the breach of the U.S. Democratic National Committee as well as several Norwegian and Dutch ministries in which the goal seemed to be long-term espionage. Security company FireEye reported in 2020 that Cozy Bear leveraged exploits in SolarWinds Orion software, allowing them to steal security tools.
The Russian invasion of Ukraine and conflict has painted this prospect in vivid relief. The Ukrainian government famously sent out a call to raise an IT army while private ransomware groups linked to Russia are believed to operate with at least indifference by Russian government authorities. Some believe these groups operate with the blessing—by way of agreement or graft—from the Russian government itself.
See also: Why IoT device manufacturers need to prioritize cyber resilience
This cyber domain presents an opportunity for asymmetric warfare. Countries can operate cyber forces to sew chaos and cause damage to infrastructure without risking human lives or expending huge resources. The reality now is that the cyber domain is another front in a military campaign, and CISA’s announcement, in a way, further acknowledges this reality. This begs the question: Should the United States have a nationwide intranet for critical infrastructure?
Does it make sense that social media, streaming services, hospitals, water treatment plants, and factories share the same global network? Admittedly, this is a massive ask and commitment, but given the known state of threats, air gapping might be the only sure way to protect critical infrastructure, and by extension, human lives.
See also: Inside the Rockwell, Church & Dwight OT cybersecurity team-up
In the interim, these types of steps by CISA and the U.S. government are essential to improving this situation. We also need vendors to make a concerted effort to harden IOT/OT devices. Security does not have to be perfect, and likely can’t be, but making critical infrastructure environments less attractive targets will go a long way toward improving and possibly saving lives.
