Nerd For Tech

NFT is an Educational Media House. Our mission is to bring the invaluable knowledge and experiences of experts from all over the world to the novice. To know more about us, visit https://www.nerdfortech.org/.

Control systems exposure puts critical infrastructure at risk

Taylor Armerding
Published in Nerd For Tech
7 min read · Dec 16, 2024


Experts have warned for decades that while the goal of war remains the same as always — to inflict catastrophic physical damage on the enemy — an increasing amount of that damage will be inflicted not with missiles, bullets, and bombs, but through space — cyberspace.

Indeed, if it’s possible to shut down communications systems, an electrical grid, utilities like water and sewer, transportation control systems, and more with computer keystrokes instead of fighter jets, aircraft carriers, submarines, tanks and infantry, why not? For smaller, poorer countries it tends to level the battlefield against richer, more powerful enemies.

And that’s the scenario developing worldwide, according to Censys, a software company focused on attack surface management and threat-hunting solutions.

According to a recent Censys report, there are more than 145,000 internet-exposed industrial control systems (ICS) across 175 countries, with about 38% — more than 40,000 of them — in the U.S.

Those systems are used to control the nation’s critical infrastructure, 16 sectors that include transportation, electric power, communications, water supply, healthcare, financial services, manufacturing, and more. So obviously it’s not a good thing if an attacker gets control of the controls.

Indeed, the first example the report gave of the risk was that, “In November 2023, the CyberAv3ngers, an Iranian Revolutionary Guard Corps (IRGC)-affiliated hacking group, compromised the Municipal Water Authority of Aliquippa, Pennsylvania. They targeted a water pressure monitoring system at a remote pumping station, exploiting a publicly exposed Unitronics Vision Series programmable logic controller (PLC) known to ship with default passwords.”

“The actor defaced the system’s interface with an anti-Israel message as part of a broader campaign targeting Israeli-made Unitronics PLCs globally, following regional conflicts,” according to the report.

A second example in the report is from this past January, when “the Cyber Army of Russia Reborn, a hacking group purportedly linked to Russia’s military intelligence, targeted water facilities in the small Texas towns of Muleshoe and Abernathy. The group claimed responsibility for manipulating human/machine interfaces (HMIs) at these facilities, which resulted in the overflow of water storage tanks and minor, temporary disruption of operations in Muleshoe.”

The U.S. government sanctioned two of the hackers involved, but that came months later, in July. And the attacks didn’t make international news when they happened, as surely would have been the case if those water systems had been bombed or blown up.

But the message ought to be clear: The hackers didn’t need bombs or any of the other kinetic tools of warfare. The examples also illustrate that not only information — personal, financial, and intellectual property — is at risk. So are physical objects and services, many of them critical.

This is not a new threat. As noted, experts have been talking about cyber threats for decades. Former counter-terrorism czar Richard A. Clarke warned of a “Cyber Pearl Harbor” in 2002, although that phrase became much more high-profile in 2012 when then-defense secretary Leon Panetta used it in a speech in New York to the Business Executives for National Security.

But the threat hasn’t gone away or even subsided — it seems to be expanding. Why? Perhaps in part because it’s not seen as an existential, Pearl Harbor-like, threat — at least not yet.

Plenty of cybersecurity experts have been saying for years that the “Pearl Harbor” warnings are hyperbole — that there are multiple reasons a catastrophic attack is unlikely.

First, taking down the U.S. economy would damage the economies of plenty of other nations, even those that are hostile to the U.S.

Second, a major attack on U.S. critical infrastructure would trigger a major response of the nation’s conventional military might.

Third, the U.S. critical infrastructure sectors aren’t centralized. They are both diverse and dispersed — enough to make it impossible to take down something like the entire grid with one attack.

Finally, the fact that more than 40,000 ICSs are exposed to the internet doesn’t automatically mean they’re vulnerable. Boris Cipot, security engineer with the software security company Black Duck, said that “exposed doesn’t mean guaranteed exploitability.”

He added that the barriers for attackers go beyond simply getting access to an ICS. “There are also technical barriers,” he said. “Yes, ICSs are devices; however, you still need specialized knowledge to do something with them. Gaining this knowledge is not as easy as it is for a PC or similar, more common devices.”

Still, Cipot agrees that ICS security should be much better. The exposures cited by Censys “do raise the attack surface dramatically and open new attack possibilities,” he said.

And even a regional or local takedown of critical infrastructure — communications or a section of the power grid — could cause enormous disruption. Joe Weiss, managing partner at Applied Control Solutions and a long-time blogger on control system defects, wrote recently that ICS compromises, whether unintentional or malicious, “can involve significant consequences, e.g., refinery explosions and pipeline ruptures with potential fatalities, water issues making people sick, medical devices injuring people, airplane and train crashes with potential fatalities, etc.”

In an interview he said the damage can be long-term, noting that “some transformers in the grid take three or four years to build.”

The ICS security problem was supposed to have been addressed decades ago, according to Weiss, who wrote in another recent blog post that a presidential decision directive under President Bill Clinton in 1998 “stated that all critical infrastructures, including power, were to be cyber secure within five years. That is, cyber secure by 2003, now 21 years ago.”

Instead, ICS security is worse than it was decades ago. “It’s actually gone backward,” he said, contending that too much of the focus has been on network security, “which is not the controls.”

Weiss acknowledged in his post that “there has been significant progress in securing IT [information technology] and OT [operational technology] networks. But one would think that after 23 years, the OT security community would be further along in securing critical infrastructures from control system and other kinetic cyber incidents.”

In the interview, he said it is likely true that hostile nation states don’t want to destroy the U.S. economy, but they are still busy working on the capability to hold it hostage. “China owns 10% of the power systems for New York City,” he said.

So why not address ICS vulnerabilities more aggressively even if the threat isn’t imminent?

That raises another problem — a practical and financial one. Addressing the security defects of ICSs is both time-consuming and expensive. ICSs, as originally designed, were never intended to be connected to the internet, but now they are.

According to Cipot, “we need to understand that ICSs are often old — decades since they were introduced, and replacing such legacy systems is expensive, which means that their owners would rather try to maintain than replace them.”

Craig Spiezle, managing director of Agelight Advisory Group, said it comes down to a lack of investment from all ICS stakeholders. “Part of this is due to legacy devices, part of it is lack of funding at the local and state levels to replace them, and part is a lack of availability of hardened replacements,” he said.

Whether that changes is obviously up to the owners. But they can’t say there is no advice about what to do.

Cipot said it comes down to security hygiene. “As with any device, ICSs need proper patching and administration. Monitor the systems and controls constantly. Make sure the device configurations are secure, that they only allow the needed connections, and have proper authentication in place. Also make sure that access to the systems is limited. Network segmentation will help prohibit access to the devices but also attacks from those devices to others in the networks.”

And an advisory from CISA following the attack in Pennsylvania by the IRGC has a list of recommendations.

  • Change all default passwords on PLCs [programmable logic controllers] and HMIs [human machine interfaces] and use a strong password.
  • Disconnect the PLC from the public-facing internet.
  • Implement multifactor authentication for access to the OT network whenever applicable.
  • If remote access is required, implement a firewall and/or virtual private network (VPN) in front of the PLC to control network access. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication.
  • Create strong backups of the logic and configurations of PLCs to enable fast recovery. Get familiar with factory resets and backup deployment as preparation for a possible ransomware attack.
  • Keep PLC devices updated.
  • Confirm third-party vendors are applying the above recommended countermeasures to mitigate exposure of these devices and all installed equipment.
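As an added example (not from the article or the CISA advisory) of what "disconnect the PLC from the public-facing internet" and "implement a firewall and/or VPN in front of the PLC" mean in practice: a small Python model of a first-match firewall policy, showing the flat network that a scanner like Censys would find next to the segmented policy the advisory describes. All addresses are constructed, and 20256/tcp is assumed as the PLC service port.

```python
"""Constructed model of the 'firewall in front of the PLC' recommendation.

A first-match ACL evaluator and two rulesets: the flat network that internet
scanners find, and the segmented one CISA recommends, where only a VPN/MFA
gateway may reach the PLC. Addresses are made up; 20256/tcp is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PLC = "10.30.0.10"          # constructed PLC address on the OT segment
PLC_PORT = 20256            # assumed PLC service port
VPN_GATEWAY = "10.20.0.5"   # constructed VPN gateway that enforces MFA

@dataclass(frozen=True)
class Rule:
    src: str                # source CIDR the rule matches
    dst: str                # destination CIDR the rule matches
    dport: Optional[int]    # TCP destination port, or None for any port
    action: str             # "accept" or "drop"

    def matches(self, src, dst, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

def evaluate(rules, src, dst, dport, default="drop"):
    """First matching rule wins; otherwise the chain's default policy applies."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return default

# Weak policy: a router that forwards anything from anywhere to the OT segment.
EXPOSED = [Rule("0.0.0.0/0", "0.0.0.0/0", None, "accept")]

# Hardened policy: only the VPN gateway may reach the PLC service port, and
# everything else destined for the OT segment is dropped (and would be logged).
SEGMENTED = [
    Rule(VPN_GATEWAY + "/32", PLC + "/32", PLC_PORT, "accept"),
    Rule("0.0.0.0/0", "10.30.0.0/24", None, "drop"),
]

def internet_can_reach_plc(rules):
    """The question an internet-wide scan effectively asks of the perimeter."""
    return evaluate(rules, "203.0.113.7", PLC, PLC_PORT) == "accept"

def vpn_can_reach_plc(rules):
    """Legitimate remote access still works through the MFA-fronted gateway."""
    return evaluate(rules, VPN_GATEWAY, PLC, PLC_PORT) == "accept"
```

Running `internet_can_reach_plc` against each ruleset is the check a defender would automate against the real perimeter configuration, with `evaluate` replaced by the actual firewall's policy export.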

Even those aren’t silver bullets, according to Weiss, who wrote that some of them are useful but not all are realistic. For example, in response to the recommendation that a VPN will enable multifactor authentication even if the PLC doesn’t, Weiss wrote that “If the PLC is already compromised, the VPN will be providing compromised data.”

Weiss argues that much of the security problem with ICSs is because of a lack of communication between those who manage networks and those who manage the control devices. “There is a continuing culture chasm between cybersecurity managed by the CISO and the engineering and operations personnel responsible for operational technology,” he said.

“The culture chasm results in both sides either not talking or talking past each other including each side not requiring appropriate competence in their standards and requirements. Cyberattackers recognize these gaps and are exploiting them.”

Written by Taylor Armerding

I write mainly about software security, data security, and privacy.