Power plants, factories, oil & gas refineries etc. are all potentially targeted by foreign enemies, the US has warned.
The US National Security Agency (NSA) & the Cyber-security & Infrastructure Security Agency (CISA) have issued an alert warning that adversaries could be targeting US critical infrastructure.
ICS-CERT also issued an advisory on a critical security bug in the Schneider Electric Triconex TriStation & Tricon Communication Module.
The safety instrumented system (SIS) controllers are able to shut-down plant operations in the event of a problem, & act as an automated safety defence for industrial facilities, designed to prevent equipment failure & catastrophic incidents e.g. explosions or fire. They have been targeted before, in the 2017 TRITON attack.
“Over recent months, cyber-actors have demonstrated their continued willingness to conduct malicious cyber-activity against critical infrastructure (CI) by exploiting internet-accessible operational technology (OT) assets,” observed the NSA/CISA joint advisory, released last week.
“Due to the increase in adversary capabilities & activity, the criticality to US national security and way of life & the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to US interests or retaliate for perceived US aggression.”
Vulnerable OT Systems
The advisory goes further & explains that OT systems often consist of legacy equipment that was never designed to be connected to the internet, nor defend against malicious cyber-attacks. Simultaneously, more & more utilities, petrochemical installations, factories etc. are planning to increase remote operations.
This means conducting various activities over the web using an IT network to connect to the OT side, enabling monitoring, instrumentation & control, OT asset management/maintenance, & sometimes, process operations & maintenance.
Mainly, adversaries are using spear phishing to obtain initial access to the organisation’s IT network before pivoting to the OT network, the advisory added.
“Combined with readily available information that identifies OT assets connected via the internet (e.g., Shodan, Kamerka), are creating a ‘perfect storm’ of easy access to unsecured assets, use of common, open-source information about devices, & an extensive list of exploits deployable via common exploit frameworks,” the agencies warned.
The NSA/CISA advisory also detailed that several cyber-attack attempts have been observed.
These include attempts to: deploy commodity ransomware on both IT & OT networks; communicate with controllers & download modified control logic; & use vendor engineering software & program downloads to modify control logic & parameters on programmable logic controllers (PLCs).
PLCs are responsible for directly reading & manipulating physical processes in industrial environments.
If successful, these attempts could mean an OT network going down, a partial loss of view for human operators, lost productivity, & revenue, or, in the worst-case scenario, adversary control & disruption to physical processes.
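The advisory's concern is an attacker who lands on the IT network and then reaches controllers with engineering traffic. A defender's first check for that is whether any host outside the approved engineering workstations is talking to controllers on the ports used for programming and control. The following script is an added example, not code from the article or from NSA/CISA: it scans constructed flow-log lines and flags controller-protocol connections that originate from the IT zone, from an unapproved OT host, or from outside. The zone ranges, the engineering-workstation allowlist and the sample flows are all assumptions made up for the demo; the port map uses the standard Modbus/TCP and EtherNet/IP ports plus UDP 1502, the TriStation port reported in public TRITON analyses.

```python
"""Flag connections that reach controller engineering/control ports from hosts
other than approved engineering workstations (added example; all addresses,
zones and log lines below are constructed assumptions, not real plant data)."""
import ipaddress
from dataclasses import dataclass

IT_ZONE = ipaddress.ip_network("10.10.0.0/16")            # assumed corporate IT range
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")            # assumed plant/OT range
ENGINEERING_HOSTS = {ipaddress.ip_address("10.20.1.5")}   # assumed approved EWS

# (protocol, port) -> name.  UDP/1502 is the TriStation port described in public
# TRITON write-ups; 502 and 44818 are the standard Modbus/TCP and EtherNet/IP ports.
CONTROL_PORTS = {
    ("udp", 1502): "TriStation",
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 44818): "EtherNet/IP",
}

# Constructed sample flows: "<timestamp> <src> <dst> <proto> <dport>"
SAMPLE_FLOWS = """\
2020-07-20T08:01:12Z 10.20.1.5 10.20.5.10 udp 1502
2020-07-20T08:03:45Z 10.10.7.33 10.20.5.10 udp 1502
2020-07-20T08:04:02Z 10.10.7.33 10.20.5.11 tcp 502
2020-07-20T08:05:30Z 10.20.1.5 10.20.5.11 tcp 502
2020-07-20T08:06:11Z 10.10.7.33 10.10.9.2 tcp 445
2020-07-20T08:07:59Z 203.0.113.8 10.20.5.10 tcp 44818
"""


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    protocol: str
    reason: str


def parse_flow(line):
    """Split one flow record into typed fields."""
    ts, src, dst, proto, port = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(port)


def check_flows(text):
    """Return a Finding for every controller-protocol flow into the OT zone
    whose source is not an approved engineering workstation."""
    findings = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, port = parse_flow(line)
        if dst not in OT_ZONE:
            continue                                   # not controller traffic
        name = CONTROL_PORTS.get((proto, port))
        if name is None:
            continue                                   # not an engineering/control port
        if src in ENGINEERING_HOSTS:
            continue                                   # expected EWS activity
        if src in IT_ZONE:
            reason = "IT-zone host reached controller protocol"
        elif src in OT_ZONE:
            reason = "non-engineering OT host reached controller protocol"
        else:
            reason = "external host reached controller protocol"
        findings.append(Finding(ts, str(src), str(dst), name, reason))
    return findings


if __name__ == "__main__":
    for f in check_flows(SAMPLE_FLOWS):
        print(f"{f.ts} {f.src} -> {f.dst} [{f.protocol}] {f.reason}")
```

On the constructed sample the script flags the two IT-zone flows to controllers and the external EtherNet/IP connection, and stays silent on the approved workstation and on the IT-to-IT SMB flow. In practice the allowlist is the asset register for engineering stations, and a hit from the IT zone is exactly the IT-to-OT pivot the advisory describes.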
“Cyber campaigns are an ideal way for nation-states to apply pressure on the global stage, because they offer the advantage of plausible deniability plus the rules of engagement are undefined,” Phil Neray, VP of Industrial Cyber-security at CyberX, commented via email.
“This NSA/CISA advisory is particularly interesting because it appears to be tied to ongoing campaigns targeting industrial control systems, & it explicitly mentions the need for organisations to protect against sophisticated living-off-the-land tactics such as modifying the control logic in process controllers, which is exactly what we saw in the TRITON attack.”
Two partial-loss-of-view incidents have been recorded in the US before: One was a ransomware attack on a pipeline in Feb. that put it offline for 2 days; & the other was an attack on a wind-and-solar power plant last Nov. Loss of view means that the organisation loses the ability to monitor the current status of its physical systems.
Neray commented in an interview, “if an attacker wanted to shut down parts of the grid, one of their first steps might be precisely this loss-of-view step, because it would leave utility operators ‘blind’ to subsequent disruptive actions the attackers would take, such as switching relays off to halt the flow of electricity.”
Triconex Redux…and a Critical Bug
Parallel with the NSA/CISA alert is an ICS-CERT advisory about more bugs in Triconex SIS equipment from Schneider, one of them critical & scoring 10 out of 10 on the CVSS vulnerability-severity scale.
“Successful exploitation of these vulnerabilities may allow an attacker to view clear text data on the network, cause a denial-of-service condition or allow improper access,” comments the document.
The disclosure is concerning, given the previous targeting of this Triconex SIS. In 2017, a Middle Eastern oil & gas petrochemical facility was hit with malware called TRITON (also TRISIS or HatMan), which went further than other industrial cyber-attacks because it directly interacted with & controlled the Triconex SIS.
Because the SIS is the last line of automated safety defence for industrial facilities (i.e., protection functions meant to safeguard human lives), shutting it down paves the way for a destructive, physical attack that is unhampered by fail-safe mechanisms.
In the case of the TRITON attack, that next stage never came, as the attack was manually stopped before it could advance.
The new batch of bugs affects TriStation 1131 v1.0.0 to v4.9.0, v4.10.0 & v4.12.0, running on Windows NT, Windows XP or Windows 7; & Tricon Communication Module (TCM) models 4351, 4352, 4351A/B & 4352A/B installed in Tricon v10.0 to v10.5.3 systems.
Current & more recent versions are not exposed to these specific vulnerabilities, but many ICS installations are still running legacy versions.
The critical bug (CVE-2020-7491) is an improper access control flaw: “A legacy debug port account in TCMs installed in Tricon system Versions 10.2.0 through 10.5.3 is visible on the network & could allow inappropriate access.”
There are also 4 less-severe problems.
The bug tracked as CVE-2020-7484 (severity rating of 7.5) allows uncontrolled resource consumption, according to ICS-CERT: “A vulnerability related to the password feature in TriStation 1131 Versions 1.0 through 4.12.0 could allow a denial-of-service attack if the user is not following documented guidelines pertaining to dedicated TriStation 1131 connection and key-switch protection.”
Meanwhile, an uncontrolled resource consumption bug (CVE-2020-7486), also with a CVSS score of 7.5, could cause TCMs installed in Tricon system Versions 10.0.0 through 10.4.x to reset when under high network load. This reset could mean a denial of service for the SIS.
A further bug (CVE-2020-7485) is a hidden-functionality issue, severity rating of 5.5: “A vulnerability related to a legacy support account in TriStation 1131 versions 1.0 through 4.9.0 & 4.10.0 could allow inappropriate access to the TriStation 1131 project file.”
Also, CVE-2020-7483 (severity rating of 5.3) allows cleartext transmission of sensitive information. “A vulnerability related to the ‘password’ feature in TriStation 1131 Versions 1.0 through 4.12.0 could cause certain data to be visible on the network when the feature was enabled,” says the advisory.
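Because each of the five CVEs applies to a different version range, the practical question for an asset owner is which entries in the plant's inventory fall inside which range. The script below is an added example, not code from the article, ICS-CERT or Schneider: it encodes the version ranges exactly as the advisory text above states them, handles the "10.4.x" wildcard and the single-version entry (4.10.0) for CVE-2020-7485, and reports the matching CVEs for each inventory item, highest CVSS first. The inventory lines are constructed for the demo; the CVE identifiers, scores and ranges come from the advisory as quoted in this article.

```python
"""Match Triconex TriStation 1131 / TCM versions against the ICS-CERT ranges
quoted above (added example; the inventory below is constructed, the CVE data
is as stated in the advisory text)."""

# (CVE, product, CVSS, summary, [(lowest, highest) inclusive ranges])
ADVISORY = [
    ("CVE-2020-7491", "TCM", 10.0, "legacy debug port account visible on the network",
     [("10.2.0", "10.5.3")]),
    ("CVE-2020-7484", "TriStation 1131", 7.5, "password feature allows denial of service",
     [("1.0", "4.12.0")]),
    ("CVE-2020-7486", "TCM", 7.5, "TCM resets under high network load",
     [("10.0.0", "10.4.x")]),
    ("CVE-2020-7485", "TriStation 1131", 5.5, "legacy support account exposes project file",
     [("1.0", "4.9.0"), ("4.10.0", "4.10.0")]),
    ("CVE-2020-7483", "TriStation 1131", 5.3, "password feature transmits data in cleartext",
     [("1.0", "4.12.0")]),
]


def parse_version(text):
    """'v10.4.x' -> (10, 4, None); None marks a wildcard component."""
    parts = []
    for piece in text.strip().lstrip("vV").split("."):
        parts.append(None if piece.lower() == "x" else int(piece))
    return tuple(parts)


def _pad(version, length):
    """Pad with zeros so '1.0' compares as (1, 0, 0) against three-part versions."""
    return version + (0,) * (length - len(version))


def at_least(version, low):
    n = max(len(version), len(low))
    for v, b in zip(_pad(version, n), _pad(low, n)):
        if v > b:
            return True
        if v < b:
            return False
    return True


def at_most(version, high):
    """version <= high; a wildcard in high matches any value at that position."""
    n = max(len(version), len(high))
    for v, b in zip(_pad(version, n), _pad(high, n)):
        if b is None:
            return True
        if v < b:
            return True
        if v > b:
            return False
    return True


def affected(product, version_text):
    """Return [(cve, cvss, summary)] matching this product/version, highest CVSS first."""
    version = parse_version(version_text)
    hits = []
    for cve, prod, score, summary, ranges in ADVISORY:
        if prod != product:
            continue
        if any(at_least(version, parse_version(lo)) and at_most(version, parse_version(hi))
               for lo, hi in ranges):
            hits.append((cve, score, summary))
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed inventory: (asset tag, product, installed version)
INVENTORY = [
    ("EWS-01", "TriStation 1131", "4.10.0"),
    ("EWS-02", "TriStation 1131", "4.11.0"),
    ("SIS-A", "TCM", "10.4.2"),
    ("SIS-B", "TCM", "10.5.3"),
    ("SIS-C", "TCM", "10.6.0"),
]


def report(inventory):
    """Map asset tag -> list of matching CVE ids."""
    return {tag: [cve for cve, _, _ in affected(prod, ver)] for tag, prod, ver in inventory}


if __name__ == "__main__":
    for tag, prod, ver in INVENTORY:
        hits = affected(prod, ver)
        status = ", ".join(f"{cve} ({score})" for cve, score, _ in hits) or "not affected"
        print(f"{tag:7} {prod:15} {ver:7} {status}")
```

Running it shows SIS-A (TCM 10.4.2) inside both the critical debug-port range and the reset range, SIS-B (10.5.3) only in the critical range, SIS-C (10.6.0) clear, and the two TriStation workstations differing only in CVE-2020-7485, which the advisory limits to 4.9.0 and earlier plus 4.10.0. Note the checker only says a version is inside a stated range; whether CVE-2020-7484 is actually reachable also depends on the key-switch and dedicated-connection guidance the advisory text mentions.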
The NSA/CISA alert urges patching & mitigations across the civilian & military OT landscape, & lists recommended steps in the advisory.
National Security Systems
“OT assets are critical to the Department of Defence (DoD) mission & underpin essential National Security Systems (NSS) & services, as well as the Defence Industrial Base (DIB) & other critical infrastructure,” it reads. “At this time of heightened tensions, it is critical that asset owners & operators of critical infrastructure take…immediate steps to ensure resilience & safety of US systems should a time of crisis emerge in the near term.”