The Canadian, US, and UK governments issued a series of recommendations in their just-released security alert Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity, which mirror my own insights on the important topic.
The alert notes that all three governments are aware of pro-Russia hacktivists targeting and compromising small-scale OT systems in North American and European Water and Wastewater Systems (WWS), Dams, Energy, and Food and Agriculture sectors. These hacktivists seek to compromise modular, Internet-exposed industrial control systems (ICS) through their software components, such as human-machine interfaces (HMIs), by exploiting virtual network computing (VNC) remote access software and default passwords.
At this point, with these pro-Russia hacktivists potentially in or able to get into our water and wastewater systems since 2022, the defensive measures these operators can take are somewhat limited, but as we shall detail, the WWS, and other sectors do have some moves.
Trustwave recommends WWS and other potential OT targets update and upgrade wherever possible. In addition, the best steps to take involve truly segmenting, isolating, or air-gapping their systems. This action will ensure that they have proven backup and recovery capabilities in place in case of attack.
In addition, operators must vigilantly monitor their systems for malicious activity. They must also ensure their systems are monitoring the safety of the water going to the public and are resilient enough to enable shutoff if the worst should happen.
CISA does practice what it preaches. CISA Director Jen Easterly recently explained one of the steps her agency took to secure its systems.
“First, we deployed threat-hunting teams across multiple sectors, water, power, energy, and transportation to find and eradicate these Chinese cyber actors. And we've shared insights with others before they become victims,” Easterly said. “Now these PRC hunting missions are just part of our larger hunting missions. In just FY '23, we conducted 97 hunt engagements to eradicate threat actors from US critical infrastructure and we shared over 1,100 cyber advisories to enable risk reduction at scale.”
Finally, in addition to the recent 97 CISA-led threat hunting engagements across water, power, energy, and transportation as noted by Jen Easterly, Director of CISA, the 153,000 public drinking systems and 16,000 publicly owned WWS operators may also want to consider aligning with the private sector providers such as Trustwave’s SpiderLabs for penetration or offensive security testing engagement to identify weaknesses that may be exposing their systems and if any are found, they may want to go to the next step of a digital forensics investigation.
The Hacktivist Threat
The report noted that hacktivist activity against these sectors appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects.
However, investigations have identified that these actors can pose physical threats against insecure and misconfigured OT environments. The government agencies have observed pro-Russia hacktivists gaining remote access via a combination of exploiting publicly exposed internet-facing connections and outdated VNC software, as well as using the HMIs’ factory default passwords and weak passwords without multifactor authentication.
So far, in 2024, North American and UK investigators have responded to several WWS attacks. In these cases, the pro-Russian groups created limited physical disruptions by remotely manipulating HMIs. Specifically, manipulating HMIs has caused water pumps and blower equipment to exceed their normal operating parameters.
In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the WWS operators. Some victims experienced minor tank overflow events; however, most victims reverted to manual controls in the immediate aftermath and quickly restored operations.
The pro-Russia hacktivists use a variety of techniques to gain remote access to the HMIs and make changes to the underlying OT:
- Using the VNC Protocol to access HMIs and change the underlying OT. VNC is used for remote access to graphical user interfaces, including HMIs that control OT systems.
- Leveraging the VNC Remote Frame Buffer Protocol to log into HMIs to control OT systems.
- Leveraging VNC over Port 5900 to access HMIs by using default credentials and weak passwords on accounts not protected by multifactor authentication.
Mitigations
Security organizations from the reporting nations offered several security steps to implement. First and foremost:
- Immediately change all default passwords of OT devices (including PLCs and HMIs), and use strong, unique passwords.
- Limit exposure of OT systems to the Internet.
- Implement multifactor authentication for all access to the OT network.
Additional mitigations aligned with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST) were posted specifically to harden HMI remote access.
- Disconnect all HMIs, such as the touchscreens used to monitor or make changes to the system, or programmable logic controllers (PLCs), from the public-facing Internet. If remote access is necessary, implement a firewall and virtual private network (VPN) with a strong password and multifactor authentication to control device access [CPG 2.W] [CPG 2.X].
- Implement multifactor authentication for all access to the OT network. For additional information, see CISA’s More than a Password [CPG 2.H].
- Immediately change all default and weak passwords on HMIs and use a strong, unique password. Ensure the factory default password is not in use. Open the remote settings panel to confirm the old password is no longer shown [CPG 2.A] [CPG 2.B].
- Keep VNC updated with the latest version available and ensure all systems and software are up to date with patches and necessary security updates.
- Establish an allowlist that permits only authorized device IP addresses. The allowlist can be refined to specific times of the day to further obstruct malicious threat actor activity; organizations are encouraged to establish alerting for monitoring access attempts. An allowlist is not a complete security solution by itself but may increase the level of effort necessary for a threat actor to compromise a device.
- Log remote logins to HMIs, taking note of any failed attempts and unusual times [CPG 2.T].
