
Trustwave Backs Multinational OT Security Recommendations to Protect Critical Infrastructure

The Canadian, US, and UK governments issued a series of recommendations in their just-released security alert, Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity, which mirror my own insights on this important topic.

The alert notes that all three governments are aware of pro-Russia hacktivists targeting and compromising small-scale OT systems in North American and European Water and Wastewater Systems (WWS), Dams, Energy, and Food and Agriculture sectors. These hacktivists seek to compromise modular, Internet-exposed industrial control systems (ICS) through their software components, such as human-machine interfaces (HMIs), by exploiting virtual network computing (VNC) remote access software and default passwords.

At this point, with these pro-Russia hacktivists potentially inside, or able to get into, our water and wastewater systems since 2022, the defensive measures operators can take are somewhat limited. But, as we shall detail, the WWS and other sectors do have some moves.

Trustwave recommends that WWS and other potential OT targets update and upgrade wherever possible. Beyond that, the best steps involve truly segmenting, isolating, or air-gapping their systems. Alongside segmentation, operators should ensure they have proven backup and recovery capabilities in place in case of attack.

In addition, operators must vigilantly monitor their systems for malicious activity. They must also ensure their systems are monitoring the safety of the water going to the public and are resilient enough to enable shutoff if the worst should happen.

CISA does practice what it preaches. CISA Director Jen Easterly recently explained one of the steps her agency took to secure its systems.

"First, we deployed threat-hunting teams across multiple sectors, water, power, energy, and transportation to find and eradicate these Chinese cyber actors. And we've shared insights with others before they become victims," Easterly said. "Now these PRC hunting missions are just part of our larger hunting missions."

"In just FY '23, we conducted 97 hunt engagements to eradicate threat actors from US critical infrastructure and we shared over 1,100 cyber advisories to enable risk reduction at scale."
Jen Easterly, CISA Director

Finally, in addition to the 97 CISA-led threat hunting engagements across water, power, energy, and transportation noted by Easterly, the 153,000 public drinking water systems and 16,000 publicly owned WWS operators may also want to consider engaging private sector providers such as Trustwave's SpiderLabs for a penetration or offensive security testing engagement to identify weaknesses that may be exposing their systems. If any are found, the next step is a digital forensics investigation.


The Hacktivist Threat

The report noted that hacktivist activity against these sectors appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects.

However, investigations have identified that these actors can pose physical threats against insecure and misconfigured OT environments. The government agencies have observed pro-Russia hacktivists gaining remote access via a combination of exploiting publicly exposed internet-facing connections and outdated VNC software, as well as using the HMIs’ factory default passwords and weak passwords without multifactor authentication.

So far in 2024, North American and UK investigators have responded to several WWS attacks. In these cases, the pro-Russian groups created limited physical disruptions by remotely manipulating HMIs. Specifically, manipulating HMIs has caused water pumps and blower equipment to exceed their normal operating parameters.

In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the WWS operators. Some victims experienced minor tank overflow events; however, most victims reverted to manual controls in the immediate aftermath and quickly restored operations.

The pro-Russia hacktivists use a variety of techniques to gain remote access to the HMIs and make changes to the underlying OT:

  • Using the VNC Protocol to access HMIs and change the underlying OT. VNC is used for remote access to graphical user interfaces, including HMIs that control OT systems.
  • Leveraging the VNC Remote Frame Buffer Protocol to log into HMIs to control OT systems.
  • Leveraging VNC over Port 5900 to access HMIs by using default credentials and weak passwords on accounts not protected by multifactor authentication.


Mitigations

Security organizations from the reporting nations offered several security steps to implement. First and foremost:

  • Immediately change all default passwords of OT devices (including PLCs and HMIs), and use strong, unique passwords.
  • Limit exposure of OT systems to the Internet.
  • Implement multifactor authentication for all access to the OT network.

Additional mitigations aligned with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST) were posted specifically to harden HMI remote access.

  • Disconnect all HMIs, such as the touchscreens used to monitor or make changes to the system, or programmable logic controllers (PLCs), from the public-facing Internet. If remote access is necessary, implement a firewall and virtual private network (VPN) with a strong password and multifactor authentication to control device access [CPG 2.W] [CPG 2.X].
  • Implement multifactor authentication for all access to the OT network. For additional information, see CISA’s More than a Password [CPG 2.H].
  • Immediately change all default and weak passwords on HMIs and use a strong, unique password. Ensure the factory default password is not in use. Open the remote settings panel to confirm the old password is no longer shown [CPG 2.A] [CPG 2.B].
  • Keep VNC updated with the latest version available and ensure all systems and software are up to date with patches and necessary security updates.
  • Establish an allowlist that permits only authorized device IP addresses. The allowlist can be refined to specific times of the day to further obstruct malicious threat actor activity; organizations are encouraged to establish alerting for monitoring access attempts. An allowlist is not a complete security solution by itself but may increase the level of effort necessary for a threat actor to compromise a device.
  • Log remote logins to HMIs, taking note of any failed attempts and unusual times [CPG 2.T].
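The allowlist, time-of-day and logging items above amount to a small review rule set. As an added example (not from the advisory and not Trustwave code), the Python below applies those rules to constructed HMI VNC login records: it flags sources outside an assumed OT jump-host allowlist, logins outside an assumed 06:00-18:00 UTC maintenance window, a run of failed attempts from one source, and a success that follows such a run. The log line format, host names and addresses are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# Assumed site policy (not from the advisory): logins only from the OT jump-host
# network, only 06:00-18:00 UTC, three failures from one source alerts; all constructed.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) vnc connect from "
                     r"(?P<ip>[\d.]+):\d+ auth=(?P<result>ok|failed)$")
ALLOWLIST = [ipaddress.ip_network("10.20.30.0/24")]
WINDOW = (6, 18)        # allowed hours (UTC): start inclusive, end exclusive
FAIL_THRESHOLD = 3
SAMPLE_LOG = """\
2024-05-02T02:41:10Z hmi-pump-01 vnc connect from 203.0.113.45:51234 auth=failed
2024-05-02T02:41:13Z hmi-pump-01 vnc connect from 203.0.113.45:51235 auth=failed
2024-05-02T02:41:19Z hmi-pump-01 vnc connect from 203.0.113.45:51236 auth=failed
2024-05-02T02:42:02Z hmi-pump-01 vnc connect from 203.0.113.45:51240 auth=ok
2024-05-02T22:10:44Z hmi-blower-02 vnc connect from 10.20.30.9:50990 auth=ok
"""

def parse(line):
    # Returns a dict for one log line, or None if the line does not match.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    return rec

def review(log_text):
    """Return (alert, host, ip, iso_time) tuples for every policy violation."""
    alerts, failures = [], Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, when = rec["ip"], rec["ts"]
        tag = (rec["host"], str(ip), when.isoformat())
        if not any(ip in net for net in ALLOWLIST):
            alerts.append(("not_allowlisted",) + tag)
        if not WINDOW[0] <= when.hour < WINDOW[1]:
            alerts.append(("outside_window",) + tag)
        if rec["result"] == "failed":
            failures[ip] += 1
            if failures[ip] == FAIL_THRESHOLD:      # alert once, at the threshold
                alerts.append(("repeated_failures",) + tag)
        elif failures[ip] >= FAIL_THRESHOLD:        # success after a failure run
            alerts.append(("success_after_failures",) + tag)
    return alerts
```

Running `review(SAMPLE_LOG)` on the constructed records yields eleven alerts, including a success_after_failures alert for the login that follows the three failed attempts, which is the pattern the advisory's "failed attempts and unusual times" logging guidance is meant to surface.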


About the Author

Kevin Kerr is Lead Security Principal Consultant at Trustwave for the Americas with over 39 years of public and private sector leadership experience with the U.S. Department of Energy and as CISO of Oak Ridge National Laboratory. Follow Kevin on LinkedIn.
