Critical infrastructure insights
- CISA, NSA and the FBI have been tracking attacks by the Chinese government on critical infrastructure.
- China has a history of attacking U.S. critical infrastructure, recording 23 attacks on pipelines from 2011-2013.
- To help protect industrial control systems and critical infrastructure, it is important to make sure all software is up to date and patched, disable unused channels and have a cybersecurity team to regularly manage a business’s cybersecurity.
On June 10, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency and the Federal Bureau of Investigation (FBI) released a joint advisory concerning Chinese-sponsored cyberattacks. The report detailed a sustained campaign focused on exploiting networking devices across a broad range of public and private sector entities. The report is the most recent evidence pointing to the larger trend of increases in the number and sophistication of state-sponsored cyberattacks. This phenomenon is unlikely to reverse soon. As a result, critical infrastructure companies must understand and prepare for more of them.
For many years, the People’s Republic of China (PRC) has sustained a series of targeted cyber campaigns designed to disrupt commercial enterprises. In 2021, the Department of Justice filed criminal charges against four Chinese nationals affiliated with the Chinese Ministry of State Security. Each were found to have facilitated cyberattacks designed to collect confidential business information across the globe. Stories like this have made the public broadly familiar with the threat China poses to intellectual property and information technology (IT) security.
Less known, however, is the fact that the FBI has been tracking Chinese attacks against operational technology (OT) for more than a decade. Between 2011 and 2013 alone, the FBI was actively tracking Chinese attacks against 23 different natural gas pipelines. Sixteen of the attacks resulted in confirmed system compromises. These compromises often began with Chinese hackers gaining access to corporate networks connected to industrial control systems. This, in turn, was leveraged by Chinese actors to gain access to “SCADA networks at several U.S. natural gas pipeline companies.” Had any of these exploits been directly weaponized, the results would have been crippling.
More concerning, however, is the fact that in the decade since, the capability and sophistication of Chinese cyberattacks has risen significantly. According to the 2022 Annual Threat Assessment published by the Office of the Director of National Intelligence, China is “capable of launching cyberattacks that would disrupt critical infrastructure services within the United States, including against oil and gas pipelines and rail systems.”
The primary finding of the joint advisory was the priority Chinese actors placed on compromising networking devices. Devices produced by companies like Cisco and Netgear were common targets for attack. Yet, within the context of the 2011 to 2013 pipeline attacks, we can understand that this is not a new approach. Their information and operational functions continue to make them highly valuable cyber targets. Furthermore, in the decade since, IT/OT convergence has been accelerated by the Industrial Internet of Things and broader Industry 4.0 movement. As such, the exploitation of networking devices poses an even more substantial threat to operational technology today.
The report further details that most of these attacks are initiated through publicly reported common vulnerability exposures (CVEs). Investigators found that, in most cases, the CVE had been publicly disclosed for two years prior to being exploited by a state-sponsored attacker. Additionally, the attackers were observed to routinely use open-source network scanning tools to seek out unpatched systems and mark them as a target. This maximizes the efficiency of their operations while also eliminating the need to utilize more obvious tactics. All these developments are yet another data point that should motivate security operators to consider their own cyber resilience.
What you can do to protect critical infrastructure
Thankfully, there are effective steps that critical infrastructure companies can take to defend both their IT and OT infrastructure against state-sponsored cyberattacks:
- Apply patches for networking devices as soon as possible: Maintaining updated patches is the biggest takeaway from the advisory. Doing this will increase network resiliency and may even prevent a network from being targeted for attack.
- Disable unnecessary ports and protocols: By disabling unused channels, operators decrease the surface area of attack and mitigate the consequences of a successful intrusion. To be most effective, a robust asset inventory should be developed to ensure that no potential attack vectors are left undiscovered.
- Replace end-of-life infrastructure: Legacy and unused equipment can provide an easy attack vector. Even worse, if these devices are not adequately indexed within a larger asset inventory, then it may be difficult to even detect an intrusion.
- Implement centralized security management: Each of these practices can be made more effective by centralizing their management. SIEMs and related technologies can improve the efficiency of security operators and result in a more resilient cybersecurity posture.
The unfortunate reality is that the broader geopolitical landscape is becoming increasingly strained. This has been highlighted by the 2022 invasion of Ukraine and escalating rhetoric surrounding Taiwan. Security operators and executives at critical infrastructure companies must take this as an opportunity to double down on hiring the best people, implementing efficient processes and investing in cyber resilience technologies.
Original content can be found at Industrial Defender.