Defending OT Operations Against Ongoing Hacktivist Activity
OT environments with internet-facing connections and outdated VNC software can be compromised through open ports.
In the recently released fact sheet, the Cybersecurity and Infrastructure Security Agency (CISA) and its partners have noticed nation-state threat actors and hacktivists targeting and compromising small-scale OT systems in North American and European Wastewater Systems, Dams, Energy, and Food and Agricultural sectors. These attackers seek to compromise modular, internet-facing Industrial Control Systems (ICS). These systems contain components such as Human-Machine Interfaces (HMI) and Virtual Network Computing software (VNC) that can be exploited through default passwords and remote access software. These attacks are limited to unsophisticated techniques, such as manipulating equipment to create nuisance effects. Although unsophisticated and primitive, these attacks pose a physical threat against any insecure or misconfigured OT environment.
OT environments with internet-facing connections and outdated VNC software can be compromised through open ports. Additionally, HMIs are usually left with factory default passwords or weak passwords, in addition to not having multifactor authentication present. This would allow attackers to access a weakly configured ICS through very basic password attacks. Furthermore, OT environments with legacy or end-of-life can expose unpatched vulnerabilities that could be exploited once the system is discovered. It is crucial that immediate action is taken to update and secure these systems to prevent potential attacks.
Recent Activity
The recent attacks are not just theoretical scenarios. They have real-world consequences. The attacks originated from the compromise of Unitronics program logic controllers in late 2023. This led to wastewater systems in the United Kingdom and the United States being targeted by nation state-sponsored hacktivists. The Aliquippa Water Authority in Pennsylvania experienced a breach, with attackers gaining access to a station that monitored and regulated water pressure. The facility in Erris, Ireland, also suffered a similar attack. The facility used Eurotronics products, a rebranded version of Unitronics PLC and HMI technologies. These incidents underscore the need for immediate action to secure our OT environments.
In early 2024, CISA and partner organizations observed hacktivists targeting vulnerable industrial control systems in North America and Europe. Wastewater Systems experienced limited physical disruptions from an unauthorized user remotely manipulating HMI. These attacks could cause water pumps and blower equipment to exceed their normal operating parameters. In each case for these 2024 attacks, hacktivists maxed out set points, altered settings, deactivated alarm mechanisms, and changed admin passwords to lock out facility operators. Some victims experienced minor tank overflow events; however, reverting to manual controls as soon as a compromise was detected restored operations with minimal complications.
HMI and VNC
HMI are user interfaces connecting the utility operator to the machine, usually a screen. CISA and its partners have observed hacktivists use various techniques to access HMI to compromise OT systems. These attacks revolve around the use of VNC Software. VNC software is a remote access technology that allows users to control other computers remotely. HMI are sometimes configured to have internet-facing ports and services by default through their ICS systems and pre-installed software. These services allow any attacker who discovers these ports to access them, leveraging the VNC Remote Frame Buffer Protocol or VNC over Port 5900 to access HMI using default credentials and weak passwords on accounts not protected by multi-factor authentication. In addition, several of these attacks were HMI with unsupported legacy operating systems or foreign devices rebranded as made-in-the-USA devices, resulting in a lack of patching and consistent update cycles.
Mitigation Plan
CISA has found the leading causes of these attacks to be poor password security and unnecessary exposure to the internet. CISA and its partners advise enacting the following mitigation strategies that align with the Cross-Sector Cybersecurity Performance Goals (CPGs) and the National Institute of Standards and Technology (NIST):
Harden HMI:
-
1
Disconnect all HMI and PLCs from the public-facing internet. Implement the necessary firewalls and/or virtual private networks with additional multi-factor authentication enabled if remote access is needed.
-
2
Implement multi-factor authentication for all access to the OT network.
-
3
Replace all default factory passwords with new, strong, unique passwords.
-
4
Update VNC to the latest versions and keep up to date with patching upcoming software updates.
-
5
Establish allowlists to permit select IP addresses to access the OT environment. Refine the allowlist for specific times of the day to obstruct malicious activity in off-peak hours. Note that an allowlist enhances security but should not be considered a standalone solution.
-
6
Log all HMI information, including attempted logins, timestamps, and actions executed, and review consistently.
Strengthen Security Posture:
-
1
Practice and maintain manual operability in the event of a compromise.
-
2
Create backups of logic, configurations, firmware, and logs to enable fast recovery of OT systems. Draft and practice backup procedures.
-
3
Regularly check PLC programming and logic for any unauthorized modifications or tampering.
-
4
Safeguard network diagrams for both IT and OT environments. Apply the principles of least privilege, encryption, authentication, and authorization techniques. Restrict map viewing and modifications to trusted personnel only.
-
5
Be aware of cyber/physical related threats, as attackers can gain credentials via social engineering methods such as official visits, social media, or conference/tradeshow conversations.
-
6
Take inventory of all HMIs, including their end-of-life status, and replace all HMIs that have reached that status.
-
7
Use interlocks and cyber-physical safety systems to implement software and hardware limits, limiting the impact of a system being compromised.
Security by Design
Although steps can be taken to mitigate risks, it is ultimately OT manufacturers' responsibility to build secure products by design. It is advised for OT manufacturers to take ownership of security outcomes and work on the following:
Security-Focused Design Considerations:
-
1
Eliminate default passwords and ask users to apply strong passwords upon first startup.
-
2
Mandate multifactor authentication.
-
3
Logging should be included as a feature and not at an additional cost.
-
4
Publish software bill of materials for better measurement and vulnerability mitigation in OT systems.
Please visit this link to read the full fact sheet.