In May 2024, the industrial cybersecurity landscape faced a series of significant challenges, underscoring the urgent need for robust security measures.
High-profile incidents, such as the RansomHub attack on a Spanish slaughterhouse's SCADA system, further emphasized these vulnerabilities.
Additionally, the ongoing Israel-Hamas conflict saw hacktivist groups like Cyb3r Dragonz and ByteBlitz targeting Israeli infrastructure, adding to the complex threat landscape.
Kaspersky Forecasts ICS Threats
Kaspersky released their ICS CERT Predictions for 2024, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights about offensive cybersecurity, and new logistics and transportation risks.
Ransomware is predicted to remain the top concern for industrial businesses in 2024. Last year, ransomware attacks solidified their status as the largest information security threat, disrupting not just digital systems but also leading to significant real-world consequences. Official statements from affected organizations revealed that 18% of ransomware attacks on industrial businesses led to a halt in the production or delivery of various products, including medical devices, power grids, and transportation systems.
Recent incidents targeting Automated Tracking Systems in the Red Sea and the Indian Ocean, as well as the 2020 cyberattack on Iran's Shahid Rajaee port terminal, highlight system vulnerabilities that need to be addressed. The increasing prevalence of ransomware attacks means organizations must be prepared with not only strong preventative measures but also comprehensive response strategies.
Companies should consider investing in services like threat intelligence and incident response, as well as conducting regular backups of critical data in off-premise storage facilities. Employee training is equally crucial, as many ransomware attacks stem from successful phishing attempts or social engineering tactics.
The Kaspersky predictions also highlight the need for organizations to stay informed about the latest cybersecurity trends and threats specific to their industry. This involves monitoring the geopolitical landscape for potential risks, as well as keeping abreast of new attack vectors and vulnerabilities that could be exploited by malicious actors.
Strengthening Water Utility Cybersecurity
In May 2024, the U.S. Environmental Protection Agency (EPA) and the White House issued urgent warnings to water utilities nationwide about the growing threat of cyber attacks from hackers affiliated with Iran and China. These adversaries are increasingly targeting drinking water and wastewater systems in an effort to sabotage critical infrastructure.
The cyber attacks against water utilities are escalating in both severity and frequency. Hackers aligned with Iran's Islamic Revolutionary Guard Corps (IRGC) have carried out malicious attacks against U.S. drinking water systems, exploiting default manufacturer passwords that facilities had neglected to change. China's state-sponsored Volt Typhoon group has also compromised the IT systems of multiple drinking water utilities in the U.S. and its territories in a pattern of behavior that extends beyond typical cyber espionage.
Federal agencies assess with high confidence that these threat actors are pre-positioning to potentially disrupt critical infrastructure operations in the event of geopolitical tensions or military conflicts. Water and wastewater systems are seen as attractive targets because they are lifeline critical infrastructure but often lack the resources and technical capacity to implement top-tier cybersecurity practices.
More than 70% of water systems inspected by the EPA do not fully comply with requirements in the Safe Drinking Water Act, and some have critical vulnerabilities like default passwords and easily compromised single logins. The EPA issued an enforcement alert emphasizing that the severity of the cyber threats against water utilities has reached a point where additional action is critical.
To bolster their cyber defenses, the EPA and White House are urging water utilities to take immediate steps like:
Auditing IT systems to identify and address vulnerabilities
Ensuring all systems have up-to-date antivirus and anti-malware software
Installing security patches on a monthly basis
Implementing secure remote access practices
Segregating networks and controlling access based on job functions
Monitoring networks for suspicious activity
By implementing these basic cyber hygiene practices, water utilities can improve their ability to prevent, detect, respond to, and recover from cyber incidents. However, many water utilities, especially smaller systems, lack IT and security specialists to help them launch effective cybersecurity programs. User-friendly resources and guidance from the EPA and CISA aim to assist utilities in getting started and knowing where to turn for support in enhancing their cyber resilience.
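The hygiene items above (default passwords and shared single logins, monthly patching, secure remote access) can be turned into a repeatable self-audit over an asset inventory. The script below is an added example, not EPA or CISA material; the inventory, the model name and the factory default password are constructed placeholders, and the default is compared as a hash so the cleartext never has to be present at audit time.

```python
import hashlib
from datetime import date

# Constructed placeholder: a hypothetical HMI model and its ship-time default
# credential, stored only as a SHA-256 hash. Not any real vendor's default.
_DEFAULT_PW_HASH = hashlib.sha256(b"factory-default-placeholder").hexdigest()
DEFAULT_PASSWORD_HASHES = {"hypothetical-hmi-v1": _DEFAULT_PW_HASH}

# Audit date and the maximum age of the last patch cycle (EPA: patch monthly).
AUDIT_DATE = date(2024, 5, 31)
MAX_PATCH_AGE_DAYS = 31

# Constructed inventory of a small utility's remotely reachable systems.
INVENTORY = [
    {
        "host": "hmi-plant1", "model": "hypothetical-hmi-v1",
        "accounts": [
            # Six operators log in with one account: the "single login" problem.
            {"user": "operator", "pw_hash": _DEFAULT_PW_HASH, "users_sharing": 6},
        ],
        "last_patched": date(2024, 1, 15),
        "remote_access": "direct-rdp", "mfa": False,
    },
    {
        "host": "scada-srv", "model": "hypothetical-hmi-v1",
        "accounts": [
            {"user": "svc_historian", "pw_hash": "a" * 64, "users_sharing": 1},
        ],
        "last_patched": date(2024, 5, 20),
        "remote_access": "vpn", "mfa": True,
    },
]


def audit_host(host, today=AUDIT_DATE):
    """Return a list of findings for one inventory entry (empty list = clean)."""
    findings = []
    default_hash = DEFAULT_PASSWORD_HASHES.get(host["model"])

    for acct in host["accounts"]:
        if default_hash is not None and acct["pw_hash"] == default_hash:
            findings.append(f"{acct['user']}: factory default password still set")
        if acct["users_sharing"] > 1:
            findings.append(
                f"{acct['user']}: shared by {acct['users_sharing']} people, "
                "no individual accountability")

    patch_age = (today - host["last_patched"]).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"last patched {patch_age} days ago (limit {MAX_PATCH_AGE_DAYS})")

    # Any remote path without MFA is an exposure, and direct RDP/VNC to an
    # HMI is worse than a VPN because there is no intermediate control point.
    if host["remote_access"] != "none" and not host["mfa"]:
        findings.append(f"remote access via {host['remote_access']} without MFA")

    return findings


def audit_inventory(inventory, today=AUDIT_DATE):
    """Map each host name to its findings, keeping only hosts with problems."""
    report = {}
    for host in inventory:
        findings = audit_host(host, today)
        if findings:
            report[host["host"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The hash comparison is deliberate: the audit can run from a read-only copy of the account database without anyone handling the default credential, and the same pattern extends to checking against a breached-password list.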
Cyb3r Dragonz and ByteBlitz Target Israel
In May 2024, the ongoing conflict between Israel and Hamas led to an increase in cyber threats as hacktivist groups pivoted their attacks to target Israel. Two prominent groups, Cyb3r Dragonz and ByteBlitz, shifted their focus from Turkey to Israel amid the escalating tensions.
Cyb3r Dragonz, a pro-Russian hacktivist collective known for targeting India in the past, launched a series of DDoS attacks against over 30 Israeli government websites. The group also claimed to have stolen sensitive documents from Israel's national electricity authority and the Dorad power plant, although some experts believe these claims may be fabricated.
Meanwhile, ByteBlitz, a group that emerged in the days following the outbreak of the Israel-Hamas conflict, defaced several Israeli websites with "Free Palestine" messages. The group's limited prior activity suggests it was formed specifically in response to the current hostilities.
Security analysts warn that while hacktivist attacks may not have a significant impact on the overall threat landscape, they contribute to the chaos and unpredictability of the situation. Disinformation and panic fueled by these attacks can lead to unintended consequences, with some digital actors thriving on the turmoil itself.
As the conflict between Israel and Hamas persists, the threat of Iranian cyber attacks also looms large. Organizations are advised to remain vigilant against spearphishing attempts and educate employees on the risks associated with these attacks. Implementing robust cybersecurity measures is crucial to safeguarding critical infrastructure and assets amid the heightened geopolitical tensions in the region.
Rockwell Urges ICS Disconnection
In May 2024, Rockwell Automation issued an urgent advisory urging customers to disconnect all industrial control systems (ICSs) not intended to be connected to the public-facing internet to mitigate unauthorized or malicious cyber activity. The company emphasized the need for immediate action due to "heightened geopolitical tensions and adversarial cyber activity globally."
Rockwell Automation advised users to determine whether they have devices accessible over the internet and, if so, cut off connectivity for those not meant to be left exposed. The company stressed that users should never configure their assets to be directly connected to the public-facing internet, as removing that connectivity proactively reduces the attack surface and can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors.
In addition to disconnecting exposed ICS devices, Rockwell Automation required organizations to ensure they have adopted the necessary mitigations and patches to secure against several critical vulnerabilities impacting their products, including:
CVE-2021-22681 (CVSS score: 10.0)
CVE-2022-1159 (CVSS score: 7.7)
CVE-2023-3595 (CVSS score: 9.8)
CVE-2023-46290 (CVSS score: 8.1)
CVE-2024-21914 (CVSS score: 5.3)
CVE-2024-21915 (CVSS score: 9.0)
CVE-2024-21917 (CVSS score: 9.8)
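A first step toward Rockwell's "determine whether you have devices accessible over the internet" is to review the perimeter rule set against the OT asset inventory rather than waiting for an external scan. The script below is an added example, not Rockwell or CISA code. It simulates one packet per asset and ICS service from an untrusted source address and reports which the firewall would let through; the rule syntax, rule set, asset list and the 203.0.113.10 probe address (a documentation range) are constructed for the example. The well-known service ports are real (EtherNet/IP 44818/tcp and 2222/udp, Modbus 502, DNP3 20000, S7comm 102).

```python
import ipaddress

# Well-known ICS/OT service ports. None of these should answer to the internet.
ICS_SERVICES = {
    ("tcp", 44818): "EtherNet/IP explicit messaging (CIP)",
    ("udp", 2222): "EtherNet/IP implicit I/O (CIP)",
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 20000): "DNP3",
    ("tcp", 102): "S7comm / ISO-TSAP",
}

# Constructed rule set in a hypothetical "action proto src dst port" format
# (not any vendor's syntax). First match wins; anything unmatched is denied.
FIREWALL_RULES = """
allow tcp 198.51.100.0/24 10.10.0.0/16 44818
deny  tcp 0.0.0.0/0       10.10.5.20/32 502
allow tcp 0.0.0.0/0       10.10.5.0/24  502
allow udp 0.0.0.0/0       10.10.5.0/24  2222
allow tcp 0.0.0.0/0       10.10.9.0/24  443
"""

# Constructed OT asset inventory: address -> description.
OT_ASSETS = {
    "10.10.5.20": "PLC-A (Modbus)",
    "10.10.5.21": "PLC-B (Modbus + EtherNet/IP)",
    "10.10.0.7": "Engineering workstation",
}


def parse_rules(text):
    """Parse the simplified rule lines into dicts with parsed networks."""
    rules = []
    for line in text.strip().splitlines():
        action, proto, src, dst, port = line.split()
        rules.append({
            "action": action,
            "proto": proto,
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst),
            "port": None if port == "any" else int(port),
        })
    return rules


def first_match(rules, proto, src_ip, dst_ip, port):
    """Return the action of the first rule matching the packet; default deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule["proto"] != proto:
            continue
        if src not in rule["src"] or dst not in rule["dst"]:
            continue
        if rule["port"] is not None and rule["port"] != port:
            continue
        return rule["action"]
    return "deny"


def find_internet_exposure(rules, assets, probe_src="203.0.113.10"):
    """List (address, name, proto/port, service) tuples an internet host could reach.

    The probe source is a stand-in for "anywhere": a rule with a 0.0.0.0/0
    source matches it, a rule scoped to a partner network does not.
    """
    findings = []
    for addr, name in assets.items():
        for (proto, port), service in ICS_SERVICES.items():
            if first_match(rules, proto, probe_src, addr, port) == "allow":
                findings.append((addr, name, f"{proto}/{port}", service))
    return findings


if __name__ == "__main__":
    for addr, name, svc, desc in find_internet_exposure(parse_rules(FIREWALL_RULES), OT_ASSETS):
        print(f"EXPOSED {addr} {name}: {svc} {desc}")
```

Simulating a packet through first-match evaluation matters more than grepping for 0.0.0.0/0: in the constructed rule set, PLC-A's Modbus port is shadowed by an earlier deny and is correctly not reported, while the broader allow on the same port still exposes PLC-B, and the UDP rule exposes CIP implicit I/O on both PLCs.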
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also shared the alert, recommending that users and administrators follow appropriate measures outlined in the guidance to reduce exposure. This aligns with a 2020 joint advisory from CISA and the National Security Agency (NSA) warning of malicious actors exploiting internet-accessible operational technology (OT) assets to conduct cyber activity that could pose severe threats to critical infrastructure.