Cyber Resilience
Operational Resilience
Vulnerability Management
Risk Management

Panel: Nation-States Leveraging CPS to Damage Confidence in Resilience, Response

Michael Mimoso / Aug 11, 2025

LAS VEGAS — If CISOs need any more impetus to seriously look at the risks and threats to their cyber-physical systems (CPS), they need look no further than the aggressive stance nation-states have taken in using CPS for attacks that reduce confidence in a government’s resilience and response capabilities.

During a panel discussion moderated by NightDragon Partner and Chief Operating Officer Barbara Massa, held last week at the Black Hat USA conference, former National Cyber Director Chris Inglis, Dataminr Director of Cybersecurity Alerting Strategy Joe Slowik, and Claroty Chief Executive Officer Yaniv Vardi brought their diverse perspectives to the security of CPS, and raised the call for more awareness and protection of these critical systems.

Inglis said that cybersecurity leaders have arrived at a point where defenders must signal that deterrence matters and that nation-states will be held accountable by their peers. Activity from APT groups such as Volt Typhoon, Sandworm, and the CyberAv3ngers represents the pinnacle of adversaries’ strategies for targeting critical infrastructure.

“What is important strategically with each of those [groups] and what they’re doing is using private-sector operational CPS to put nations at risk,” Inglis said. “One desire is to hold the nation at risk and the other is to deter nations from taking action. If we look at what Volt Typhoon was doing to our bases in Guam—malware discovered embedded on critical infrastructure assets and networks—this holds the confidence we have in our critical infrastructure at risk.”

The Path from Visibility to Resilience

Resilience should be the North Star that CISOs are aiming for, the panelists said. Vardi pointed out that while concepts such as secure-by-design/default are important for newly engineered connected devices, secure remote access and complete asset visibility are the paramount defensive measures for the systems already deployed today.

“How can you protect what you don’t see? It’s about visibility,” Vardi said. “Assets are not properly identified. There are many proprietary protocols, and networks with thousands of connected assets. A CISO doesn’t know what’s connected. Start with visibility, and then secure remote access to these assets.”

Slowik, meanwhile, reinforced that internet-facing assets within critical infrastructure facilities are not secure and have made life too easy for attackers in some cases.

“There is the quality of speed and agility lacking on defense,” Slowik cautioned, pointing to adversaries’ ability to rapidly exploit software and hardware vulnerabilities before lengthy CPS patch cycles address damaging or disruptive flaws. “Their speed in weaponizing attacks is outpacing defenders’ speed to patch or mitigate vulnerabilities. Technical operations need to shorten that [exposure] and ensure adversaries don’t have a so-called happy time.”

Slowik urged CISOs to build resilient systems and devices that can withstand incidents with minimal disruption or damage.

“With resilience, you might lose assets or devices, but not process control over functionality,” he said.

APTs Strategically Targeting CPS

The panelists pointed out that the strategic targeting of CPS is enhanced by three things:

  • The current geopolitical situation and how adversaries are looking to make a societal impact through cyberspace

  • Connectivity, whereby 30 billion connected devices, smart things, and the internet of things are no longer air-gapped, and are communicating sensitive information to the cloud and to the vulnerable enterprise IT network

  • Artificial intelligence and machine learning, which are adding to attackers’ speed and sophistication.

All three are dangerous complements to the current capabilities and strategies of APTs. The China-linked Volt and Salt Typhoon actors, for example, have been discovered embedding offensive tooling on critical infrastructure in the U.S. and on military installations in Guam, as well as stealing customer communications and law enforcement information, and targeting political figures.

Sandworm, a notorious Russian APT, is believed to be responsible for damaging and disruptive attacks against Ukraine’s electricity infrastructure for more than a decade.

Iran’s CyberAv3ngers are alleged to be behind the deployment of the IOCONTROL malware and attacks against Israeli-made operational technology and industrial control systems.

Slowik added that CISOs need to be aware of how adversaries are using existing infrastructure for their own purposes. Volt Typhoon is a prime example: it uses living-off-the-land techniques to blend in with legitimate traffic and pre-positions its tooling, in theory to revisit it in a time of conflict.

“They’re leveraging network infrastructure to obfuscate pathways for follow-up action,” Slowik said, adding that Volt Typhoon uses operational relay networks to proxy communication between the threat actor and victim. 

With enterprises and critical infrastructure owners and operators keen on digital transformation for the speed, efficiency, and analysis it promises, attackers are also being presented with freshly connected—and likely vulnerable—targets.

“We are doing nothing to curtail our ability to be less attractive to attackers,” Inglis said. “Make systems harder to exploit by building in resilience. Establish continuous monitoring of CPS. And engage to evict them [from CPS and networks], or impose consequences on them. We have to make ourselves less attractive; we’re too easy, too permissive.”

Michael Mimoso, Editorial Director

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
