Cyber Daily editor Liam Garman recently had the opportunity to sit down with Dragos’ head of OT CERT, Dawn Cappelli, to unpack the world of operational technology and how critical infrastructure providers can protect themselves amid growing cyber risks.
Liam Garman, editor of Cyber Daily: Given how important critical infrastructure is in our day-to-day lives, are we cyber ready in this field?
Dawn Cappelli: It varies. First of all, it varies by sector. So if you look at power, oil and gas, those sectors have been targeted since 2010 when Stuxnet happened, and they’ve been under heavy regulation for the most part. So, they are much more prepared to respond and certainly to mitigate and prevent cyber attacks in their OT environments.
But then if you think about, like, water; water, it’s, first of all, it’s being highly targeted right now. A lot of them are small. They’re municipal. They’re not huge oil and gas companies. They don’t have the people, expertise, or money to defend themselves.
Another sector that’s really behind the curve is manufacturing. And I was in manufacturing at Rockwell. There are no regulations, at least in the US, that apply to manufacturing. And so, like I said, until WannaCry and NotPetya hit, nobody thought that manufacturing had to worry about OT cyber security, but all of a sudden, they did. And I’m shocked now that I’m at Dragos when they bring me in to meet with CISOs of prospective customers, and they are only starting to think now about OT cyber security.
Garman: What are some of the emerging vulnerabilities that we’re seeing in this space? And for our Australian audience, perhaps, what have you seen in the United States that we should start preparing for?
Cappelli: Well, yeah, industry 4.0, that’s been around for a long time now. And so the whole convergence of IT and OT, that has opened up a lot of vulnerabilities because a lot of companies think, they say to us all the time, “Oh, don’t worry, our OT environment is air-gapped. It’s not connected.”
Well, is your plant connected to your ERP system? If so, you’re connected to it, so you aren’t air-gapped. If you think about COVID, when that happened, I know at Rockwell, all of a sudden, bam, no one is allowed in our plants unless they’re essential. No third parties are allowed in our plants for any reason. They have to do everything they need to do remotely.
So, all of a sudden, we had to open up remote access to our engineering firms, our service companies, and our employees. Many companies had to do it literally overnight, and a lot of them now have gone back and made sure that access is secure, but a lot of them haven’t. So, secure remote access is a big issue. Segregating your IT from your OT, that’s a big issue.
Worryingly, we see a lot of utilities that have equipment with default passwords exposed to the internet, and they don’t even know it. And they’re easy pickings for state actors and now hacktivists and ransomware, all of it.
Garman: You mentioned Stuxnet before, and it’s a classic example. Sometimes, all it takes is a compromised USB.
Cappelli: The problem with USB is it can be unintentional as well. That was one of the biggest things that, as the CISO at Rockwell, we realised field service engineers would go into customer one, plug it into their network, then I [would] go to customer two, plug it into theirs, and then customer three. Well, if one of those has malware on their network, you now have gotten that USB infected and now you’re going to infect those other two customers.
Garman: So, what are some of the big trends we’re seeing at the moment?
Cappelli: I think the biggest trend in my mind is ever since 2022 when the Ukraine-Russia war started; until then, we know Russia brought down the Ukraine power grid twice. But aside from that, there was this line that state actors were not willing to cross. They knew if I attack critical infrastructure, it’s kind of like the Cold War with nuclear weapons. [It] used to be if Russia fires a nuclear bomb at the US, the US is going to fire back at them, and the whole world could end up being destroyed. So there was that line that couldn’t be crossed.
Well, since the Ukraine-Russia war, and now with Israel and Hamas, that line has been crossed. And for all these years, we talked about “What will the consequences be?” Well, I think they still haven’t figured it out. And so the line is being crossed, and not just by state actors, but it used to be, hacktivists used to prey on fear, uncertainty, and doubt, but they defaced websites. They conducted DDoS attacks. It was all just to scare people.
Now we’ve seen that these hacktivist groups are aligning with the state actors, and they are conducting much more destructive and disruptive attacks, like the Cyber Avengers, a hacktivist group, pro-Hamas, who teamed up with the government of Iran and wreaked havoc on water utilities around the world, including, I believe, in Australia. Then there’s the Cyber Army of Russia Reborn, another hacktivist group that is now aligned with the Russian government, and they have brought down water utilities around the world.
So that trend of, you know, it kind of gives the state actors plausible deniability. Well, we didn’t do it. That was that hacktivist group. Even though behind the scenes, our governments are coming out and saying these hacktivists are aligned with the state actors, we still don’t publicly prove it.
Garman: The growing severity of attacks necessitates very thorough regulations. Do you see those regulations working? Are they going to be impactful in strengthening OT security?
Cappelli: Well, they certainly have been impactful in power. So that’s a good model in water that they’re trying. It’s just there’s so much that needs to be done. You can’t just regulate overnight and impose new compliance regulations that the water utilities don’t have the money or the people to meet. So, I think it’s important to kind of work with the different sectors and meet them where they’re at and help them get where they need to be rather than just impose some regulations that they won’t be able to meet.
I know from our OT CERT members and from another program – a community defence program, where we specifically help small utilities – I know that the regulators have been not expressly dropping the hammer, but working with them to try and help them to assess “Where are you? What are your gaps? Because we rely on you.”
For instance, one of our OT CERT members, one of their customers, is a military base in the US, and the Department of Defense came and said, “We want to look at your cyber security program because if you get taken out, then we have no water. We can’t have a military base with no water.”
And so it hasn’t been. I don’t get the impression that it’s like a regulator coming in and dropping the hammer. It’s more … “Let’s work together, let’s look at your program, and let’s figure out what you can do to make it better”. So, that’s kind of the impression that I’m getting, and I think what needs to be done is let’s figure this out together and figure out how we can help you to improve.
Garman: Do you have any case studies from recent incidents where Dragos has intervened to keep critical infrastructure safe?
Cappelli: So there’s a threat group that we call Voltzite. It’s also called Volt Typhoon.
So this is kind of a personal Dragos story about Voltzite. We had a medium-sized power and water utility that bought our platform and our threat hunting. So, we installed the platform. The threat hunters went in and discovered that for almost a year, Voltzite had been in their utility, and they got in through it, which is usually how companies get compromised.
But unlike ransomware groups, where they just get in your network, and they’ll hit anything they can once they’re in, and they might get OT if it’s accessible, they deliberately moved into the OT environment and they stole information. No surprise there. This is Voltzite; however, this is the Chinese government. That’s what they do. They steal information. But they didn’t steal PII or, you know, financial information.
What they stole was OT information. They stole OT device configurations, SCADA configurations, information about how their processes worked in that OT environment. GIS data, critical customer lists. And when you think about what I said earlier about the Department of Defense going into that water utility because it services a military base, you can kind of put two and two together. Why did they want that critical customer list? Because they want to know, “If I hit this utility, who am I going to impact?” So it was very obvious from what they stole that they [were] stealing information so that they, in the future, [could] use that information to cause a disruptive or destructive attack.
Oh, wait – I forgot the most important part. So now we know, because we found them, we knew exactly what to look for in the platform. So, we built all of those detections into the Dragos platform. And once we did that, we discovered Voltzite was in other Dragos customers as well.
So, the FBI director in the US got up and publicly stated China is in our critical infrastructure. Well, yeah, we know personally at Dragos.
You can hear the full discussion between Cyber Daily and Dragos’ head of OT CERT, Dawn Cappelli on the Cyber Uncut podcast, here: