
EPISODE · Oct 22, 2024 · 11 MIN

EP13: Industrial cyber infrastructure vulnerabilities

from Geopolitics Unplugged · host GeopoliticsUnplugged

Summary: In this episode, we discuss the vulnerabilities of the US industrial cyber infrastructure, particularly the power grid, water management, and communications systems. We highlight outdated technology, weak security practices, and a lack of sufficient separation between operational and IT networks as contributing factors to these vulnerabilities. While there are agencies like CISA working to address these issues, we discuss that more needs to be done to prevent attacks, rather than simply responding to them after they occur. We explore the need for better cybersecurity measures to protect critical infrastructure from exploitation, especially from foreign actors.

Questions to consider as you read/listen:

- What are the main vulnerabilities in the US's industrial cyber infrastructure, and how are they being addressed?
- What are the consequences of these vulnerabilities, and what are the potential impacts on critical infrastructure and national security?
- How can the US improve its cybersecurity posture to better protect its critical infrastructure from cyberattacks?

Long format: Industrial cyber infrastructure vulnerabilities

There is a very large issue here in the US that is fairly well known in the national intelligence and even private corporate security corridors, which is the US’s industrial cyber infrastructure vulnerabilities, including but not limited to the power grid, water management, internet, communications, and industrial control systems. To me, it seems like we have a lot of congressional hearings and a lot of workshops and a lot of speeches and a lot of blue ribbon panel commissions ADMIRING the problem. But that seems to me to be all that we are doing largely. Admiring the problem. Not solving it.

Many industrial control systems (ICS) use legacy protocols and hardware with limited security features, making them susceptible to exploitation. Weak passwords, lack of multi-factor authentication, and inadequate user management practices can enable unauthorized access to critical systems and allow for “brute force” attacks into critical areas. And this is thought, at least as of now, to be the way that the Chinese accessed these telecoms. In previous attacks attributed to Salt Typhoon/Ghost Emperor, the threat actor used a custom backdoor called SparrowDoor, customized versions of the Mimikatz tool for extracting authentication data, and a Windows kernel-mode rootkit Demodex. (https://www.theregister.com/2024/10/07/verizon_att_lumen_salt_typhoon/ and https://www.bleepingcomputer.com/news/security/atandt-verizon-reportedly-hacked-to-target-us-govt-wiretapping-platform/#:~:text=In%20previous%20attacks%20attributed%20to,Windows%20kernel%2Dmode%20rootkit%20Demodex and https://www.channelfutures.com/security/salt-typhoon-hacks-att-verizon-lumen )

Insufficient separation between operational technology (OT) networks and IT networks can allow attackers to move laterally from one system to another. Inadequate logging and intrusion detection capabilities can hinder the ability to identify and respond to malicious activity. A lack of meaningful SCADA.

I read about the Cybersecurity and Infrastructure Security Agency (CISA). They have issued guidelines and best practices, and there has been some limited legislation like the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which mandates reporting of cyber incidents by critical infrastructure entities, allowing for faster response and threat analysis. I read about the DOE’s Energy Threat Analysis Center. And that’s all fine and good to report AFTER an incident and autopsy it, but what is better perhaps is to look at prevention.

Are we ever going to get past the point of issuing white papers and reports and past the point of needing to do autopsies and actually look at the health of the proverbial patient and try to do things that avoid the need for an autopsy?

Sources:

- https://commercial.allianz.com/news-and-insights/expert-risk-articles/cyber-attacks-on-critical-infrastructure.html#:~:text=Recent%20years%20have%20seen%20growing,priority%20issue%2C%E2%80%9D%20he%20explains
- https://www.energy.gov/policy/articles/cyber-threat-and-vulnerability-analysis-us-electric-sector#:~:text=With%20utilities%20in%20the%20U.S.,physical%20security%20related%20events%20that
- https://www.forbes.com/sites/chuckbrooks/2023/02/15/3-alarming-threats-to-the-us-energy-grid--cyber-physical-and-existential-events/
- https://www.esecurityplanet.com/cloud/industrial-control-systems-cyber-security/
- https://www.cisa.gov/sites/default/files/recommended_practices/DHS_Common_Cybersecurity_Vulnerabilities_ICS_2010.pdf
- https://cbsaustin.com/news/nation-world/national-security-agency-investigates-chinese-hack-of-3-telecommunications-companies-att-verizon-lumen-technologies-surveillance-federal-government
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
