“…the lord hath given unto you 15 [tablet falls]… eh, uh, 10… 10 Commandments for all to obey…”
– From Mel Brooks, “History of the World Part 1”
Happy New Year everyone. As 2023 came to an end, several “top 10” year-end cybersecurity lists were published by various organizations. One of them was by ESET, a security company based in Slovakia that has provided much useful analysis and news about cybersecurity in the past. Its website claims it has “experienced researchers with in-depth knowledge of the latest threats and security trends”.[1] So I read through their list, “A year in review: 10 of the biggest security incidents of 2023”, and was left wondering: is that all there was?[2]
In what they characterize as a “monumental year in cybersecurity”, I was disappointed to find a most inadequate list consisting mostly of data breaches. Don’t get me wrong, the listed incidents are serious, but one would expect a more comprehensive review when taking on the cyber incidents of a whole year. Cyber criminals intent on compromising data were not the only highlight of 2023.
Early in the past year, Ars Technica published a report of a “forever day”[3] vulnerability present in a long line of brand-name PLCs.[4] According to researchers, the vulnerability can be used to fully compromise the PLC and bypass its security protections.[5] As many of us know, PLCs are ubiquitous devices found in industrial automation and control system (IACS) environments. A vulnerability that can be used to disrupt the monitoring and control of a physical process could lead to severe physical consequences that go beyond what may happen in the aftermath of a data breach. Very few of the list makers seem to be aware that PLCs remain targets of interest for threat actors, even though incidents have been publicly reported.
CISA, a US Government agency, came out with a very curious announcement in late November 2023 about the need to secure PLCs after reports of PLC compromises at some small water facilities.[6] Among its recommendations, CISA drew attention to the default password of the targeted device (which it published) and the need to change it.
Besides data, the technologies used to monitor and control physical processes found in critical infrastructure continue to be targeted by threat actors. There was no data breach or attempt to plant malware on an IT system when individuals with some knowledge of radio and the frequencies used in railroad control systems succeeded in sending emergency stop signals to the control systems of 20 trains in Poland in late summer of 2023.[7] The incident is notable because it provides a good example of the vulnerabilities that continue to exist in some train control systems, vulnerabilities which could be used to degrade a nation’s critical transportation infrastructure.
There were also control system related incidents missing from the list where no threat actor was involved. A data center was forced to shut down, denying service to thousands of cloud customers and damaging equipment, when the control systems used to regulate the temperature in the data center failed due to a power glitch from the grid. It happened not because of a cyber-attack but because of flaws in the systems’ design and management, which were exposed when an unplanned adverse event took place.[8] There was no data breach, but at least for me this incident at a Microsoft data center in Australia was worthy of notice. Not only for its system design issues, but also because it echoes other incidents from the recent past, such as the Colonial Pipeline shutdown, which also exposed similar system design and maintenance issues.
I guess as far as lists go, one follows what one knows best. For an IT security company, threats to data found in office IT systems are what get the attention. Even more so if their products can be offered as a solution for protection. A similar dynamic also seems to apply to IACS security solution providers. However, a problem may arise when one focuses on only one kind of threat in cyberspace. The threats to the office IT environments tend to dominate in the public eye and, unfortunately, in the policy maker’s eye. Good examples are some national cybersecurity strategies and other policy documents that came out last year. (See my articles on the US http://scadamag.infracritical.com/index.php/2023/03/15/impressions-of-the-u-s-national-cybersecurity-strategy-of-2023/ and about the EU’s efforts in this area http://scadamag.infracritical.com/index.php/2023/09/19/the-european-union-moves-to-regulate-its-digital-economy-by-proposing-cybersecurity-requirements-is-the-cra-a-bridge-too-far/ )
IMO, what is also missing are the events that go unnoticed, either because the victim wants no publicity or because it is a natural accident resulting from equipment failure or mismanagement that slips through the reporting requirements. One LinkedIn commentator wrote about visiting a site, noting several system cybersecurity issues and making recommendations which were largely ignored. A few months later the asset owner experienced a major cyber incident that resulted in closing operations for 10 days. As was noted in the LinkedIn comment, incidents like this that are not reported work to the advantage of the attackers.[9]
What we need are more representative and comprehensive lists of the threats found in cyberspace. Lists that cover the spectrum ranging from the home/office IT to the IACS environments. They would also be more objective if they did not just come from a security company that may offer a good solution for just the one environment (and market) it is interested in. It has been said many times before that we need a better way to share incident information to allow others to learn and improve their security postures. It seems that a confidential way of sharing this information, one that avoids further legal or reputational repercussions for the victim, could be developed. I sometimes watch plane crash investigations on TV. Yes, the name of the airline is mentioned, but it is done in a no-fault way and the result is lessons learned and safer, more reliable airplanes. Something that operators of critical infrastructure could take note of and equally benefit from.
The asset owner needs to be provided with a fuller picture of the threat environment, one that is not limited to the data domain, to aid in making the right choices for improving the safety and resilience of operations. It is also needed by the policy maker who hopes to issue a document that will help protect economic activity, national security and the well-being of society. Until this information sharing problem is solved, we can only keep our fingers crossed and hope for the best as we look forward to 2024.
[1] https://www.welivesecurity.com/en/company/about-us/
[2] https://www.welivesecurity.com/en/cybersecurity/year-review-10-biggest-security-incidents-2023/
[3] Refers to a vulnerability that cannot be fixed with a patch or update; it remains an attack vector until the vulnerable equipment is replaced or reconfigured in the system to make it less reachable by a malicious actor.
[4] https://arstechnica.com/information-technology/2023/01/a-widespread-logic-controller-flaw-raises-the-specter-of-stuxnet/
[5] Ibid.
[6] CISA alert, “Exploitation of Unitronics PLCs used in Water and Wastewater Systems”, release date November 28, 2023
[7] Wojciech Kość, “Polish train chaos blamed on radio hackers: IT specialists say radio attacks point to long-standing weaknesses in rail network’s security”, Politico, August 28, 2023
[8] Ry Crozier, “Microsoft had three staff at Australian data centre campus when Azure went out”, ITNews, September 4, 2023, https://www.itnews.com.au/news/microsoft-had-three-staff-at-australian-data-centre-campus-when-azure-went-out-599849?utm_source=desktop&utm_medium=email&utm_campaign=share
[9] Leopoldo Ferrer, LinkedIn, accessed 2024-01-03, https://www.linkedin.com/feed/update/urn:li:activity:6993434149017530368/?lipi=urn%3Ali%3Apage%3Ad_flagship3_detail_base%3B%2BBR4eTCnRDGJiJTwbXRtTw%3D%3D