Federal agencies in the US, Canada and the UK are sounding the alarm over an increase in cyberattacks by pro-Russia hacktivist groups targeting operational technology (OT) devices across critical infrastructure in North America and Europe.
The Cybersecurity and Infrastructure Security Agency (CISA), FBI, NSA, EPA, DOE, USDA, FDA, Multi-State ISAC, Canadian Centre for Cyber Security, and UK’s National Cyber Security Centre have observed these threat actors compromising small-scale industrial control systems like human-machine interfaces (HMIs) used in water/wastewater, dams, energy, and food/agriculture facilities.
“The authoring organisations are aware of pro-Russia hacktivists targeting and compromising small-scale OT systems in North American and European Water and Wastewater Systems, Dams, Energy, and Food and Agriculture Sectors,” the agencies stated.
“These hacktivists seek to compromise modular, internet-exposed industrial control systems through their software components, such as HMIs, by exploiting virtual network computing (VNC) remote access software and default passwords.”
While the techniques used are relatively unsophisticated, authorities warn that the hacktivists demonstrate capabilities that could enable physical disruptions to insecure OT environments. Tactics observed include exploiting publicly exposed internet connections, abusing default or weak passwords on accounts that lack multi-factor authentication, and remotely manipulating HMI settings.
“In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the operators,” the advisory explains. “Some victims experienced minor tank overflow events; however, most reverted to manual controls and quickly restored operations.”
In early 2024, the agencies responded to several water/wastewater facilities in the U.S. that experienced “limited physical disruptions” when unauthorised users remotely manipulated HMIs to dangerously adjust pump and blower settings before locking out legitimate operators.
The joint advisory provides extensive mitigations and resources for critical infrastructure owners and OT manufacturers to improve their cyber defences. Key recommendations include:
- Disconnect internet-exposed HMIs/controllers and require VPNs with multi-factor for remote access
- Implement strong, unique passwords and eliminate any default credentials
- Keep VNC software patched and up-to-date
- Allow only authorised device IPs and enable access logging
- Maintain updated network diagrams and backup device configurations
- Replace any end-of-life OT equipment as soon as possible
- For manufacturers: eliminate default passwords, mandate multi-factor for privileged access, include logging, and publish software bills of materials
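Several of the recommendations above (IP allowlisting, access logging, no default credentials, MFA on remote access) translate directly into detections that an operator can run over an HMI's own audit trail, and the behaviours quoted from the advisory (maxed-out set points, disabled alarms, changed administrative passwords) are exactly the events such a detection should flag. The following Python is an added illustration written for this article, not code from the advisory or from any of the authoring agencies; the JSON-lines log format, the field names, the allowlisted subnet, the set-point limits and the list of vendor-default account names are all constructed assumptions, as is the sample log it runs over.

```python
"""Detection pass over constructed HMI/VNC audit events.

Example code added for illustration; not from the joint advisory. The log
format, field names, thresholds and allowlist below are assumptions.
"""
from dataclasses import dataclass
import ipaddress
import json

# Constructed allowlist: the only subnet operator workstations / jump hosts live on.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed safe operating envelope (min, max) for a few process tags.
SETPOINT_LIMITS = {"pump1.speed_pct": (0, 85), "blower2.speed_pct": (0, 70)}

# Constructed list of account names commonly shipped as vendor defaults.
DEFAULT_USERS = {"admin", "operator", "default"}

# Constructed sample audit log (JSON lines). The first two lines are a normal
# operator session; the rest mirror the pattern described in the advisory.
SAMPLE_LOG = """\
{"ts":"2024-03-01T02:11:04Z","src":"10.10.5.21","user":"jsmith","event":"login","proto":"vnc","mfa":true}
{"ts":"2024-03-01T02:14:40Z","src":"10.10.5.21","user":"jsmith","event":"setpoint","tag":"pump1.speed_pct","old":55,"new":60}
{"ts":"2024-03-01T03:02:17Z","src":"203.0.113.45","user":"admin","event":"login","proto":"vnc","mfa":false}
{"ts":"2024-03-01T03:03:02Z","src":"203.0.113.45","user":"admin","event":"setpoint","tag":"pump1.speed_pct","old":60,"new":100}
{"ts":"2024-03-01T03:03:30Z","src":"203.0.113.45","user":"admin","event":"alarm_disable","tag":"tank1.high_level"}
{"ts":"2024-03-01T03:04:10Z","src":"203.0.113.45","user":"admin","event":"password_change","target_user":"admin"}
"""


@dataclass
class Finding:
    ts: str
    src: str
    rule: str
    detail: str


def _src_allowed(src: str) -> bool:
    """True if the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def analyse(log_text: str) -> list[Finding]:
    """Return one Finding per rule hit; an event can trigger several rules."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts, src, user, kind = ev["ts"], ev["src"], ev["user"], ev["event"]

        # Any activity from outside the allowlist is worth a finding on its own.
        if not _src_allowed(src):
            findings.append(Finding(ts, src, "unlisted_source",
                                    f"{kind} by {user} from non-allowlisted address"))

        if kind == "login":
            if user in DEFAULT_USERS:
                findings.append(Finding(ts, src, "default_account",
                                        f"login with vendor-default account '{user}'"))
            if not ev.get("mfa", False):
                findings.append(Finding(ts, src, "no_mfa",
                                        f"{ev.get('proto', '?')} login without MFA by {user}"))
        elif kind == "setpoint":
            lo, hi = SETPOINT_LIMITS.get(ev["tag"], (None, None))
            if hi is not None and not lo <= ev["new"] <= hi:
                findings.append(Finding(ts, src, "setpoint_out_of_envelope",
                                        f"{ev['tag']} {ev['old']}->{ev['new']} (limit {lo}-{hi})"))
        elif kind == "alarm_disable":
            findings.append(Finding(ts, src, "alarm_disabled",
                                    f"alarm {ev['tag']} disabled by {user}"))
        elif kind == "password_change":
            findings.append(Finding(ts, src, "admin_password_change",
                                    f"{user} changed password for {ev['target_user']}"))
    return findings


def rules_triggered(log_text: str) -> set[str]:
    """Distinct rule names hit by the log, handy for a quick triage summary."""
    return {f.rule for f in analyse(log_text)}


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.ts} {f.src:15} {f.rule:26} {f.detail}")
```

On the sample log the normal operator session produces no findings, while the session from the non-allowlisted address trips every rule: a default account logging in over VNC without MFA, a set point pushed past its envelope, an alarm disabled and the administrative password changed. In practice the allowlist and set-point limits would come from the network diagram and device configuration backups the advisory recommends maintaining, and the input would be the access logs it recommends enabling.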
“Although critical infrastructure organisations can take steps to mitigate risks, it is ultimately the responsibility of the OT device manufacturer to build products that are secure by design and default,” the advisory states. “The authoring organisations urge device manufacturers to take ownership of the security outcomes of their customers.”
The agencies stress that while the hacktivists have historically exaggerated their capabilities, the access obtained to industrial control systems demonstrates the potential for much greater real-world impacts if vulnerabilities go unaddressed.
Organisations affected by this activity or other suspicious incidents are encouraged to promptly report them to CISA, the FBI, relevant ISACs, and sector risk management agencies.