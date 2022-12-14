

Report: 75 percent of industrial control devices are vulnerable, unpatched

Three-quarters of devices that keep facilities like electricity and water treatment plants safe and operational have severe, unpatched cybersecurity vulnerabilities, according to research first shared with The Cybersecurity 202.

Microsoft came up with that figure for high-severity vulnerabilities in industrial control devices based on an examination of its customers’ operational technology networks.

It’s the latest data point about a threat that, when hackers seize on it, can cause plenty of havoc.

The Stuxnet worm wiped out an estimated one-fifth of Iran’s nuclear centrifuges more than a decade ago by targeting such industrial controllers.

Industroyer malware afflicted industrial control systems in 2016 to shut off electricity to parts of Kyiv, Ukraine, for an hour.

A hacker briefly was able to boost the level of lye at a water treatment plant in Oldsmar, Fla., last year to a level dangerous to humans. Fortunately, a plant operator noticed the hacker and was able to swiftly thwart them.

The convergence of operational technology (OT) and information technology — which is more focused on collecting and transmitting data — in “internet of things” (IoT) devices such as routers and cameras means the threat is rising, Microsoft fears. That’s especially true for the most vital U.S. infrastructures.

“While the prevalence of IoT and OT vulnerabilities presents a challenge for all organizations, critical infrastructure is at increased risk,” reads the latest edition of “Cyber Signals,” an ongoing Microsoft series of threat intelligence briefings. “Disabling critical services, not even necessarily destroying them, is a powerful lever.”

Why so vulnerable?

Some of the biggest issues rendering industrial control systems insecure are when they were designed, and for what purpose.

Bryson Bort, co-founder of the ICS Village at the Def Con security conference, likes to start any conversation about industrial control systems with a joke that reveals insight into an underlying issue with those devices.

“What is an industrial control system?” he asks. “Any computer that’s at least 20 years old.”

The age of these systems means they sometimes run on software that manufacturers no longer update and support, Bort, founder of the cybersecurity company SCYTHE, told me. The devices were designed with availability and safety in mind, less so security, he said.

“The security of these things is now catching up,” he said. “It’s sort of, ‘Oh, wait a second. We’ve got computers in these, they’re interconnected, that’s a problem and we have to do something about it.’”

Industrial controllers run on platforms with lower power consumption and memory restrictions that make it difficult to run complicated software, further deepening the problem of relying on outdated operating systems, David Atch, head of IoT/OT security research at Microsoft Defender Threat Intelligence, told me.

“These vulnerabilities are there, and these devices are insecure by design,” Atch said.

Not all the Microsoft numbers are so grim, however.

The company found that disclosure of the most severe vulnerabilities in industrial control equipment produced by popular vendors jumped 78 percent from 2020 to 2022.

That doesn’t necessarily mean there are more vulnerabilities — only that more of them are being found and revealed.

“That’s a huge positive,” Vasu Jakkal, corporate vice president for security, compliance, identity, management and privacy at Microsoft, told me. “The fact that they’re coming out and disclosing a vulnerability means we can do something about it.”

What others are doing about it

Many government efforts to secure these devices and systems are folded into other initiatives.

For example, the Cybersecurity and Infrastructure Security Agency has invited industrial control system industry experts to join a program to collaborate to reduce cyberthreats. Director Jen Easterly has said water cybersecurity will be a focus for her agency in 2023. And the agency issues alerts on industrial controller vulnerabilities, as it does with other kinds of tech flaws that could attract hackers.

But CISA has problems tackling this issue that are largely outside its control, Bort said. For example, the tendency to label more and more infrastructure as “critical” has made it harder for CISA to prioritize the most important ones. (CISA is working on that prioritization, but lawmakers this month left legislative language out of the annual defense policy bill that would go further.)

One industrial control system-specific program that’s getting good results out of the Energy Department’s Office of Cybersecurity, Energy Security and Emergency Response is an initiative that voluntarily connects vendors with the National Laboratories to submit equipment for security testing, Bort said.

Meanwhile, in Europe, a proposed cybersecurity regulation known as the Cyber Resilience Act would require software and hardware products to meet certain security benchmarks based on how “critical” they are deemed to be.

“They’re on the list of more critical if they are going to be used in an industrial control system,” Lorena Boix Alonso, the European Commission’s cybersecurity director, told me.

The keys

Apple working on allowing alternative app stores

A move to give users such an ability would be a reversal from Apple’s previous rhetoric about opening up its software ecosystem, which the company has argued would expose users to cyberthreats, Bloomberg News’s Mark Gurman reports. It comes in the wake of new European rules requiring major tech companies to make their platforms interoperable with those of their competitors. The rules also block the companies from giving their products preferential treatment and forcing developers to use their payment systems.

Apple has long argued that allowing users to install apps from outside its own App Store could open up their devices to hacks. “To help protect against unsafe apps, Apple is discussing the idea of mandating certain security requirements even if software is distributed outside its store. Such apps also may need to be verified by Apple — a process that could carry a fee,” Gurman writes.

The changes could be added to Apple software next year, Gurman reports. But Apple, which charges fees to app developers who use its App Store, hasn’t yet decided whether to comply with European rules letting app developers introduce alternative payment systems in their apps, Gurman reports.

An Apple spokesperson declined to comment to Bloomberg News.

Russian trolls impersonating Kid Rock fans build followings on right-wing social media platforms

Researchers from Graphika and Stanford University’s Internet Observatory said they tied at least 35 accounts on Gab, Gettr, Parler and Truth Social to the Newsroom for American and European Based Citizens, which has been linked to the Internet Research Agency, Rolling Stone’s Adam Rawnsley reports.

“Researchers found Russian-linked fake accounts posing as authentic American conservatives cross-posting content to personas on Truth Social, Gab, and Gettr,” he writes. “While right-wing social platforms like Gab and Parler have previously played host to Russian influence operations, the report marks the first documented case of Russian meddling on Truth Social, the social media app founded by [former president Donald] Trump.”

Representatives of Truth Social and Kid Rock didn’t respond to Rolling Stone’s questions. Gab founder Andrew Torba told the outlet that it would have “investigated and taken action” if it had “received notification from law enforcement that the account you mentioned.” But Gab does not “care what Graphika has to say on the matter,” Torba said. Gettr CEO Jason Miller said in a statement that the company complies with law enforcement and “takes a robust and proactive approach to moderation.” The Kid Rock account disappeared from Gettr after Rolling Stone’s story was published; the platform didn’t answer questions from Rolling Stone asking whether it removed the account.

Lawmakers propose TikTok ban

The bipartisan legislation announced Tuesday would block transactions from social media firms in or under the influence of China and Russia, and it targets TikTok, Reuters’s Alexandra Alper reports. The bill comes as a flurry of Republican-led states ban TikTok from state government devices. In recent weeks, FBI Director Christopher A. Wray has warned that China’s government could use the app to influence American users or amass data on them.

TikTok condemned the legislation. “It is troubling that rather than encouraging the administration to conclude its national security review of TikTok, some members of Congress have decided to push for a politically-motivated ban that will do nothing to advance the national security of the United States,” a TikTok spokesperson told Reuters. The company will continue to discuss plans “well underway” to “further secure our platform in the United States” with lawmakers, they said.

Sen. Thom Tillis (R-N.C.) speaks at an ITIF event on malware in ads today at noon.

The California Privacy Protection Agency Board hosts a public meeting on Friday at noon.

