In this age of global polycrisis, safeguarding critical infrastructure has become a top priority for governments, businesses, and security professionals. This post provides a brief Q324 survey of the risks and vulnerabilities faced by essential systems, from energy grids to communication networks and transportation to the water, food, and agriculture sectors.  This risk assessment identifies potential threats and evaluates weaknesses.  

Q324:  A Critical Infrastructure Risk and Vulnerability Assessment

The government isn’t ready for cyber chaos in the food and agriculture sector

“Food and agriculture has avoided the cybersecurity spotlight so far because hackers are focused on more valuable targets elsewhere. But that won’t last forever.”

The nightmare scenarios are numerous: Desiccated farms menaced by out-of-control tractors. Meatpacking plants silently overrun by diseased animals. Trucks clogging highways for hours, their cargo areas full of rotting food.  The U.S. Department of Agriculture is supposed to prevent these disasters by helping the food and agriculture sector protect its infrastructure from physical threats and cyberattacks. But in an era of growing digital dangers, USDA is woefully unprepared to play that role, according to policymakers, independent experts and even the department’s own warnings to Congress. 

USDA has assigned this critical mission to a small, underfunded office that also handles a range of other tasks. Department leaders rarely discuss the acute cyber threats facing the food and agriculture sector — which accounted for more than 5% of the U.S. economy and roughly 10% of U.S. jobs last year — and it’s unclear if the department has meaningfully reduced those threats.  While other agencies tasked with protecting vital infrastructure have aggressively confronted cyber challenges, USDA has shown little of the same urgency, even as its industry partners grow increasingly worried about their digital vulnerabilities.  

Iran-linked actors ramping up cyberattacks on US critical infrastructure

“Nation-state attacker are exploiting vulnerabilities in products from Check Point Software, Palo Alto Networks and others to attack multiple industries.”

Critical infrastructure providers and other organizations in the U.S. are facing a heightened risk of malicious cyberattacks from Iran-linked actors, according to threat researchers and U.S. officials.   The FBI and Cybersecurity and Infrastructure Security Agency last week issued a joint warning with the Department of Defense Cyber Crime Center about Iran collaborating with criminal ransomware groups to attack key industries in the U.S. and other foreign countries.   The group, known as Pioneer Kitten, has been collaborating with high-profile ransomware actors, including AlphV, Ransomhouse and NoEscape, in exchange for a cut of the ransom payments, officials said. The Iran-lined actors were seen scanning IP addresses as recently as July for Check Point Security Gateways that were potentially vulnerable to CVE-2024-24919.   The Check Point vulnerability, first disclosed in late May, allowed attackers to read information on internet-connected gateways with remote access VPN or mobile access enabled. 

Federal watchdog urges EPA to develop comprehensive cyber strategy to protect water systems

“The report comes amid a rise in malicious cyberthreats from state-linked and criminal hackers targeting U.S. drinking water and water treatment facilities.”

• According to a report from the U.S. Government Accountability Office released, the congressional watchdog is calling on the Environmental Protection Agency to urgently develop a strategy to address the rising risk of malicious cyber activity targeting the nation’s drinking and wastewater. 
• In recent months, the sector has been up against heightened threat activity from state-linked and criminal hackers targeting vulnerable water utilities using custom malware, ransomware and other tools designed to either disable, sabotage or exfiltrate data. 
• The EPA needs to conduct a sector-wide risk assessment, the GAO said, because the water utility sector is unprepared to protect itself against these existing threats without additional government support.
• The Biden administration has prioritized the drinking and wastewater treatment industries as a number of high-profile hacking incidents have raised concerns about the ability to secure the nation’s drinking water and water treatment sectors. 
• Following the GAO report last week, EPA officials said they are working on plans to strengthen federal assistance to the water industry. The EPA in 2023 launched plans to get water utilities to tighten cyber resilience through audits, but that plan was rescinded after a state legal challenge. 

Internet outages spread across Ukraine following Russian air strikes on critical infrastructure

On August 28th, as reported by The Record:  “Millions of Ukrainians have experienced internet disruptions over the last two days following Russian missile and drone strikes targeting critical infrastructure throughout the country. According to data from the internet monitoring service NetBlocks, national internet connectivity in Ukraine remains at 71% of ordinary levels as of Tuesday. Why it matters:

1. Relentless Russian Attacks: Millions of Ukrainians have lost internet connectivity following repeated Russian attacks on critical infrastructure. Damage to energy facilities has also led to power outages and disruptions to the national grid, escalating to frequent power shutdowns in different parts of the country.
2. Costly Response to Aggression: Russia’s sustained cyber and physical attacks have taken a significant financial toll – Forbes estimates just one such large-scale attack could cost up to $1.3 billion. These staggering costs highlight the extreme measures taken by Russia in its attempts to destabilize Ukraine.
3. Collateral Damage on Russians: The conflict has also had repercussions on Russian users who often face issues with accessing internet and digital services. This could be a result of physical and cyberattacks by Ukraine, suggesting that the cyber warfare isn’t one-sided and affects civilians on both sides.

Seattle Airport Blames Outages on Possible Cyberattack

On August 27th, as reported at Security Week:  “The Port of Seattle, including the SEA Airport, [experienced] system outages likely caused by a cyberattack. For the past three days, the Port of Seattle, including the Seattle-Tacoma International Airport (SEA Airport), has been struggling with system outages potentially caused by a cyberattack.   Impacting internet and internal systems, the outages began on August 24, affecting various services, the Port announced on X (formerly Twitter).  “Earlier this morning the Port of Seattle experienced certain system outages indicating a possible cyberattack. The Port isolated critical systems and is in the process of working to restore full service and does not have an estimated time for return,” the Port said on Saturday.  In addition to the SEA Airport, the outages impact maritime facilities, and travelers are encouraged to contact them by phone, the Port noted on a dedicated updates page.  The airport did not provide details on the type of cyberattack it fell victim to and SecurityWeek has not seen any known ransomware groups claiming responsibility for it.

PinnacleOne | The Escalation of Nation-State Sabotage and Its Implications for the Private Sector

Intelligence and security reports indicate a marked increase in sabotage and “gray-zone” or “hybrid” attacks across Europe and potentially targeting the United States. These activities, primarily attributed to Russia and China, represent an evolution in geopolitical conflict that falls below the threshold of traditional warfare, but poses risks to national security and economic stability.  In a disturbing series of incidents surrounding the 2024 Paris Olympics, France has experienced multiple acts of sabotage targeting critical infrastructure, raising serious concerns about security and the potential involvement of extremist groups.  These incidents occur against a backdrop of increasing geopolitical tensions and a rise in nation-state sabotage activities across Europe. Intelligence agencies from multiple European countries have warned their governments that Russia, in particular, is plotting violent acts of sabotage across the continent as part of a strategy of permanent conflict with the West.

Recent examples of suspected Russian-linked sabotage include:

1. An arson attack on a Ukrainian-linked warehouse in London;
2. Cyberattacks disrupting European railway networks;
3. GPS signal jamming in Baltic states;
4. Plots against U.S. military bases in Germany; and
5. Fires and explosions in Riga, Latvia; Warsaw, Poland; Prague, Czech Republic; and Paris.

Private companies – especially those in critical sectors such as energy, telecoms, transportation, health care, water, ports, and finance – face heightened risk of becoming targets. Nation-state actors often view private sector entities as extensions of national interests, making them legitimate targets in geopolitical conflicts.  The diverse and evolving nature of sabotage tactics creates a multifaceted threat environment that is challenging to predict and mitigate. Beyond direct damages, sabotage attempts can have broader economic implications, disrupting supply chains, market dynamics, and customer relationships.  Intelligence capabilities are becoming vital for corporations. Organizations need to develop threat monitoring and analysis capacities, while collaborating with government agencies where appropriate. Regular scenario and crisis simulation is key to ensure effective response.

China’s hackers are preparing to ’cause real world harm’ to Americans: FBI director

China’s hackers are preparing to “wreak havoc” and “cause real-world harm” to Americans, FBI Director Christopher Wray [warned] in congressional testimony [in January 2024].  “There has been far too little public focus on the fact that PRC hackers are targeting our critical infrastructure — our water treatment plants, our electrical grid, our oil and natural gas pipelines, our transportation systems. And the risk that poses to every American requires our attention — now,” Wray says in selected testimony released by the FBI ahead of the hearing.   He says they are “attacking our economic security, engaging in wholesale theft of our innovation, and our personal and corporate data.”  Wray has been consistently sounding the alarm on how much of a threat China is to the United States…”

China would consider attacks on US railroads, pipelines if it invades Taiwan, Easterly says

Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly warned that the Chinese government would consider destructive or disruptive attacks on American pipelines, railroads and other critical infrastructure if it believed the U.S. would get involved during a potential invasion of Taiwan. Here’s what you need to know:

1. The Chinese government could potentially launch destructive cyber attacks on American critical infrastructure such as pipelines and railroads if the U.S. intervenes in a potential invasion of Taiwan, as warned by Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA).
2. The threat from China is escalating, with prior attacks mainly focused on financial and technological information theft and surveillance now extending their reach to the ability to disrupt U.S. critical infrastructure. There are also indications that Chinese hackers have extended their access to power grids, communication systems, and water supplies for military bases within the U.S. and overseas.
3. Despite the increasing threat and potential for disruptive attacks, Jen Easterly calls on the American public to prepare by taking lessons from Ukraine and maintaining resilience and unity. Concurrently, security agencies, such as the TSA, are coordinating and issuing emergency directives in response to the concerning intelligence they are receiving regarding the cyber threats.

CISA: Most cyberattacks on gov’ts, critical infrastructure involve valid credentials

More than half of all cyberattacks on government agencies, critical infrastructure organizations and state-level government bodies involved the use of valid accounts,  according to a new report from the Cybersecurity and Infrastructure Security Agency (CISA)

Additional OODA Loop News Briefs on Critical Infrastructure Risks and Vulnerabilities 

• Critical Infrastructure Remains the Brass Ring for Cyber Attackers in 2024
• AI, National Security and Critical Infrastructure: What will the near-term future look like?
• 21 Vulnerabilities in Sierra Wireless Routers Could Expose Critical Infrastructure to Attacks
• CISA Rolls Out New Guidelines to Mitigate AI Risks to US Critical Infrastructure
• CISA unveils guidelines for AI and critical infrastructure
• Are Chinese-Made Ship-to-Shore Cranes at U.S. Ports a Critical Infrastructure Vulnerability?
• US Says China’s Volt Typhoon Hackers ‘Pre-Positioning’ for Cyberattacks Against Critical Infrastructure

https://oodaloop.com/archive/2024/08/30/shields-ready-critical-infrastructure-security-and-resilience-2/

Additional OODA Loop Resources

For our News Briefs and Original Analysis research efforts to date on this topic, go to:

• OODA Loop | Critical Infrastructure
• OODA Loop | Elections
• OODA Loop | CISA
• OODA Loop | Volt Typhoon
• OODA Loop | APT
• OODA Loop | Secure by Design

Information Warfare, Social Engineering, and Ransomware: A Global Situational Awareness and Threat Vector Survey:  As we slide into the end of summer weekend in the U.S., we take a “bird’s eye” view of the high-threat level created by the 2024 U.S. Presidential Election.  In this post: a situational awareness and threat vector survey of information warfare, social engineering, and ransomware incidents and activities worldwide as of Friday, August 30, 2024 – including a very recent joint Cybersecurity advisory from the Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and Department of Health and Human Services (HHS) and context on the recent arrest of the Telegram CEO. 

“…Leaving our Nation Vulnerable to Cyber Invasion”: Volt Typhoon’s Recent Zero Day Attack on U.S. Internet Providers:  Thank you to the OODA Loop News Brief team for surfacing our initial report of the Volt Typhoon Zero Day attack (Chinese APT Volt Typhoon Caught Exploiting Versa Networks SD-WAN Zero-Day). This attack occurs fast on the heels of a renewed, very specific warning that was just issued at Black Hat USA a couple of weeks ago (characterizing the recent CrowdStrike incident as a ‘dress rehearsal’ of what the impacts of a major attack on U.S. Critical Infrastructure would look like – and then some).  In this post: more details of the recent zero day attack  – and the What Next? from the perspective of the firm, strident, strategic messaging by CISA and national security experts over the course of the last two years.  If this threat vector has been on your organizations strategic back burner to date – time to shift to the Decide and Act of your internal OODA Loop ASAP.

CISA Director Easterly on “Democracy’s Biggest Year: The Fight for Secure Elections Around the World”:  CISA Director Jen Easterly participated in a keynote session at Black Hat USA 2024, along with international election experts Hans de Vries, COO, European Union Agency for Cybersecurity (ENISA), and Felicity Oswald, CEO, National Cyber Security Centre (NCSC) to “unpack how international leaders are approaching election security risks to the democratic processes.”   Along with coverage of this keynote panel, we have compiled Director Easterly’s recent communications on the 2024 security threats and security and integrity strategies taken up by CISA and the USG in the run-up to the November 2024 Election in the U.S.   

The Crowdstrike Incident – OODA Loop Update #4:  In the spirit of the significance of tracking the global impact of disruptive events and encouraging the sharing of relevant stories for compilation, the following is our latest  tracking of the Crowdstrike Incident since our last update on 7/22 – The Crowdstrike/Microsoft Global IT Outage Debacle: Ongoing Impacts and Recent Updates and the July 2024 OODA Network Monthly Meeting: A Real-time Discussion of the Crowdstrike Global IT Outage.

Are Chinese-Made Ship-to-Shore Cranes at U.S. Ports a Critical Infrastructure Vulnerability?:  The 2023 National Defense Authorization Act (NDAA)  (made into law in December 2022) included some specific military-related cybersecurity provisions, including a required study of cybersecurity and national security threats posed by foreign-manufactured cranes at United States ports” to assess whether foreign manufactured cranes at United States ports pose cybersecurity or national security threats.” The study was completed late last year – and the response to the findings has sparked global controversy and debate.  Details here. 

Cyber Risks

Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk

Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has caused regional issues that affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See The Cyber Threat

Ransomware’s Rapid Evolution: Ransomware technology and its associated criminal business models have seen significant advancements. This has culminated in a heightened threat level, resembling a pandemic’s reach and impact. Yet, there are strategies available for threat mitigation. See: Ransomware, and update.

Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat

Recommendations for Action

Decision Intelligence for Optimal Choices: Numerous disruptions complicate situational awareness and can inhibit effective decision-making. Every enterprise should evaluate its data collection methods, assessment, and decision-making processes for more insights: Decision Intelligence.

Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. It’s crucial to remember that cybersecurity isn’t solely the IT department’s or the CISO’s responsibility – it’s a collective effort involving the entire leadership. Relying solely on governmental actions isn’t advised given its inconsistent approach towards aiding industries in risk reduction. See: Cyber Defenses

The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance

Embracing Corporate Intelligence and Scenario Planning in an Uncertain Age: Apart from traditional competitive challenges, businesses also confront unpredictable external threats. This environment amplifies the significance of Scenario Planning. It enables leaders to envision varied futures, thereby identifying potential risks and opportunities. Regardless of their size, all organizations should allocate time to refine their understanding of the current risk landscape and adapt their strategies. See: Scenario Planning