Food and Ag-ISAC Alert: Pro-Russian Hacktivists Targeting HMI Vulnerabilities in OT Networks

Summary:

Threat actors continue to target operational technology as a means to disrupt critical infrastructure networks, or to pre-position malware as a just-in-case measure as global conflicts increase. Earlier this year we reported on IRGC-affiliated cyber actors targeting Israeli-produced programmable logic controllers (PLCs) to disrupt the water sector. We also highlighted reports of Chinese (PRC) state-sponsored actors compromising and maintaining persistent access to U.S. critical infrastructure with strategic and destructive malware.

Research shows that threat actors continue to target critical infrastructure organizations by exploiting vulnerabilities in operational technology networks and industrial control systems. This advisory highlights pro-Russian hacktivist attacks against human-machine interface (HMI) devices, used to breach and impact organizations in the U.S. and European Water and Wastewater Systems (WWS), Dams, Energy, and Food and Agriculture sectors.

Operational technology is commonly used across the food and agriculture sector, and organizations are encouraged to implement best practices to defend these systems from foreign adversaries. We have joined this alert to raise awareness of these types of attacks and to share best practices to prevent them. Food and agriculture companies that see such incidents are encouraged to share them with us so that we can help identify trends and engage with members and partners to help reduce risk across the sector. Impacted organizations can report findings directly to the Food and Ag-ISAC by sending an email to ops@foodandag-isac.org.

Suggested Corrections:

The alert highlights several best practices organizations can use to defend against attacks on HMI devices:

Harden HMIs

  • Disconnect all HMIs, such as the touchscreens used to monitor or make changes to the system, or programmable logic controllers (PLCs), from the public-facing internet. If remote access is necessary, implement a firewall and/or virtual private network (VPN) with a strong password and multifactor authentication to control device access.
  • Immediately change all default and weak passwords on HMIs and use a strong, unique password. Ensure the factory default password is not in use. Open the remote settings panel to confirm the old password is no longer shown.
  • Keep VNC updated with the latest version available and ensure all systems and software are up to date with patches and necessary security updates.
  • Establish an allowlist that permits only authorized device IP addresses. The allowlist can be refined to specific times of the day to further obstruct malicious threat actor activity; organizations are encouraged to establish alerting for monitoring access attempts.
    • Note: An allowlist is not a complete security solution by itself, but may increase the level of effort necessary for a threat actor to compromise a device.
Strengthen Security Posture

  • Implement multifactor authentication for all access to the OT network.
  • Log remote logins to HMIs, taking note of any failed attempts and unusual times.
  • Practice and maintain the ability to operate systems manually.
  • Create backups of the engineering logic, configurations, and firmware of HMIs to enable fast recovery. Familiarize your organization with factory resets and backup deployment.
  • Check the integrity of PLC ladder logic (LAD) or other PLC programming languages and diagrams to ensure they operate as intended, especially if an intrusion has been identified.
  • Update and safeguard network diagrams to reflect both the IT and OT networks. Operators should apply the principles of least privilege and need to know for individuals’ access to network diagrams. Maintain awareness of internal and external solicitation efforts (both malicious and benign) to obtain network architectures and restrict mapping to trusted personnel. Consider using encryption, authentication, and authorization techniques to secure your network diagram files, and implement access control and audit logs to monitor and restrict who can view or modify your network diagrams.
  • Be aware of cyber/physical-enabled threats. Adversaries may attempt to obtain network credentials by various physical means, including official visits, tradeshow and conference conversations, and through social media platforms.
  • Take inventory and determine the end-of-life status of all HMIs. Replace end-of-life HMIs as soon as feasible.
  • Implement software and hardware limits to the manipulation of physical processes, limiting the impact of a successful compromise.
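The allowlist and alerting guidance under Harden HMIs, together with the item above on logging remote logins to HMIs and noting failed attempts and unusual times, describe what an operator should be watching for. The following is an added example, not code from the alert, CISA or the Food and Ag-ISAC, of how a defender might script that review over HMI remote-access (for example VNC) log lines. The log line format, the allowlisted ranges 10.20.30.0/24 and 10.99.0.5, the 06:00-18:00 access window, the failure threshold and the sample lines are all constructed for this example.

```python
"""
Added example, not part of the Food and Ag-ISAC / CISA alert: a review of
HMI remote-access (e.g. VNC) log lines that applies three of the alert's
recommendations together: a source-IP allowlist, alerting on access
attempts, and flagging failed logins and logins at unusual times.

The log format, the allowlisted ranges and the 06:00-18:00 access window
are all constructed for this example; adapt them to your own HMI/VNC logs.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

# Hypothetical allowlist: an engineering workstation subnet and one jump host.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.30.0/24"),  # engineering workstations (constructed)
    ipaddress.ip_network("10.99.0.5/32"),   # OT jump host (constructed)
]

# Hypothetical access window in local plant time; the alert notes that an
# allowlist can be refined to specific times of day.
WINDOW_START = time(6, 0)
WINDOW_END = time(18, 0)

# Constructed line format:
#   "<YYYY-MM-DD HH:MM:SS> hmi=<name> src=<ip> result=<ok|fail> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) hmi=(?P<hmi>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>ok|fail) user=(?P<user>\S+)$"
)


@dataclass
class Finding:
    when: datetime
    hmi: str
    src: str
    reason: str


def parse_line(line: str):
    """Return (timestamp, hmi, source_ip, result, user), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return None
    return ts, m["hmi"], src, m["result"], m["user"]


def review_access_log(lines, allowed=ALLOWED_SOURCES,
                      window=(WINDOW_START, WINDOW_END), fail_threshold=3):
    """Produce one Finding per policy violation seen in the log lines."""
    findings: list[Finding] = []
    failures: Counter = Counter()  # failed-login count per (hmi, source)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as logins
        ts, hmi, src, result, _user = rec
        key = (hmi, str(src))
        if not any(src in net for net in allowed):
            findings.append(Finding(ts, hmi, str(src), "source not on allowlist"))
        if not (window[0] <= ts.time() <= window[1]):
            findings.append(Finding(ts, hmi, str(src), "access outside allowed window"))
        if result == "fail":
            failures[key] += 1
            if failures[key] == fail_threshold:
                findings.append(Finding(ts, hmi, str(src), "repeated failed logins"))
        elif failures[key] >= fail_threshold:
            # A success right after a run of failures is the pattern worth a call.
            findings.append(Finding(ts, hmi, str(src),
                                    "successful login after repeated failures"))
    return findings


def summarize(findings) -> dict[str, int]:
    """Count findings by reason, for a quick triage view."""
    return dict(Counter(f.reason for f in findings))


# Constructed sample log: one off-hours login from an allowed host, and a run of
# failed logins followed by a success from an address outside the allowlist.
SAMPLE_LOG = [
    "2024-05-01 09:15:02 hmi=pump-station-3 src=10.20.30.14 result=ok user=operator",
    "2024-05-01 23:41:10 hmi=pump-station-3 src=10.20.30.14 result=ok user=operator",
    "2024-05-01 10:02:55 hmi=pump-station-3 src=198.51.100.23 result=fail user=admin",
    "2024-05-01 10:03:01 hmi=pump-station-3 src=198.51.100.23 result=fail user=admin",
    "2024-05-01 10:03:08 hmi=pump-station-3 src=198.51.100.23 result=fail user=admin",
    "2024-05-01 10:03:20 hmi=pump-station-3 src=198.51.100.23 result=ok user=admin",
    "this line is not in the expected format and is ignored",
]

if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"{f.when:%Y-%m-%d %H:%M} {f.hmi} {f.src}: {f.reason}")
    print(summarize(review_access_log(SAMPLE_LOG)))
```

Run against the constructed sample, the review reports seven findings: four for the non-allowlisted source, one for the off-hours login from an allowed workstation, one when the third failed login is seen, and one for the success that follows those failures. In practice the allowlist check belongs on the firewall or VNC service itself, as the alert says; the log review is the alerting layer that tells you when that control has been reached around or misconfigured.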
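The two items above on backing up HMI engineering logic, configurations and firmware and on checking the integrity of PLC ladder logic after an intrusion both depend on having a trusted reference to compare against. The following is an added example, not from the alert, CISA or the Food and Ag-ISAC, of a simple SHA-256 manifest that is built when a backup is taken and later used to list modified, removed and added files. The directory layout, file names and file contents in demo() are constructed; the alert names no particular tool or format.

```python
"""
Added example, not from the alert: a SHA-256 manifest for HMI/PLC backups
(engineering logic, configuration, firmware). Build the manifest when the
backup is taken, store it off the device, and verify the working copies
against it later to list modified, removed and added files. The directory
layout and file contents used in demo() are constructed.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large firmware images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's root-relative POSIX path to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree against a stored manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k, d in manifest.items() if k in current and current[k] != d),
        "removed": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def is_clean(report: dict[str, list[str]]) -> bool:
    """True when nothing was modified, removed or added."""
    return not any(report.values())


def demo() -> dict:
    """Build a constructed project tree, baseline it, then alter it and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        files = {
            "ladder/main.lad": b"NETWORK 1\n  LD  I0.0\n  =   Q0.0\n",  # constructed ladder logic
            "config/hmi.cfg": b"[remote]\nvnc_enabled=false\n",          # constructed HMI config
            "firmware/hmi-v1.bin": bytes(range(256)) * 4,                # constructed firmware blob
        }
        for rel, data in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)

        # Baseline taken at backup time; the JSON round-trip shows it can be
        # stored off the device and reloaded later.
        baseline = json.loads(json.dumps(build_manifest(root)))
        before = verify_manifest(root, baseline)

        # Simulated changes an operator would want flagged on the next check.
        (root / "ladder/main.lad").write_bytes(b"NETWORK 1\n  LD  I0.0\n  =   Q0.1\n")
        (root / "firmware/hmi-v1.bin").unlink()
        (root / "config/extra.cfg").write_bytes(b"[remote]\nvnc_enabled=true\n")
        after = verify_manifest(root, baseline)

    return {"baseline_files": len(baseline), "before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only as trustworthy as where it is kept: store it with the offline backup, not on the HMI it describes, so that whatever altered the device cannot also rewrite the reference. A clean report after a factory reset and backup deployment is also a quick confirmation that the restore completed as expected.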
The Food and Ag-ISAC has prepared a best practice document to help secure small and medium-sized businesses in the food and agriculture sector. This document provides low-cost, easy-to-implement best practices that can help less mature organizations bolster their security when they may not have the resources to implement robust controls.

https://www.cisa.gov/resources-tool...gainst-ongoing-pro-russia-hacktivist-activity