The U.S. government has warned about cyberthreats to the technology behind so-called "critical infrastructure," especially in the energy sector, and is urging providers to take steps to harden their networks against attack.
The Department of Energy, Cybersecurity and Infrastructure Security Agency, FBI and other parts of the government said on Wednesday that unnamed but "advanced" actors appear to have the "capability to gain full system access to multiple" types of devices involved in industrial control.
The warning comes amid concerns from cybersecurity experts that hackers aligned with Russia could target, or accidentally disrupt, systems worldwide as part of the country's war in Ukraine. Last month, President Biden personally pushed U.S. companies, especially those that control pipelines, refineries and other fossil fuel infrastructure, "to lock their digital doors," citing "evolving intelligence" that Moscow was exploring the possibility of a cyberattack.
The recent advisory from the government is reminiscent of the ransomware attack against the Colonial Pipeline last year, which disrupted the operation of the largest fuel pipeline in the U.S., causing an increase in prices and even shortages in some places along the East Coast. (Some of those shortages were driven by hoarding.) The cyber gang behind the attack may be based in Russia.
The hack reflected a lack of cybersecurity standards and support from the federal government to ensure that what is currently critical infrastructure remains secure. It also showed that relying on aging fossil fuel infrastructure, in addition to damaging the climate, comes with serious risks. With gas prices remaining high, a Colonial Pipeline-esque hack could cause more economic damage.
While fossil fuel infrastructure is front and center, utilities and industrial operations could also be at risk from the new hacking threat. In its Wednesday warning, the U.S. listed several devices, saying the cyber actors threatening them had "developed custom-made tools for targeting" the systems. According to the Department of Commerce, industrial control systems — for which the government cited several devices in its advisory — may handle manufacturing and transportation, as well as electrical, mechanical or hydraulic systems.
The U.S. recommended more than a dozen mitigation measures, including multifactor authentication for remote access, a shift from default passwords to "device-unique strong passwords," maintenance of offline backups and "strong perimeter controls" around affected systems.