Experts say the disruption of a botnet operated by the Volt Typhoon threat actors, through a collaborative mix of federal agencies and private cybersecurity firms, highlights the complexities of protecting the U.S. critical infrastructure in similar situations and provides a template for future actions.
The botnet, built from devices infected with the KV malware, resided on compromised and end-of-life small business/home office networking gear. The attackers exploited the vulnerabilities CVE-2019-1652 and CVE-2019-1653 to compromise these devices. The botnet targeted critical infrastructure within the communications, energy, transportation, and water sectors. The botnet takedown, the research behind it, and its critical infrastructure targets highlight the challenges the world faces in defending against such threats, and the private industry/government collaboration that's necessary to succeed. Still, more work needs to be done to lay the foundation for future success.
Thomas Pace, co-founder and CEO at NetRise, says the shared ownership of the U.S. critical infrastructure complicates the response to cybersecurity threats in several ways. "One of the primary factors driving the complication is the decentralized nature of the various critical infrastructure organizations," Pace explains.
This, Pace adds, is especially true as it pertains to utility companies that are operated at state and local levels where it is doubtful that they have the resources available to address mainstream malicious threat actors, let alone advanced nation-states.
Christopher Warner, senior security consultant, OT-GRC at GuidePoint Security, agrees the complexities are high. "Private organizations own and operate over 75% of our nation's critical infrastructure, which provides electricity, water, oil and gas, food and beverage plants, emergency services, hospitals, and more. These organizations have limited resources dedicated to maintaining operational technology/industrial control systems, typically without any or limited downtimes for maintenance or patching," says Warner.
"OT/ICS systems can be very complex, and the knowledge and expertise engineers need to maintain these systems add more resource constraints in finding qualified personnel on these systems, let alone [those with] knowledge of security," Warner adds.
Jackie McGuire, senior security strategist at observability provider Cribl, adds that Volt Typhoon's successful use of built-in Windows system tools and common open-source tools adds to the difficulty of detection within the already complex publicly owned networks. "Bureaucratic obstacles can exacerbate this, hindering the agility needed to deploy advanced monitoring solutions at scale," McGuire says. Rectifying that is especially important for attacks such as Volt Typhoon: the Cybersecurity and Infrastructure Security Agency (CISA) warned that these threat actors were using "living off the land" techniques to pre-position themselves for future attacks.
When it comes to defending critical infrastructure, there have been growing signs of collaboration between the federal government and the private sector in recent years. The partnership between Microsoft, telecommunications firms, and the U.S. government to disrupt the TrickBot operators in 2020 is one. Another is the private sector and government response to SolarWinds. Others include Emotet and NetWalker in 2021, as well as Avalanche in 2016. Experts note that the increase in collaboration not only shows the complexity of the challenges and of the necessary response, but also that more needs to be done.
Still, nearly all experts cite the need for increased information sharing and collaboration among governments, critical infrastructure industry stakeholders, and security vendors. "This includes sharing threat intelligence, best practices, and lessons learned from cyber incidents to improve collective preparedness and response capabilities," says Adhiran Thirmal, senior solutions engineer at Security Compass.
Current efforts include the Joint Cybersecurity Initiatives and Programs (JCDC). Initiatives like the JCDC bring together cross-industry organizations to proactively gather, analyze, and share cyber risk information. Such collaborative efforts enable the development of unified threat pictures and coordinated responses to cyber incidents, benefiting the security posture of critical infrastructure across sectors.
Another area is incident response and emergency management. One such effort is the National Cyber Incident Response Plan (NCIRP), which outlines a comprehensive national approach to cybersecurity-related incidents, including response from federal agencies, private sector entities, and private owners and operators of critical infrastructure, to help present a unified effort in cyberattack response. Such public-private partnerships are essential for effective and coordinated incident response and emergency management. By working together, both sectors can leverage their resources, expertise, and capabilities to respond more efficiently to cyber emergencies, minimizing the impact on critical infrastructure.
Over time, efforts such as the NCIRP need more integration and coordinated response modeling and practice. Experts add that the nation needs to focus on increasing the amount of cybersecurity talent active in the workforce, including perhaps developing incentives and providing resources to prioritize cybersecurity within small and medium-sized businesses (SMBs).
Continued, and even increased, success will take more creativity between the public and private sectors. NetRise's Pace has ideas. One is to improve information sharing: create a centralized registry of devices with a comprehensive listing of their vulnerabilities and associated risks. Pace contends such a registry is now possible in ways it previously wasn't. "One such example is the advent of advanced supply chain visibility capabilities that allow end users to understand the software components and other key artifacts that exist associated with these critical devices," Pace says.
According to Pace, approximately 10 key vendors primarily drive the OT/ICS infrastructure. A partnership with them, and potentially with an organization like CISA, to maintain a device registry would allow intelligence to be applied to this device supply chain and help determine where at-risk devices may be present. "One of the key challenges in OT/ICS security is understanding 'where else can this happen?' due to the lack of visibility we have traditionally had for these devices. Gaining visibility into these devices is now possible and can create a proactive security posture versus the reactive posture we are currently operating in," says Pace.
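To make the registry idea concrete, here is an added example (not NetRise's, CISA's, or any real registry's code) of a minimal device registry queried for a given CVE to answer "where else can this happen?". Only the two CVE identifiers come from the article; the vendor, model, firmware, and site values and the CVE-to-model mapping are constructed placeholders, not the real advisory data.

```python
"""Constructed device registry cross-referenced with vulnerability intelligence.
Vendor/model/firmware/site values and the CVE-to-model mapping are made up for
illustration; they are NOT the real advisory content for these CVEs."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    site: str          # owning operator (constructed)
    vendor: str        # constructed vendor name
    model: str         # constructed model name
    firmware: str      # constructed dotted version string
    end_of_life: bool  # vendor no longer ships fixes for this hardware

# Constructed advisory data: CVE -> affected (vendor, model) pairs and the first
# fixed firmware version (None means no fix exists, e.g. for EOL hardware).
ADVISORIES = {
    "CVE-2019-1652": {"affects": {("ExampleCo", "RTR-A")}, "fixed_in": "1.4.2"},
    "CVE-2019-1653": {"affects": {("ExampleCo", "RTR-A"), ("ExampleCo", "RTR-B")},
                      "fixed_in": None},
}

# Constructed inventory spanning several critical-infrastructure operators.
REGISTRY = [
    Device("water-util-1", "ExampleCo", "RTR-A", "1.3.0", True),
    Device("water-util-1", "ExampleCo", "RTR-A", "1.4.2", False),
    Device("energy-coop-7", "ExampleCo", "RTR-B", "2.0.1", True),
    Device("transit-agency", "OtherVendor", "GW-9", "5.1.0", False),
]

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def is_exposed(device, cve):
    adv = ADVISORIES[cve]
    if (device.vendor, device.model) not in adv["affects"]:
        return False
    if adv["fixed_in"] is None:
        return True  # no fix exists: every affected unit stays exposed
    return version_tuple(device.firmware) < version_tuple(adv["fixed_in"])

def where_else(cve, registry=REGISTRY):
    """Return (site, model, firmware, needs_replacement) for each exposed unit;
    needs_replacement is True when the unit is EOL or no fix is available."""
    no_fix = ADVISORIES[cve]["fixed_in"] is None
    return [(d.site, d.model, d.firmware, d.end_of_life or no_fix)
            for d in registry if is_exposed(d, cve)]
```

Running `where_else("CVE-2019-1653")` over the constructed inventory flags three units at two operators, all needing replacement rather than patching, which is the cross-operator view Pace describes.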
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.