Cyberattack Disrupts Operations at Johnson Controls International

On Sep. 27, government contractor Johnson Controls International (JIC) filed an 8-K with the US Securities and Exchange Commission (SEC) disclosing a cybersecurity incident. JIC manufactures industrial controls systems and solutions for autonomous buildings, and it is a US government contractor.

Shortly after the incident was disclosed, it came to light that the cyberattack may have impacted the Department of Homeland Security (DHS). DHS is investigating the possibility that the attack compromised physical security related to its floor plans, according to CNN.

This attack comes ahead of a potential government shutdown, which could introduce more cybersecurity risks for the federal government and the country’s critical infrastructure.

The JIC Cyberattack

In its brief SEC filing, JIC reports that the cybersecurity disrupted “portions of its internal information technology infrastructure and applications.” While the company goes through its incident response plan and remediation efforts, it anticipates the cyberattack will continue to cause disruptions to its operations, according to the filing.

The cybersecurity incident appears to be a ransomware attack. Nextron Systems researcher Gameel Ali shared a ransom note from cybergang Dark Angels in a tweet, Dark Reading reports. The cyber attackers encrypted JIC’s VMware ESXi machines, according to BleepingComputer.

Related:Damage Control: Addressing Reputational Harm After a Data Breach

An Expanding Attack Surface

This attack highlights the need to look at nontraditional IT assets, like building control systems, that are a part of the expanding attack surface, according to Tom Guarente, vice president of external and government affairs at cybersecurity company Armis. “All of those things that typically have not been part of the purview of security teams … are becoming more and more targets for nation states and criminal organizations,” he says in a phone interview.

Compromised IoT assets, industrial control systems and supervisory control and data acquisition networks could have significant security implications. Todd Helfrich, vice president of federal at exposure management and threat hunting software company Censys, emphasizes the importance of comprehensive asset management including all IT assets, cloud assets and building control systems.

“Continuously monitor for changes in configuration, new assets coming online that [you] weren't familiar with and ensure … that there’s a regimented not only patch validation but testing and release and implementation procedure,” he tells InformationWeek over the phone.

Related:What Cybersecurity Gets Wrong

Third-Party Risk

The impact of a cyberattack often ripples through the interconnected supply chain as seen in this case. JIC is the initial victim of this ransomware attack, but as a government contractor, it has access to sensitive information from DHS.

While data theft is a major concern in cyberattacks, there is potential for more damage. “Is ransomware truly the objective, or is this potentially just a ruse [to] disguise … a more surgical attack?” Helfrich wonders. “A smart adversary might create a ruse and implement some sort of software supply chain attack, similar to what we saw a couple of years ago with Solar Winds.”

The campaign of cyberattacks that targeted SolarWinds led to approximately 18,000 of the network management software company’s customers to receive a compromised software update, according to the US Government Accountability Office.

How far could the impact of a cyberattack like the one executed against JIC ripple outward? It depends on what kind of system access a threat actor gains, their dwell time, and what data was compromised. But untangling the supply chain to understand third-party risks fully has become increasingly complicated.

“Think about a single supplier and their delivery to a government organization and how many subcontractors that they have behind them that are providing services,” says Helfrich.

Related:2023 Cyber Risk and Resiliency Report: How CIOs Are Dueling Disaster in 2023

A Possible Shutdown

While JIC and its customers work through the fallout of this ransomware attack, the possibility of more cybersecurity vulnerability at the federal level approaches. A shutdown has been averted for now, but a continuing resolution sets a new deadline for Congress to pass a budget: Nov. 17.

If a shutdown does happen, the government’s cybersecurity workforce will be drastically reduced. The Cybersecurity and Infrastructure Security Agency, for example, would furlough more than 80% of its workers.

“This has greater implications than simply having fewer hands on deck to maintain security controls, respond to alerts, etc.,” Patrick Harr, CEO at SlashNext, a generative AI security solutions company, tells InformationWeek via email. ““A shutdown signals to cybercriminals that this is a perfect time to launch attacks; nefarious actors love to operate in times of confusion and doubt.”

If a major cyberattack occurs, either directly against a government agency or against one of its third-party vendors, a depleted staff could make it more difficult to detect, respond, and remediate.

In addition to the immediate risk of increased attack velocity, a shutdown could hamper cybersecurity progress. “A government shutdown is going to affect not just current contracts but planned programs and contracts, upgrades and enhancements to our cybersecurity infrastructure and framework,” explains Guarente.

This shutdown, if it happens, won’t be the first. Past shutdowns have illustrated the importance of limiting security controls disruption, and some preparation can be done in advance, according to Harr.

“For example, security professionals could ensure that all patches are up to date or set to patch automatically, renew any security subscriptions that might lapse during the shutdown and leverage automation to thwart/respond to threats as much as possible,” he says.

Guarente calls for a shift in the way cybersecurity is viewed: more like a function that needs to be in a state of perpetual readiness, much like the military, and less like general IT support.

“All of us in this arena believe that cybersecurity needs to be insulated from many of the political battles that we see every time the budget comes up to be renewed,” he says.