Security Architecture, Endpoint/Device Security, IoT, Security Strategy, Plan, Budget, Threat Management, Governance, Risk and Compliance, Critical Infrastructure Security

Public utilities in the US need to lock down critical infrastructure facilities

Share
Today’s columnist, Elad Ben-Meir of SCADAfence, writes that the attack on the water treatment plant in Oldsmar, Fla.,was a “wake-up call” and that all public utilities have to get serious about securing critical infrastructure.

Critical infrastructure such as water treatment facilities and electric power plants in the United States have become more vulnerable than ever to a cyberattack. Security perimeters have been stretched with the addition of many kinds of IoT devices at a time when industrial operating systems are increasingly operated remotely, opening up new threat vectors and numerous entry points for attackers.

In the United States alone, there are about 54,000 distinct drinking water systems and many are currently highly vulnerable to ransomware attacks or malicious breaches, as they largely rely on some type of remote access to monitor and/or administer their systems. Many of their facilities are also unattended, particularly during the pandemic. They are generally underfunded, and rarely have anyone watching the IT operations around the clock, meaning any initial breach via an IoT device can get ruthlessly exploited for hours before being detected, placing the targeted facility firmly in the hackers’ hands.

There’s currently no legal requirement for those managing utilities in the United States to report cyber breaches to the authorities and most are reluctant to risk causing panic on the part of the general public by announcing cyber breaches at water facilities and power stations when they do occur. Unfortunately, this has resulted in something of a culture of complacency, where it’s difficult for those in charge of critical infrastructure to share threat intelligence regarding incoming attacks. This has left many utilities not only vulnerable to attacks from highly organized professionals, but also to those executed by relatively unskilled hackers

Pinellas County Sheriff Bob Gualteri called the recent attack on the water supply in Oldsmar, Fla., “a wake-up call.” Before they were detected, the hackers had been attempting to increase the volume of sodium hydroxide in the local water supply over a hundredfold, effectively turning it into a potentially lethal corrosive and deadly poison. In common with many other facilities, Oldsmar uses a SCADA (Supervisory Control and Data Acquisition) system that lets staff monitor and control conditions within the facility. At the same time, the staff used TeamViewer to monitor and control systems within the SCADA network remotely.

Unfortunately, the Oldsmar facility was connected directly to the internet without any type of firewall protection having been installed and all the employees shared the same password to access TeamViewer. This left the systems wide open to attack. The Oldsmar facility was also using Windows 7, an outdated software no longer supported by Microsoft. The Massachusetts Department of Environmental Protection has also identified additional unsafe practices or behaviors at the Oldsmar water treatment plant that significantly increased the risk.

Public utilities such as water treatment facilities should create specific firewall-like rules for variables such as a: “Sodium Hydroxide ppm Anomalous Value” alert, thereby raising an alert if the value of Sodium Hydroxide in the water exceeded the maximum value of 40 parts per million (ppm) or fell below 1 ppm. Utilities should also use continuous network monitoring and remote access technologies to get visibility into their OT networks and keep their critical infrastructure networks secure.

With this type of holistic approach to network monitoring, anomaly detection, remote access visibility, and compliance, water and wastewater, can reduce the risk level of future attacks by up to 95 percent. But standard safeguards such as these can do little to protect America’s critical infrastructure from more determined attacks by skilled hacker groups, as last summer’s systematic attacks on Israel’s water infrastructure by Iranian hackers illustrate. The hackers routed the attacks through servers located in the United States to try and cover their tracks.

The global organizations that supply the OT systems and equipment needed to run public utilities, including Siemens, Mitsubishi Electric, and ABB, now face a huge challenge. Ransomware gangs and hostile nation states are now quick to identify flaws in their systems they can exploit to execute a successful attack. For example, a serious vulnerability in an ABB single specially-crafted packet sent by an attacker over the ABB protocol on port 1200 will cause a denial-of-service (DoS) vulnerability that could result in a hardware failure, allowing remote code execution, which would let the hackers take control of the system with potentially lethal results.

In addition to constant monitoring of the OT system for anomalies and intrusions, utilities should always use a firewall or virtual private network to prevent unauthorized access when they need to grant Internet access. Where possible, separate the IT network from the OT network segment, while limiting the access between the two segments. It’s also essential to install and maintain effective firewalls to block access from untrusted networks and hosts.

Reported breaches of critical infrastructure are only the tip of an iceberg of cyberattacks now sweeping across the U.S. Those managing industrial plants and critical infrastructure urgently need to extend their traditional security perimeters to ensure full network visibility to detect any anomalous behavior and malicious activities – including those that originate in remote access.

Elad Ben-Meir, chief executive officer, SCADAfence

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.