A failed attack in Florida reveals cybersecurity gaps in water systems
Recently there has been an increase in cybersecurity incidents and attacks on facilities that supply drinking water to communities, including facilities responsible for its treatment as well as sewage disposal. The best-known example is the hacking attack on the Florida water treatment system in February 2021. The attacker connected to the chemical dosing controllers and tried to increase sodium hydroxide levels. Fortunately, the attack was thwarted by the operator.
What could have happened if the operator had been on a break at that moment? The possible effects of this attack are left to your imagination.
The attack in Florida did not go unnoticed in Poland: the R-CYBER-1/2021 cybersecurity recommendations for the water and sewage sector have just been published. They contain a set of security recommendations whose implementation is intended to significantly increase the resilience of industrial control systems in facilities providing water and sewage services.
As a reminder, the water and sewage sector is one of the elements of national critical infrastructure, and this includes facilities managed both by government administration and by local government units.
Below is a summary of the recommendation with a short commentary:
1. Minimize the exposure of the industrial network, at both local and interconnection points, by identifying connections to and from it and limiting them to those that are necessary.
Easier said than done. OT vendors, service technicians or simply administrators require remote access. It is almost inevitable nowadays.
Of course, if we can separate the network, preferably with galvanic (physical) isolation and without any operational losses, then go for it! Otherwise, all we can do is carry out the aforementioned identification, i.e.:
- inventory and categorize accesses
- impose security policies on individual groups
- implement, monitor and ensure that they are complied with
The aforementioned policies will affect an ecosystem of many companies, so the effects should be expected in the long term.
2. Separation of OT systems from customer-oriented IT systems, and monitoring and management of interactions between the areas. It is recommended to avoid connecting the network to the public network, in particular the network
Unfortunately, the entire business intelligence layer, whether SCADA or DCS, "hooks" into IT when it uses business applications, databases or communication protocols. Today the IT/OT connection is a necessity, as is an Internet connection. The only solution is to secure the IT/OT and OT/Internet points of contact. It is better to secure them now than to face a critical incident in the future.
3. If remote access is necessary (e.g. to collect data from and manage extensive infrastructure), it should always be performed using a VPN with a tool enabling the use of multi-factor authentication (MFA).
The catch here is the technology that third-party service providers employ. A somewhat revolutionary, and in our opinion necessary, step would be to make appropriate security mechanisms for remote connections one of the criteria for selecting OT solution providers.
4. Review remote access and keep it to a minimum. In particular, attention should be paid to cellular modems and remote access methods used by subcontractors.
As soon as possible.
5. Change the default credentials following good strong-password practices (if the device supports such passwords) on all devices, in particular devices with a web interface, and disable unused accounts.
And not only in OT networks, but wherever possible.
6. Where possible, restrict VPN access to specific IP addresses or address ranges.
7. If it is necessary to transmit telemetry data remotely via a cellular network, dedicated private APNs should be used.
8. The software of the systems and devices in use should be updated, in particular during scheduled shutdowns. Before updating, an analysis of the potential impact of the update on business continuity should be carried out (in particular, the update may introduce elements that cause a loss of compatibility with, for example, low-level software). Therefore, every update should first be tested in a test environment before it is applied in production.
The point on updating OT systems deserves a separate article. Briefly:
- We are talking about a service that is essential for the functioning of society. Turning it off for the update period (if that is possible at all) requires several weeks (or months) of preparation.
- Updates tend to be frequent.
- Not everyone has a test environment.
- Nobody in OT will let untested software into "production".
9. Network segmentation should be used, at least at the boundary of the industrial network and preferably also inside it, depending on the size and complexity of the plant.
10. Periodic analysis of device visibility should be carried out by external scanning of the address range belonging to the facility or by using tools such as Shodan.
Zoomeye.org is also a good tool.
11. Register contact persons with incident response teams (national-level CSIRTs) to establish a fast-track response in the event of an incident.
12. Every cyberattack and security incident should be immediately reported to the appropriate national-level CSIRT.
As a warning, we present what negligence led to a potentially life-threatening cyberattack in Florida:
What specifically failed:
- Weak password management policy. All computers had the same password for remote access,
- All computers used to manage the service were connected to the Internet,
- No firewall.
How to fix it?
Let's start with a reminder of how the CIA attributes (Confidentiality, Integrity, Availability) are prioritized in OT:
- Availability: issue #1 for all operators and a potentially critical health and safety issue.
- Integrity: How to protect the target system from unauthorized changes.
- Confidentiality: how to protect system details from unauthorized access and misuse.
The foundation of OT security consists of three solutions on which the ecosystem can be built. Let's call them the "OT triad":
Industrial Firewall / IPS is a physical device deployed in transparent-bridge mode, for seamless integration with and uninterrupted operation of OT systems, that sits in front of critical endpoints, protecting PLCs, VFDs and other networked devices. It learns and enforces normal operations in the plant environment and actively eliminates threats to OT in real time.
The firewall should protect the ICS network against:
- unauthorized configuration changes,
- device resets, device readings,
- logic updates and value messages.
Because these data flows are extremely sensitive, rules are built from the traffic patterns learned in the protected environment and take into account the unique characteristics of the different protocols, systems and environments. For products operating in an OT environment to be truly useful, they need to understand operational value ranges, so that threshold or out-of-range violations are detected and handled appropriately according to the needs of each user in the customer environment.
Typically, this is the last line of defense to protect your establishment’s assets from unauthorized or unintentional (misuse) use.
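As an added example (not code from the article or from any vendor product), here is a minimal Python sketch of the kind of value-range and writer enforcement such a transparent bridge performs on Modbus/TCP write requests. The dosing register, its sane range [50, 300] and the single HMI address allowed to write it are constructed stand-ins for what a real product would learn from traffic.

```python
import struct

WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS = 0x06, 0x10   # state-changing Modbus function codes

# Constructed policy for one dosing PLC (unit id 1; holding register 40001 is address 0):
# (name, lowest sane value, highest sane value, source IPs allowed to write).
# In a real product these would come from the firewall's learning phase, not be hand-typed.
POLICY = {(1, 0): ("naoh_dose_setpoint", 50, 300, frozenset({"10.0.1.10"}))}

def parse_write(frame: bytes):
    """Parse a Modbus/TCP write request; return (unit, addr, [values]) or None for non-writes."""
    if len(frame) < 8:
        return None
    _tid, _pid, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    pdu = frame[8:6 + length]          # MBAP length field counts unit id + PDU
    if fc == WRITE_SINGLE_REGISTER and len(pdu) == 4:
        addr, val = struct.unpack(">HH", pdu)
        return unit, addr, [val]
    if fc == WRITE_MULTIPLE_REGISTERS and len(pdu) >= 5:
        addr, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        if nbytes == 2 * qty and len(pdu) == 5 + nbytes:
            return unit, addr, list(struct.unpack(">%dH" % qty, pdu[5:]))
    return None

def evaluate(src_ip: str, frame: bytes) -> str:
    """Decide 'allow' or 'block:<reason>' for one frame crossing the transparent bridge."""
    parsed = parse_write(frame)
    if parsed is None:
        return "allow"                 # reads are not policed in this example
    unit, addr, vals = parsed
    for i, val in enumerate(vals):
        pol = POLICY.get((unit, addr + i))
        if pol is None:
            return f"block:write to unlearned register {unit}/{addr + i}"
        name, lo, hi, writers = pol
        if src_ip not in writers:
            return f"block:{src_ip} may not write {name}"
        if not lo <= val <= hi:
            return f"block:{name}={val} outside [{lo}, {hi}]"
    return "allow"

def mbap(unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU (function code + data) in a Modbus/TCP header (constructed test frames)."""
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit) + pdu

NORMAL_SETPOINT = mbap(1, struct.pack(">BHH", 0x06, 0, 120))    # HMI sets 120: within range
HUGE_SETPOINT = mbap(1, struct.pack(">BHH", 0x06, 0, 11100))    # same register set to 11100: blocked
```

The same frame from an unlisted source address is blocked even when the value is in range, which is the "who may write what" half of the policy that a plain IP firewall cannot express.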
Industrial Access: OT has not resisted digital evolution; remote access is now necessary and often included in the SLAs of manufacturers of OT network communication solutions. OT remote access solutions are more granular than any plain VPN, thanks to the ability to control access based on policies configured according to:
- Type of user
Policies should be continuously enforced during access sessions, providing a controlled option for remote workers or external vendors to access endpoints in the OT network.
The Data Diode creates a sealed tunnel (air gap) that controls, restricts and enables communication from sensitive, proprietary parts of the OT network. It provides isolated, one-way data transfer in such a way that no network information is exposed. The diode creates full isolation between protocols and between the two network segments, and thus transmits data without exposing them to an untrusted network, providing protection against unauthorized communication.
The key benefits of the implementation are:
- Only one-way data transfer is allowed, secured by optical isolation.
- Control of various protocols and data types – both OT and IT.
- Possibility of multi-level validation of your OT flows: original file structure, AV signatures, DLP sensitive data and heuristic analysis.
- Consolidation of security events: standard operating syslog, binary audit and data transfer logging.