
Bay Area Water System Surfaces as an Apparent Cyber Victim

June 18, 2021
News is surfacing about another cyber attack, this time targeting a major water system.

As adversaries' focus on critical infrastructure appears to intensify, news has surfaced about an apparent attack on the San Francisco Bay Area water supply.

NBC News first reported that the unidentified hacker used a former plant employee's username and password to gain entry to the unidentified Bay Area water treatment facility on Jan. 15. While confirming the breach, Michael Sena, executive director of the Northern California Regional Intelligence Center, said no threat to public safety existed.

Regardless, the latest occurrence should be a lesson as well as a warning to those in charge of managing and protecting infrastructure.

The consequences of a data breach can vary greatly depending on the intention of the adversary, explains Bill O’Neill, vice president, public sector at ThycoticCentrify, in a statement. “Some hackers simply aim to cause disruption. Others extract valuable PII to sell on the Dark Web, while others look to extort money due to ransomware. When a cyberattack is attempted against critical infrastructures such as hospitals, electrical grids, or water systems, the potential repercussions can affect thousands of individuals like you and me. It can be devastating — or even deadly,” said O’Neill. “In fact, the 2020 Global State of Industrial Cybersecurity report found that 74% of IT security professionals are more concerned about a cyberattack on critical infrastructure than an enterprise data breach.” 

According to O’Neill, the Oldsmar water treatment plant incident and the newly uncovered Bay Area water supply attack should serve as urgent reminders to organizations about taking precautionary steps before a cyberattack occurs.

“To help lock down critical systems, we suggest enforcing least privilege and adopting what is referred to as a zero trust approach. This means trusting no one until they have been adequately verified and validated, re-establishing trust,” he said. “Through self-service workflows, admins can request elevated privileges just-in-time for a limited time. This approach of verifying who is requesting access, the context of the request, and the access environment’s risk combine to mitigate the risk of a breach.”

Critical national infrastructure (CNI) is at the top of the target list for adversaries, given the impact if successful -- even in part, added Sam Humphries, security strategist at Exabeam. “The need to understand and baseline normal in terms of critical asset/system access is absolutely key in protecting critical infrastructure. Regardless of whether systems in operational technology (OT) environments are air-gapped or not, if there’s a digital route to the system, then it’s at risk,” said Humphries, in a statement. “We’ve got to ensure we are monitoring OT systems far more diligently by capturing all viable log data in terms of access control, system settings and maintenance. Any abnormality -- regardless of how small -- should be investigated, triaged and managed accordingly. Relying on users alone for the protection of our CNI systems does not (and will not) scale.”  

According to Humphries, working smarter with automation technologies in managing large volumes of data streams, analyzing them for anomalies and reporting risk in real time, is the only way forward for CNI protection. “This, in partnership with continued user education in being diligent and applying critical thinking analysis to system activity reports, is critical,” he said.

According to Chris Grove, Technology Evangelist at Nozomi Networks, a critical infrastructure security specialist, while it's important to keep an eye on major events, we should also avoid over-sensationalized headlines intended to spread fear. Some headlines take the act of deleting code and jump to attempted mass poisoning. Even the facility operator pointed this out. There was not an attempt at poisoning the water supply.

“That said, this is a stark reminder on how insecure our nation’s water facilities are. The circumstances surrounding this event show a lack of two-factor authentication, password procedures, monitoring, and other defenses. There are many facilities that are in the same situation - same remote access woes, same password problems, and the same underfunded, understaffed cybersecurity defenders,” said Grove in a statement. “By securing remote access, and monitoring for anomalies in key processes, security teams can quickly identify unusual activity – such as abnormally high number of remote connections, the use of unusual protocols in those connections, and atypical behavior of the remote user — before operations are actually disrupted.”
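The monitoring Humphries and Grove describe, baselining each user's normal remote access and then flagging deviations (a de-provisioned account, an unseen protocol, off-hours logins, a burst of connections), sketched as an added example that is not from the article or from any vendor quoted in it. The log format, field names, staff roster and sample lines are constructed assumptions for the example.

```python
"""Added example: baseline normal remote-access behaviour per user, then flag
deviations (former accounts, unseen protocols, off-hours, login bursts).
Log format, field names and the ACTIVE_ACCOUNTS roster are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime
ACTIVE_ACCOUNTS = {"operator1", "operator2"}  # constructed roster of current staff
# Constructed lines: "<ISO time> user=<name> src=<ip> proto=<protocol> event=login"
BASELINE_LOG = [
    "2021-01-11T08:05:00 user=operator1 src=10.0.5.21 proto=teamviewer event=login",
    "2021-01-11T14:10:00 user=operator1 src=10.0.5.21 proto=teamviewer event=login",
    "2021-01-11T09:00:00 user=operator2 src=10.0.5.30 proto=teamviewer event=login",
    "2021-01-12T09:10:00 user=operator2 src=10.0.5.30 proto=teamviewer event=login",
]
OBSERVED_LOG = [
    "2021-01-15T08:01:00 user=operator1 src=10.0.5.21 proto=teamviewer event=login",
    "2021-01-15T03:12:00 user=jdoe_former src=203.0.113.7 proto=teamviewer event=login",
    "2021-01-15T10:00:00 user=operator2 src=10.0.5.30 proto=teamviewer event=login",
    "2021-01-15T10:05:00 user=operator2 src=10.0.5.30 proto=rdp event=login",
    "2021-01-15T10:09:00 user=operator2 src=10.0.5.30 proto=teamviewer event=login",
]

def parse(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def build_baseline(lines):
    """Per user: mean logins per active day and the set of protocols seen."""
    daily, protos = defaultdict(Counter), defaultdict(set)
    for rec in map(parse, lines):
        daily[rec["user"]][rec["ts"].date()] += 1
        protos[rec["user"]].add(rec["proto"])
    return {u: sum(c.values()) / len(c) for u, c in daily.items()}, dict(protos)

def detect(baseline, lines, burst_factor=2, work_hours=(6, 20)):
    """Return one human-readable alert per deviation from the baseline."""
    mean, protos = baseline
    alerts, per_day = [], defaultdict(Counter)
    for rec in map(parse, lines):
        user, ts = rec["user"], rec["ts"]
        if user not in ACTIVE_ACCOUNTS:  # de-provisioned or unknown account
            alerts.append(f"{ts} login by inactive account {user} from {rec['src']}")
        if user in protos and rec["proto"] not in protos[user]:
            alerts.append(f"{ts} {user} used unseen protocol {rec['proto']}")
        if not work_hours[0] <= ts.hour < work_hours[1]:
            alerts.append(f"{ts} off-hours login by {user}")
        per_day[user][ts.date()] += 1
    for user, days in per_day.items():  # connection volume vs. the user's own normal
        for day, n in days.items():
            if n > burst_factor * max(mean.get(user, 0), 1):
                alerts.append(f"{day} {user}: {n} logins vs baseline {mean.get(user, 0):.1f}/day")
    return alerts
```

On the constructed data this yields four alerts: the former account, its off-hours login, operator2's unseen protocol, and operator2's login burst.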

“The breach that gave attackers access to the Bay Area water treatment plant is only the latest attack on the country's critical food, utility and energy infrastructure. Similar to recent attacks on water treatment plants in Florida and Pennsylvania, it's fortunate that no citizens appear to have been endangered,” said Neil Jones, cybersecurity evangelist, Egnyte, in a statement. “In this case, the attacker managed to access a former staff member's TeamViewer account, an account that permits employees to remotely access their computers. Such remote-access technology is mission-critical for a water treatment plant that's required to function on a 24/7/365 basis.”

Unfortunately, we see far too often that there are methods and tools being employed that don’t meet the security and control needs of municipal organizations, explains Jones. “Security is more than a checklist, and recent reports indicate that 1 in 10 waste or wastewater plants has a critical security vulnerability. The best solutions fit in a broader sense of governance, but still make it easy to share files with anyone without compromising security and control,” he said.

“The reality is that all data is vulnerable without proper data governance and password management techniques, and it is imperative that organizations protect the data itself, not just the technical infrastructure around it. This type of security incident happens regularly, particularly now that many of us are working in decentralized teams," said Jones. "If secure file collaboration tools are implemented correctly, they can render cybercriminals’ attacks useless. Used in a case like this where the adversaries were able to infiltrate the network, the files themselves would be inaccessible to outsiders, and crucial public systems would remain safe.”
