Stopping the Next Cyber Attack on Our Water and Wastewater Systems

Josh Martin


In February 2021, an attacker gained remote access to the water treatment plant in Oldsmar, Florida, a city of roughly 15,000 residents, and raised the setpoint for sodium hydroxide (lye) in the water from 100 parts per million to 11,100 parts per million, a concentration that would cause chemical burns.

An alert operator, who noticed the mouse cursor moving on his screen and the setpoint being changed, reversed the change immediately, and city officials stated that the elevated level of sodium hydroxide would never have reached residents' homes because other checks would have caught it first. Still, the fact remains: water is life, and clean water is essential to our health. So how is it that we are doing so little to protect our water from the very real and growing threat of cyber attacks?

In July 2021, just months after the Oldsmar incident, two public wastewater plants in Maine were hit with ransomware. The following month, a California water system was similarly attacked. In January 2022, federal officials acknowledged that the cyber defenses of most US drinking water systems are inadequate.

The White House, the Environmental Protection Agency (EPA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Water Sector Coordinating Council (WSCC) are now implementing a plan to secure critical infrastructure in the water sector. This is certainly good news for the water plants that will be getting the attention and resources they need to protect their facilities and the communities they serve. But what can water and wastewater plants do to improve their security on their own?


Cyber Alerts and Mitigation Methods for Water and Wastewater Plants

In October 2021, CISA, the FBI, the EPA, and the NSA published a joint advisory (AA21-287A) titled "Ongoing Cyber Threats to U.S. Water and Wastewater Systems." The advisory details the tactics, techniques, and procedures (TTPs) commonly used to compromise the IT and OT systems of water and wastewater facilities, along with mitigation recommendations for those facilities.

According to the advisory, the main TTPs to look out for are:

  • Spearphishing – Phishing targeted at specific individuals in an organization. Attackers reach OT assets by spearphishing credentialed users for their passwords, or by logging in through remote access services such as Remote Desktop Protocol (RDP) with stolen or weak credentials.
  • Exploiting outdated or unsupported systems or software – This is common because water plants and other OT environments frequently do not, or cannot, prioritize software updates and upgrades; a controller that cannot be taken offline for patching stays exploitable.
  • Exploiting control system devices with vulnerable firmware – As with software, water and wastewater facilities often run devices with old firmware and known vulnerabilities, and such devices rarely have any exploit-mitigation features of their own.

 

To mitigate the risks of IT and OT vulnerabilities, CISA recommends that water and wastewater plants take the following actions:

 

Monitoring

Personnel who operate or monitor the plant should watch for the following indicators of threat actor activity:

  • Facility personnel being unable to access SCADA system controls, entirely or in part
  • Unfamiliar data windows or system alerts appearing on SCADA system controls
  • Abnormal operating parameters related to drinking water treatment, such as chemical dosing setpoints outside the plant's safe range
  • Access to SCADA systems by unauthorized individuals or at unusual times (for example, outside staffed shifts or from networks that should never reach the OT environment)
  • Unexplained SCADA system restarts
  • Parameter values that normally fluctuate remaining static, which can indicate a frozen or spoofed display rather than a stable process
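The indicators above are easiest to act on when they are checked mechanically against the HMI audit log and historian data rather than by eye. The following Python is an added example, not code from the original post, from CISA, or from the vendor: it screens a constructed HMI event log and a constructed telemetry series for logins from outside the OT subnet, logins outside staffed hours, setpoint changes outside a process-safe band, unexplained restarts, and tags that have stopped fluctuating. The log format, tag names, addresses, shift hours, and safe limits are all assumptions for illustration.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample HMI audit log (hypothetical format, users, tags, addresses).
HMI_EVENTS = [
    "2021-02-05T07:58:10 user=operator1 event=login src=10.20.0.15",
    "2021-02-05T09:30:00 user=operator1 event=setpoint_change tag=NaOH_ppm old=100 new=105",
    "2021-02-05T13:04:03 user=remote_vendor event=login src=203.0.113.40",
    "2021-02-05T13:05:11 user=remote_vendor event=setpoint_change tag=NaOH_ppm old=105 new=11100",
    "2021-02-06T02:17:59 user=operator1 event=login src=10.20.0.15",
    "2021-02-06T02:18:30 user=system event=restart reason=unknown",
]

# Constructed telemetry: one reading per minute for two tags that normally fluctuate.
TELEMETRY = {
    "clearwell_level_pct": [61.2, 61.4, 61.1, 60.9, 61.3, 61.0, 61.2, 60.8],
    "naoh_pump_rate_lph":  [12.0, 12.0, 12.0, 12.0, 12.0, 12.0, 12.0, 12.0],
}

OT_NETWORKS = [ip_network("10.20.0.0/24")]   # assumed: the only subnet that may log in to the HMI
SHIFT = (time(6, 0), time(22, 0))             # assumed: hours during which operator logins are expected
SAFE_LIMITS = {"NaOH_ppm": (50.0, 200.0)}     # assumed: process-safe band for the dosing setpoint


def parse_event(line):
    """Turn 'ts key=value key=value ...' into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def screen_events(lines):
    """Return (indicator, subject, detail) tuples for every CISA indicator found."""
    findings = []
    for ev in map(parse_event, lines):
        kind = ev["event"]
        if kind == "login":
            src = ip_address(ev["src"])
            if not any(src in net for net in OT_NETWORKS):
                findings.append(("login_from_outside_ot", ev["user"], ev["src"]))
            if not (SHIFT[0] <= ev["ts"].time() <= SHIFT[1]):
                findings.append(("login_outside_shift", ev["user"], ev["ts"].isoformat()))
        elif kind == "setpoint_change":
            low, high = SAFE_LIMITS.get(ev["tag"], (float("-inf"), float("inf")))
            new_value = float(ev["new"])
            if not low <= new_value <= high:
                findings.append(("setpoint_out_of_band", ev["tag"], new_value))
        elif kind == "restart" and ev.get("reason") not in ("scheduled", "operator"):
            # A restart nobody scheduled or triggered is itself an indicator.
            findings.append(("unexplained_restart", ev["user"], ev["ts"].isoformat()))
    return findings


def frozen_tags(telemetry, min_samples=6):
    """Tags whose last `min_samples` readings are identical.

    A value that normally fluctuates but has stopped changing is one of the
    advisory's indicators; it is also what a stale or spoofed display looks like.
    """
    return [tag for tag, values in telemetry.items()
            if len(values) >= min_samples and len(set(values[-min_samples:])) == 1]


if __name__ == "__main__":
    for finding in screen_events(HMI_EVENTS):
        print("event indicator:", finding)
    for tag in frozen_tags(TELEMETRY):
        print("frozen tag:", tag)
```

Run against the sample data, the screen flags the vendor login from a non-OT address, the 11,100 ppm setpoint, the 02:17 login, and the unexplained restart, and reports the dosing pump rate as frozen. In a real plant the same checks would be fed from the HMI's exported audit log and the historian, with the limits and hours taken from the plant's own operating procedures.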

Remote Access Mitigations

The advisory recommends the following controls for remote access:

  • Multi-factor authentication (MFA) for all remote access to the OT network
  • Blocklisting and allowlisting of the users, devices, and addresses permitted to connect
  • Logging and regular log review for every remote access technology in use
  • Manual start and stop of remote access sessions, replacing always-on, unattended access
  • Auditing the network for systems that expose remote access services (RDP, VNC, SSH, Telnet, vendor tools), and removing any that are not approved
  • Configuring each remote access tool to limit its scope to the specific systems and actions a user needs
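The audit item is the one most often skipped, yet it is what surfaces the forgotten VNC listener on an HMI or the Telnet port left open on a PLC. The following Python is an added example, not part of the original post or the advisory: it parses nmap's grepable (`-oG`) output for an OT subnet and lists every host exposing a remote access service that is not on an explicit allowlist. The scan output, host names, addresses, and allowlist are constructed for illustration; nmap's grepable format itself (`Host: ip (name)<tab>Ports: port/state/proto/owner/service/rpc/version/`) is real.

```python
import re

# Constructed `nmap -sS -p- -oG` output for an assumed OT subnet; hosts are hypothetical.
NMAP_GREPABLE = """\
# Nmap 7.92 scan initiated as: nmap -sS -p- -oG ot.gnmap 10.20.0.0/24
Host: 10.20.0.10 (eng-ws01)\tStatus: Up
Host: 10.20.0.10 (eng-ws01)\tPorts: 3389/open/tcp//ms-wbt-server///, 445/open/tcp//microsoft-ds///
Host: 10.20.0.21 (plc-naoh)\tPorts: 502/open/tcp//modbus///, 23/open/tcp//telnet///
Host: 10.20.0.40 (hmi-02)\tPorts: 5900/open/tcp//vnc///, 80/open/tcp//http///
Host: 10.20.0.50 (historian)\tPorts: 1433/open/tcp//ms-sql-s///, 22/open/tcp//ssh///
# Nmap done -- 256 IP addresses (4 hosts up) scanned
"""

# Ports that give an interactive session on the host. Extend for vendor tools you use.
REMOTE_ACCESS_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc", 5938: "teamviewer"}

# Assumed allowlist: the only (ip, port) pairs approved to expose remote access,
# here the engineering workstation reached through the plant's jump host.
ALLOWED = {("10.20.0.10", 3389)}

HOST_LINE = re.compile(r"Host: (\S+) \(([^)]*)\)\tPorts: ([^\t]*)")


def parse_grepable(text):
    """Map (ip, hostname) -> list of (port, proto, service) for open ports."""
    hosts = {}
    for line in text.splitlines():
        match = HOST_LINE.match(line)
        if not match:
            continue  # comment lines and "Status: Up" lines carry no ports
        ip, name, ports = match.groups()
        for entry in ports.split(", "):
            port, state, proto, _owner, service = entry.split("/")[:5]
            if state == "open":
                hosts.setdefault((ip, name), []).append((int(port), proto, service))
    return hosts


def remote_access_exposures(text, allowed=ALLOWED):
    """Hosts exposing a remote access service that is not explicitly approved."""
    exposures = []
    for (ip, name), ports in parse_grepable(text).items():
        for port, _proto, _service in ports:
            if port in REMOTE_ACCESS_PORTS and (ip, port) not in allowed:
                exposures.append({"host": name, "ip": ip, "port": port,
                                  "service": REMOTE_ACCESS_PORTS[port]})
    return exposures


if __name__ == "__main__":
    for exposure in remote_access_exposures(NMAP_GREPABLE):
        print(f"{exposure['host']} ({exposure['ip']}) exposes {exposure['service']} on {exposure['port']}")
```

On the sample scan this reports Telnet on the PLC, VNC on the HMI, and SSH on the historian, and stays silent about the approved RDP listener. Scanning live controllers is not free of risk: some PLCs fault when port-scanned, so scan OT segments from an inventory first, during a maintenance window, or with a passive asset-discovery tool, and treat the allowlist as a document to review, not a reason to stop looking.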

 

Network Mitigations

To reduce the damage an intrusion on the business network can do to the plant, the advisory recommends:

  • Implementing network segmentation between IT and OT, with a demilitarized zone (DMZ) in between so that no IT host talks directly to a controller or HMI
  • Keeping network maps current and removing from the network any equipment that no longer needs to be on it
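What "segmentation between IT and OT" means in practice is a boundary firewall whose default is to drop, with each permitted flow written down explicitly. The following nftables ruleset is an added example, not from the original post or the advisory, for a Linux firewall with one interface on the IT network (`it0`) and one on the OT network (`ot0`); the interface names, addresses, and the two permitted flows are assumptions for illustration.

```nft
# Added example: a default-deny IT/OT boundary. Interface names and
# addresses (jump host 10.10.5.20, engineering workstation 10.20.0.10,
# historian 10.20.0.50, DMZ historian replica 10.10.99.5) are assumed.
table inet it_ot_boundary {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # The weak setting this replaces is a flat network, or "policy accept"
        # with a few blocks bolted on, which lets any IT workstation reach a
        # PLC's Modbus/TCP port (502) or an HMI's VNC port (5900) directly.

        # IT -> OT: only the hardened jump host may open RDP to the engineering
        # workstation. Nothing on IT talks to a PLC or HMI directly.
        iifname "it0" oifname "ot0" ip saddr 10.10.5.20 ip daddr 10.20.0.10 tcp dport 3389 accept

        # OT -> IT: only the historian may push data out, and only to its DMZ replica.
        iifname "ot0" oifname "it0" ip saddr 10.20.0.50 ip daddr 10.10.99.5 tcp dport 5432 accept

        # Everything else crossing the boundary is counted, logged, and dropped.
        log prefix "it-ot-boundary drop: " counter drop
    }
}
```

Load it with `nft -f` and keep the output of `nft list ruleset` alongside the network map, so the map and the enforced rules are reviewed together; a rule that nobody can explain is a candidate for removal, just like the unneeded equipment in the item above.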

 

Planning and Operational Mitigations

To cover all angles of security, the advisory recommends that organizations build and regularly exercise an emergency response plan that covers a range of scenarios. The plan should include the ability to operate the plant manually if the control system is lost, and should account for third-party vendors who need access to OT systems, since their connections are both a likely entry point and something that may need to be cut off quickly during an incident.

 

Safety System Mitigations

Finally, the advisory recommends installing independent cyber-physical safety systems that physically prevent dangerous conditions from occurring even if the control system is compromised. These do not depend on the SCADA or PLC logic at all: examples include sizing a chemical feed pump so that it cannot deliver a harmful dose, gearing on valves, and pressure switches. In Oldsmar, an operator caught the change; a correctly sized feed pump would have made the 11,100 ppm setpoint physically impossible to reach.

 

How Identity-Based Connectivity Can Help Implement CISA Recommendations for Water and Wastewater Plants

Identity-based connectivity is a security strategy, applied consistently across IT and OT, that ties every connection to an authenticated identity rather than to a network location, so that weaknesses in existing authentication infrastructure (shared accounts, password-only logins, always-on vendor tunnels) are no longer enough for an attacker to reach a system. By enforcing policy on identities, it lets an organization apply uniform access rules across all systems with little deployment effort.

Identity-based access addresses the following CISA recommendations:

 

Monitoring

Cyolo's identity-based connectivity provides visibility and control over who connects to which resources and what actions they take. Cyolo blocks access by anyone who has not been explicitly authorized and records the behavior of approved users inside the system, both in real time and in audit logs, which gives operators the access-time and unauthorized-user indicators from the monitoring list above without having to assemble them by hand.

 

Remote Access Mitigations

Cyolo enforces MFA and logs every session so that only authorized personnel can reach OT and SCADA systems; this cuts off the stolen-credential and exposed-RDP paths that phishing and ransomware operators rely on for their initial foothold, though it does not on its own stop malware that is already inside the network. Users' actions are monitored and audited as well. In addition, Cyolo checks device posture, for example whether the connecting device's software is up to date, so that devices with known exploitable vulnerabilities are not allowed to connect.

 

Network Mitigations

Cyolo reduces the risk of a breach by shrinking the attack surface: applications are no longer exposed on the public network but sit behind its identity-centric ZTNA (Zero Trust Network Access) broker. Because users see only the applications they are authorized for and never the network behind them, this enforces a de facto segmentation that limits lateral movement between IT and OT systems, and within the OT environment itself. It complements, rather than replaces, the network-level segmentation the advisory calls for: a boundary firewall still has to stop the traffic that never passes through the broker.

To learn more about how Cyolo can protect your water plant or other OT systems, schedule a call today.
