In February 2021, a cyber attacker attempted to poison 15,000 residents in Oldsmar, Florida. After hacking into the city’s water plant system, the hacker attempted to increase the level of sodium hydroxide in the water from 100 parts per million to a lethal 11,100 parts per million.
A cautious and alert employee thankfully managed to thwart the attack, and city officials claimed the dangerous levels of sodium hydroxide would never have reached residents’ homes. Still, the fact remains: water is life, and clean water is essential to our health. So how is it that we’re doing so little to protect our water from the very real and growing threat of cyber attacks?
In July 2021, just months after the Oldsmar incident, two public wastewater plants in Maine were attacked with ransomware. The following month, a California-based water system was similarly attacked with ransomware. In January 2022, federal officials admitted that the cyber defenses of most US drinking water systems are inadequate.
The White House, the Environmental Protection Agency (EPA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Water Sector Coordinating Council (WSCC) are now implementing a plan to secure critical infrastructure in the water sector. This is certainly good news for the water plants that will be getting the attention and resources they need to protect their facilities and the communities they serve. But what can water and wastewater plants do to improve security protocols on their own?
CISA published an alert in October 2021 titled, “Ongoing Cyber Threats to U.S. Water and Wastewater Systems.” The alert details common TTPs (tactics, techniques, and procedures) used to compromise IT and OT systems, as well as mitigation recommendations for water and wastewater plants.
According to CISA, the main types of TTPs to look out for include:
Spearphishing – Phishing targeted at specific individuals in an organization. In this case, attackers gain access to OT assets by spearphishing credentialed users or via remote access methods, like Remote Desktop Protocol (RDP).
Exploiting outdated or unsupported systems or software – This is common since water plants and other OT systems frequently do not or cannot prioritize software updates and upgrades.
Exploiting control system devices with vulnerable firmware – Similar to software, water and wastewater facilities often use outdated devices, heightening their vulnerability.
To mitigate the risks of IT and OT vulnerabilities, CISA recommends that water and wastewater plants take the following actions:
Threat activity should be monitored for the following:
Ensuring unauthorized personnel cannot access SCADA system controls
Checking for unfamiliar data windows or system alerts on SCADA system controls
Detecting abnormal operating parameters related to drinking water treatment
Tracking unusual access times to systems
Checking for unexplained restarts
Checking for static parameter values that are normally dynamic
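One way to turn the monitoring list above into working detection logic, as an added example that is not part of the original post or of CISA’s alert: a small Python check run over constructed SCADA/HMI events, flagging an out-of-band chemical setpoint, a sensor value that has stopped changing, an off-hours remote login, and a restart outside any maintenance window. The tag names, limits, working hours and maintenance windows are assumptions to be tuned per plant.

```python
from datetime import datetime

# Constructed sample SCADA/HMI events (not from any real plant):
# (timestamp, kind, tag, value)
EVENTS = [
    ("2021-02-05 08:00", "sensor", "flow_gpm", 412.0),
    ("2021-02-05 08:05", "sensor", "flow_gpm", 412.0),
    ("2021-02-05 08:10", "sensor", "flow_gpm", 412.0),
    ("2021-02-05 08:15", "sensor", "flow_gpm", 412.0),
    ("2021-02-05 08:20", "sensor", "flow_gpm", 412.0),   # frozen reading
    ("2021-02-05 13:00", "setpoint", "naoh_ppm", 100.0),
    ("2021-02-05 13:30", "setpoint", "naoh_ppm", 11100.0),  # Oldsmar-style change
    ("2021-02-05 23:45", "login", "remote_rdp", "operator2"),
    ("2021-02-06 02:10", "restart", "plc_01", None),
]

# Assumed policy values (placeholders; tune per plant)
SETPOINT_LIMITS = {"naoh_ppm": (50.0, 150.0)}  # acceptable band per setpoint tag
DYNAMIC_TAGS = {"flow_gpm": 5}   # tag -> identical consecutive samples before alerting
WORK_HOURS = (6, 18)             # remote logins expected between 06:00 and 18:00
MAINTENANCE_WINDOWS = []         # list of (start, end) datetimes with planned restarts


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def analyze(events, windows=MAINTENANCE_WINDOWS):
    """Return (alert_type, timestamp, tag, value) tuples, in event order."""
    alerts = []
    runs = {}  # tag -> (last_value, consecutive_count) for static-value detection
    for ts, kind, tag, value in events:
        t = parse(ts)
        if kind == "setpoint" and tag in SETPOINT_LIMITS:
            lo, hi = SETPOINT_LIMITS[tag]
            if not lo <= value <= hi:
                alerts.append(("abnormal_setpoint", ts, tag, value))
        elif kind == "sensor" and tag in DYNAMIC_TAGS:
            last, n = runs.get(tag, (None, 0))
            n = n + 1 if value == last else 1
            runs[tag] = (value, n)
            if n == DYNAMIC_TAGS[tag]:  # alert once when the run reaches the threshold
                alerts.append(("static_value", ts, tag, value))
        elif kind == "login":
            if not WORK_HOURS[0] <= t.hour < WORK_HOURS[1]:
                alerts.append(("off_hours_access", ts, tag, value))
        elif kind == "restart":
            if not any(start <= t <= end for start, end in windows):
                alerts.append(("unexplained_restart", ts, tag, value))
    return alerts
```

Feeding the same events in from a historian export or syslog forwarder is the only change needed to run this against live data; each alert line maps directly onto one item of the CISA monitoring list.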
The following security controls are recommended:
Multi-factor authentication (MFA) for remote accessibility to the OT network
Blocklisting and allowlisting
Logging and log auditing for remote access technologies
Manual start and stop features in place of unattended remote access that is always switched on
Auditing networks for systems with remote access services
Customizing remote access settings to limit access scope
To enhance security posture, it is recommended to:
Implement network segmentation between IT and OT
Update network maps and remove unrequired equipment from networks
To cover all angles of security, CISA recommends that organizations build and practice an emergency response plan that takes various scenarios into account. This plan should include the ability to manually operate systems and the need for third-party vendors to access OT systems.
Finally, it is recommended to install cyber-physical safety systems that can prevent dangerous conditions from occurring, even if the control system is compromised by an attacker.
Identity-based connectivity is a modern security strategy and a coordinated approach across IT and OT that helps mitigate the threat from bad actors exploiting weaknesses in existing authentication infrastructure. By utilizing identities to enforce security, identity-based access can streamline uniform security policies across all systems while reducing overhead with minimal time to deploy, implement and enforce IT security.
Identity-based access addresses the CISA recommendations above in the following ways:
Cyolo’s identity-based connectivity provides full visibility and control over who connects to which resources and what actions have occurred. Cyolo prevents access by personnel who have not been explicitly authorized and enables tracking and monitoring of approved users’ behavior inside the system, both in real-time or through audit logs.
Cyolo implements MFA and log auditing capabilities to ensure only authorized personnel can access OT and SCADA systems and to prevent attacks like phishing or ransomware. Users’ actions are monitored and audited as well. In addition, Cyolo checks for device health to ensure all software is updated to prevent devices with exploitable vulnerabilities from accessing the system.
Cyolo reduces the risk of a breach by minimizing the attack surface and moving public network access to all applications behind its identity-centric ZTNA (Zero Trust Network Access) solution. Cyolo also cloaks the networks from users, enforcing de facto network segmentation to prevent lateral movement between OT and IT systems, and within the OT system itself.
To learn more about how Cyolo can protect your water plant or other OT systems, schedule a call today.
Josh Martin is a security professional who told himself he'd never work in security. With close to 5 years in the tech industry across Support, Product Marketing, Sales Enablement, and Sales Engineering, Josh has a unique perspective into how technical challenges can impact larger business goals and how to craft unique solutions to solve real world problems. Josh joined Cyolo in 2021 and previously worked at Zscaler, Duo Security, and Cisco.
Outside of Cyolo, Josh spends his time outdoors - hiking, camping, kayaking, or whatever new hobby he's trying out for the week. Or, you can find him tirelessly automating things that do NOT need to be automated in his home at the expense of his partner. Josh lives in North Carolina, USA.