Analysis of a Water Treatment Plant Attack

Lessons Learned for Mitigating Threats to Industrial Control Systems

Over the years, cyberattacks on industrial control systems (ICS) have increased rapidly across many organizations. Most industrial control systems and critical infrastructure operational technology (OT) were built long before anyone intended to interconnect them with IT networks. As IT and OT networks and systems have converged, the integration has created new efficiencies and benefits. However, the convergence and the expanded attack surface also introduce new vulnerabilities.

Security weaknesses like outdated operating systems, poor password security, desktop sharing software, and lack of network segmentation leave organizations highly vulnerable to hackers, which can result in destructive consequences for industrial environments. It is best practice for organizations to be aware of and anticipate advancing threats and to make cybersecurity a top priority when it comes to critical infrastructure. This requires security leaders to develop a proactive approach to protecting industrial areas from risk and to prepare security teams to detect and mitigate attacks before they cause harm.

Let's evaluate a real-world attack on a water treatment plant and discuss some key takeaways that critical infrastructure operators should be aware of.

Evaluating the Florida Water Plant Hack

In February 2021, an unknown hacker gained access to the computer systems of a water treatment plant in Oldsmar, Florida. The trespasser identified weaknesses within the plant’s security, obtained remote access to the software that controls chemical levels, and increased the levels of sodium hydroxide – a lethal chemical typically used to clean drain pipes.

Local government infrastructure can be a target for cyberattacks because it often lacks the funding to update operating systems and implement newer security mechanisms, which makes these environments challenging to protect.

Fortunately, in this case, a user noticed lagging on their system and reported it to the security team. The security team addressed the concern before it caused any major issues. However, if the attack had gone undetected, the accumulated amount of sodium hydroxide could have been lethal for human consumption if distributed through the water supply. This highlights the severity of potential chain reactions from cyber threats at critical infrastructure sites.

What Was Exploited

Outdated Operating System

The plant was running Windows 7, an operating system that Microsoft had stopped supporting in early 2020. With no further security updates being released, the plant had an outdated operating system in 2021, leaving it susceptible to exploits.

Poor Password Security

The hacker was able to gain remote access through a shared password used across the board, which is bad practice – and negligent. Rotating passwords every 24 hours could make it more difficult for a cyber intrusion to occur.

Unused Software

The plant had TeamViewer, a popular remote desktop access software solution, on its systems even though the plant had not used it for about six months before the attack. Because the software remained installed, the attacker was able to leverage it to gain remote access. The absence of monitoring or access controls can give attackers an easy way in.

Lack of Network Segmentation

The plant did not have appropriate network segmentation in place. As a result, a hacker who compromises one user in one department can move through other departments and deeper into the network.

These security gaps demonstrate how a few mistakes can have destructive consequences for cyber-physical systems.

The first alert, from security systems in Cloud Range’s simulation platform, demonstrates what a security team would receive. It shows that the system is being scanned, which reveals which IPs are publicly facing and which ports are open.

The second alert, from a live-fire simulation in Cloud Range’s cyber range environment, shows traffic destined for port 3389. That could indicate a team member remotely logging into that IP address, or an outsider trying to do so. Alerts like these indicate that something is happening that the security team needs to investigate.

Mitigations to Secure Critical Infrastructure

What can industrial control facilities do to prevent attacks? Here are vital security measures to implement and practice for enhanced cybersecurity resilience.

Keep Systems Updated

This hack exemplifies why regular patching and system upgrades are absolutely necessary. New malware is being discovered every month, so without updates, your antivirus does not know how to defend against newer attacks. Ensure antivirus software, spam filters, and firewalls are up to date, properly configured, and secure. It is also important to audit network configurations and isolate computer systems that cannot be updated. Prioritizing upgrades and patches, or allocating budget for extended vendor support, is a valuable investment.

Use Multi-Factor Authentication (MFA)

Humans are not always good at creating passwords, and even complex passwords are not enough by themselves. Multi-factor authentication provides an extra level of security to protect remote systems and Remote Desktop Protocol (RDP) credentials, requiring users to verify through a second step like a one-time code. For example, an ATM uses two-factor authentication because you have something physically with you (the ATM card) and a memorized PIN. Multi-factor combines something you have (a card, a phone), something you know (a password, an answer to a question), and/or something you are (a thumbprint or other biometric scan).

Monitor and Limit Remote Access

Audit your network for systems using the Remote Desktop Protocol (RDP), and close unused RDP ports. Apply MFA wherever possible, and log RDP login attempts. Use a virtual private network (VPN), and make sure users have to be on the VPN to access servers and systems remotely. Employ tiered levels of access so different users have levels of access specific to their roles, and ensure the access levels are monitored closely and disabled when not needed.

Additionally, require remote parties to receive confirmation from the host to gain any access other than “view only.” Doing so will ensure that, if an unauthorized party is able to connect via an app like TeamViewer, they will only see a locked screen and will not have keyboard control. Utilizing a “Block and Allow” list provides control over which TeamViewer users may request access to the system, and the list can be used to block users suspected of unauthorized access.
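The two alerts shown earlier (a port scan against a public-facing host, and traffic to port 3389) and the RDP auditing advice above can be turned into simple detection logic. The following is an added example, not code from the original post or from Cloud Range’s platform; it runs over constructed firewall log lines and assumes that legitimate remote users arrive from an assumed VPN address range (10.8.0.0/24).

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log lines (not from the original post).
# Format: timestamp,src_ip,dst_ip,dst_port,action
SAMPLE_LOG = """\
2021-02-05T13:00:01,10.8.0.12,192.0.2.10,3389,ALLOW
2021-02-05T13:00:05,198.51.100.77,192.0.2.10,22,DENY
2021-02-05T13:00:06,198.51.100.77,192.0.2.10,80,ALLOW
2021-02-05T13:00:06,198.51.100.77,192.0.2.10,443,ALLOW
2021-02-05T13:00:07,198.51.100.77,192.0.2.10,3389,ALLOW
2021-02-05T13:00:08,198.51.100.77,192.0.2.10,5900,DENY
2021-02-05T13:00:09,198.51.100.77,192.0.2.10,8080,DENY
2021-02-05T13:02:30,203.0.113.9,192.0.2.11,3389,ALLOW
"""

# Assumption: the VPN hands out addresses in this range; any other source is "outside".
VPN_RANGE = ipaddress.ip_network("10.8.0.0/24")
RDP_PORT = 3389
SCAN_THRESHOLD = 5  # distinct ports touched by one source on one host


def parse_log(text):
    """Parse the CSV-style lines into dicts with a typed source address and port."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, action = line.split(",")
        rows.append({"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
                     "port": int(port), "action": action})
    return rows


def rdp_from_outside_vpn(rows):
    """Allowed RDP (3389) connections whose source is not on the VPN range."""
    return [r for r in rows if r["port"] == RDP_PORT and r["action"] == "ALLOW"
            and r["src"] not in VPN_RANGE]


def probable_scanners(rows):
    """Sources touching many distinct ports on one host, whether allowed or denied."""
    ports = defaultdict(set)
    for r in rows:
        ports[(str(r["src"]), r["dst"])].add(r["port"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= SCAN_THRESHOLD}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for r in rdp_from_outside_vpn(rows):
        print(f"ALERT RDP from outside VPN: {r['src']} -> {r['dst']} at {r['ts']}")
    for (src, dst), hit in probable_scanners(rows).items():
        print(f"ALERT probable scan: {src} -> {dst} ports {hit}")
```

Denied connections still count toward the scan score, because a scanner that is mostly blocked is exactly the early signal the first alert above illustrates.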

Segment Networks

Network segmentation in industrial control systems is essential for enhancing security by isolating and containing cyber threats, improving system performance by managing traffic loads, and ensuring compliance with regulatory standards. Install independent cyber-physical safety systems to physically prevent dangerous conditions from occurring if the control system is compromised. Examples of cyber-physical safety system controls for water treatment plants include:

  • Size of the chemical pump

  • Size of the chemical reservoir

  • Gearing on valves

  • Pressure switches

This strategic approach not only simplifies network management and troubleshooting but also allows for more granular access control, significantly mitigating the risk of widespread disruptions and safeguarding critical operations in industrial environments.

Practice Ongoing Security Training

Ensure your security team stays aware of the latest cyberattacks and the corresponding tactics, techniques, and procedures. For example, while social engineering was not used in this attack, it is a common technique. Every member of your cybersecurity team – and in fact, the entire organization – should be trained to identify and report potential threats.

Security teams especially are the last line of defense and need ongoing training to thwart phishing attempts, ransomware tactics, and other cyber threats. The best way to do that is to have the team regularly and proactively practice working together to detect and remediate cyberattacks through team-based live-fire simulations on a cyber range.

Securing critical infrastructure against evolving cyber threats can be challenging, but it is crucial for organizations to take the necessary precautions and steps to train personnel and monitor interconnected networks to avoid breaches and manage potential exposure to cyber risk. By implementing proactive security measures and learning from the lessons of this attack, organizations can better safeguard their ICS networks and critical infrastructure from advanced cyber threats.