Water Plant Infrastructure Hackers Go Kinetic

The reported hack of a water processing plant in Oldsmar, Florida, has raised alarms about the security of critical infrastructure IT systems and their vulnerabilities. But for those more familiar with the security processes of these local systems, this is nothing new. Malicious hackers, particularly state-sponsored groups and cyberterrorists, have been trying for a while to access the systems of key infrastructure, such as power plants, dams and industrial sites, to create chaos or to take control during a cyberwar.

And they have had some success, mostly overseas, so far. In 2016, a power plant in Ukraine was shut down by hackers using specially designed malware called “Industroyer.” Similarly designed malware, “Triton,” infected and shut down a refinery in Saudi Arabia while attempting to cause a disaster at the plant. 

In the good old days (10 to 20 years ago), most of these systems were not available online. Any electronic systems used for controls were generally directly connected and isolated from networks, or “air gapped.” However, in the age of outsourcing, remote workforces, cost-saving technologies and analytics, many of these systems have slowly become more connected, often without the security needed to keep them safe. Most of them still aren’t directly connected to the internet, but it is not hard to find public utility systems that are indirectly connected or, in the case of the Oldsmar event, directly connected with no firewall. For those with firewalls or segmented networks, skilled hackers can often skip over these protections. Even air-gapped networks can be circumvented – for skilled hackers using physical media like USB drives or social engineering, it’s as easy as jumping over a puddle.

Vendors’ Network Access Increases Your Risk

This lack of the proper protections for critical infrastructure dramatically increases the risk of real-world effects from cyberattacks; it is known as “going kinetic.” Having your identity stolen or credit card number breached is annoying and potentially financially draining, but having your water supply contaminated or your power knocked out during a cold winter can be life-threatening. And that’s without considering the possibility of truly evil hackers causing industrial accidents, which could bring death and destruction to a large area. The fictional accounts of Bond-villain-style hackers turning our devices and infrastructure against us are closer to becoming reality. It’s only a matter of time before a major physical disaster is precipitated by electronic means.

Securing this infrastructure for internal users is hard enough, but when you add third-party users and technology to the mix, it becomes almost impossible for small towns and local utilities. As evidenced by the recent SolarWinds super breach, blindly trusting a software or hardware vendor’s security can often lead to a breach. The compromise of SolarWinds’ software left over 18,000 customers, both government and enterprise, with infected software at the core of their networks.

And when it comes to local systems, the issue is exacerbated by poor IT security. Small municipal utility districts, court systems and law enforcement organizations often do not have the IT resources to properly support or secure their systems. Some even outsource these functions altogether, due to the lack of talent in rural areas. And as the 2019 simultaneous mass ransomware attack on 23 small towns in Texas showed, if that vendor’s security fails, your security fails. In both the Texas and the water plant cases, the vulnerability was in third-party remote access software that the organizations used. In the case of the Oldsmar plant, they used TeamViewer software on a publicly accessible IP address. Additionally, they were using a shared password for the service and running it on obsolete versions of Windows. All these factors combined put the local water system controls in the hands of a malicious hacker, who increased the amount of sodium hydroxide added to the water to 100 times the normal level. This could have caused major health issues in the population if a vigilant operator hadn’t noticed the change and corrected it before it took effect. We may not be as lucky next time.
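The Oldsmar change was caught by an operator who happened to be watching; the same check can be automated. The following is an added example (not code from the article or from any plant vendor) that scans constructed HMI setpoint-audit lines and flags a change that leaves the engineering limits or jumps by a large factor, recording which session made it so remote changes stand out. The log format, tag names, limits and sample values are all assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Engineering limits per control tag (assumed values for illustration; a real
# plant takes these from its process engineers). Units are what the HMI shows.
LIMITS = {
    "NAOH_DOSE_PPM": (50.0, 150.0),  # sodium hydroxide feed window
    "CL2_DOSE_PPM": (0.5, 4.0),      # chlorine feed window
}
MAX_RATIO = 3.0  # a jump above this factor is suspicious even inside limits

# Assumed audit-line format (constructed, not any vendor's real format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
    r"tag=(?P<tag>\S+) old=(?P<old>[\d.]+) new=(?P<new>[\d.]+)$"
)

@dataclass
class Alert:
    ts: str
    tag: str
    session: str  # which session made the change, so remote ones stand out
    reason: str

def check_line(line: str) -> Optional[Alert]:
    # Return an Alert if this setpoint change breaks a limit or jumps too far.
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed line; a real pipeline would count and report these
    tag, old, new = m["tag"], float(m["old"]), float(m["new"])
    lo, hi = LIMITS.get(tag, (float("-inf"), float("inf")))
    if not lo <= new <= hi:
        return Alert(m["ts"], tag, m["session"], f"new value {new} outside [{lo}, {hi}]")
    if old > 0 and new / old > MAX_RATIO:
        return Alert(m["ts"], tag, m["session"], f"jump x{new / old:.1f} in one change")
    return None

def scan(lines: List[str]) -> List[Alert]:
    return [a for a in (check_line(l) for l in lines) if a is not None]

# Constructed sample log: a routine console change, a 100x increase made over
# a remote session, and an in-range but abrupt jump.
SAMPLE_LOG = [
    "2021-01-01T08:00:00Z session=console user=op1 tag=NAOH_DOSE_PPM old=100 new=105",
    "2021-01-01T13:30:00Z session=remote user=shared tag=NAOH_DOSE_PPM old=100 new=10000",
    "2021-01-01T13:31:00Z session=remote user=shared tag=CL2_DOSE_PPM old=0.5 new=3.9",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.tag} via {a.session}: {a.reason}")
```

Such a check belongs on a host the remote-access session cannot reach, otherwise whoever holds the shared password can silence it along with the setpoint.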

How to Protect your Network from Going Kinetic

Given that hackers will keep trying after this success, we must improve the security of these environments dramatically. First of all, these utilities must be more careful about their remote access software. General-purpose platforms like VPNs are not a good idea. Additional layers of controls and technology are required. In many cases, these small organizations use specialized software developed by mom-and-pop shops that may not have the resources to write secure software, or to maintain it. We need to make sure the vendors they use are properly vetted and secure.

Finally, there should be some standards for local critical infrastructure entities like these water plants. These standards should be verified by third-party audits, much like credit card companies require even small retailers to pass PCI-DSS scans and audits. We should be paying at least as much attention to these critical institutions as we do to our credit cards and financial bottom line. Because, in the end, hackers may find it more profitable and impactful to hack the former, rather than the latter.

Security Boulevard

Tony Howlett

Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds the CISSP, GNSA certifications, and a B.B.A in Management Information Systems. Tony is currently the CISO of SecureLink, a vendor privileged access management company based in Austin.
