Passwords a Threat to Public Infrastructure

With this year’s World Password Day upon us, it’s high time to take a good look at the critical infrastructure sector and the password-related security vulnerabilities that are in dire need of an update. While modern utility systems become increasingly digitally connected, cybercriminals and the threat landscape are also growing in sophistication.

While the Biden administration recently outlined plans to bolster the cybersecurity of critical utilities around the U.S. against potentially devastating takedowns, traditional password-based authentication remains a huge threat that the public-private industrial complex must address to better protect the industrial control systems (ICS) upon which society depends.

Modernizing industrial systems and critical infrastructure—water, gas, electricity, communication, etc.—has been crucial to improving quality of life, reducing waste and costs, streamlining operations, and increasing productivity. But it is also exposing us to completely new types of threats from cybercriminals and state-backed actors. In addition to stealing data and spying, malicious actors now have ways to do real damage in the physical world and inflict pain on whole populations.

One of the most recent eye-opening threats was February’s thwarted attempt to disrupt the level of sodium hydroxide in the water supplies in a small Florida city, threatening the health of its 15,000 citizens. The attempt was not carried out by armed attackers trying to break into the water purification facilities—it was the work of hackers accessing the online systems through the internet. The incident drew politicians’ attention to the security of critical infrastructure. Marco Rubio tweeted:

The Florida incident is just one of several examples of industrial control systems getting hacked. Perhaps the best-known example is the power blackout in Ukraine, allegedly instigated by Russian hackers. Another attack on the water systems of Israel, this time attributed to Iran-backed hackers, was foiled in June last year.

In some cases, industrial control systems become the beachhead for other types of attacks. This was the case of mega-retailer Target, which was breached in 2013 through a security hole in its HVAC system. Attackers used the foothold to gain access to the company’s network and devices and eventually steal the credit card information of more than 40 million customers.

Our critical infrastructure is becoming increasingly vulnerable to security threats, and mitigating these threats should be a top priority for any organization handling industrial control systems. But where to start?

Blockbuster movies and dystopian narratives often portray hackers as using very sophisticated methods and leveraging zero-day vulnerabilities to compromise industrial control systems. But the reality is that, like most other people, hackers are a lazy bunch. They go for the low-hanging fruit and prefer to try simple methods first. And to their credit, their tactic pays off. In fact, many security incidents happen not because the attackers are very sophisticated but because the victims are very negligent.

According to a 2018 assessment by FireEye, most of the top 20 security attacks against industrial control systems were either triggered or facilitated by credential theft. This could be a disgruntled insider “shoulder surfing” other employees and stealing their passwords to later abuse their administrative privileges, a phishing attack that tricks an employee into revealing their password to remote hackers, or even simpler, a weak password that can be guessed or cracked through brute force attacks.

Case in point: the Ukrainian power outage incident, which left 200,000 people without electricity in the depths of winter, started when attackers stole remote IT passwords through a phishing attack. In another incident, attackers used social engineering techniques to gain access to the local Wi-Fi network of a target plant and used their access to compromise ICS systems and cause plant shutdowns. And in the Target incident, the attackers stole the HVAC provider’s network credentials to eventually gain access to credit card information.

When you examine these and other similar cases, there are several recurring patterns. First, every attack is unique. Every industrial control system has its own unique combination of device types, software, network structure and other physical and digital elements. This makes it hard for hackers to develop a systematic way to attack them. But the one thing that is present in all ICS networks is usernames and passwords. Whether it’s a remote desktop service, a network management tool, a Wi-Fi hotspot or a mobile device management system, attackers will find one gateway that is controlled through username and password authentication. From there, they will find their victims – users who are not careful enough to protect their passwords – and target them with phishing attacks. If they’re lucky enough, the IT team used one of several very weak passwords such as “12345” or “passw0rd” to protect network access or an administrator account. Once the hackers gain their foothold in the network, the rest is fairly simple – they will be interacting with the ICS devices as any inside user would.

If you want to secure your internet-connected industrial control systems, you should start by addressing the most vulnerable components: usernames and passwords. As long as you’re basing the security of your critical infrastructure on operators typing in usernames and passwords, it will only be a matter of time before a malicious actor gains access to your ICS network. That is why we’re calling it a ticking time bomb waiting to explode.

Fortunately, the passwordless authentication sector has come a long way in the past few years, and whether your operators are using Windows and Linux terminals, SSH gateways or mobile applications, they should be able to access your networks without the need to remember and type passwords. An enterprise-grade solution lets organizations replace their current password-based authentication with passwordless authentication without a lengthy and costly transition.

The first step to defuse the ICS time bomb is to get rid of passwords. And it’s never too soon to get started.


Raz Rafaeli

Raz Rafaeli is the CEO and co-founder of Secret Double Octopus, a leader in passwordless authentication for the enterprise. Rafaeli has more than 20 years of leadership experience in the security, networking and enterprise software industries as well as an M.Sc. in Computer Science from the Technion Institute of Technology.
