Most cybersecurity incidents to date have been primarily damaging from an intellectual property, financial and reputational perspective, making the recent attack on the Oldsmar water facility in Florida an atypical one. By leveraging the TeamViewer app to remotely access the facility’s systems, an unsophisticated attacker dialled up the water sodium hydroxide levels by more than 100 times – a hazardous level that could cause chemical burns if the water comes into contact with human skin.
Water is just one of many critical infrastructures becoming increasingly exposed to threat. Over the past year, we have seen organisations place more emphasis on threat detection for critical infrastructure services. In fact, cybersecurity spending in this area is expected to surpass US$105 billion this year, with Asia Pacific set for the highest growth in spending. This is largely attributed to the increased number of remote workers during the pandemic and the resulting need for remote-access applications such as TeamViewer, which in turn fuels the need to balance IT cybersecurity spend with industrial control systems (ICS) cybersecurity spend.
If an unsophisticated attacker with a few mouse clicks can start the process of poisoning our water supply, what risks do we face from highly skilled threat actors?
Getting inside the system
Oldsmar highlights the vulnerable state of far too many ICS installations. To put a framework around securing water treatment facilities, we need to focus on the process and start asking the right questions. How is the water filtered? What operational technology (OT) processes are being used? What are the risks posed to those processes? Working through the operational workflow can help prioritize the ‘crown jewels’ to protect.
Here are five steps to consider in protecting critical infrastructure from attack:
1. Secure remote access
Many Chief Information Security Officers are reportedly sacrificing security to enable remote work. This is a worrying sign, and deep changes need to be made to ensure that remote working remains sustainable and secure. This is especially pertinent for ICS networks, since the processes and controls for remote access are typically less mature than in enterprise networks, as was the case in the Oldsmar incident.
In fact, best practices necessary to secure remote access, such as incorporating a virtual private network (VPN) with multifactor authentication (MFA), endpoint protection, good password hygiene, network firewalls, and – most importantly – continuous monitoring of remote activity, were not implemented in the Oldsmar facility. With the right tools in place, security teams can quickly identify the kind of activity used in the attack before major disruption occurs.
2. Inventory all assets
It’s also important to inventory assets using passive traffic monitoring technology for increased visibility. This will help augment the cybersecurity posture of critical infrastructure operators in Asia Pacific, where few have full or even partial visibility of their OT assets.
Taking, and continuously updating, an inventory of all network assets enables security teams to achieve real-time network visibility into their devices, connections, communications, and protocols, to better monitor, identify, and troubleshoot networking issues that threaten reliability.
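The passive inventory described above can be illustrated with a small script. This is an added example, not code from the original article or from any vendor it mentions: it builds an asset list purely from observed flow records (no active scanning of the OT network), labels each asset with the application protocols it has been seen speaking, and then compares the result with an approved asset list and per-asset protocol allow-list. The flow records, IP addresses, asset names and allow-lists are all constructed for the example; the port-to-protocol mapping covers a few well-known industrial and remote-access ports and is deliberately minimal.

```python
"""Passive asset inventory from observed network flows (added example)."""
from dataclasses import dataclass, field

# Well-known ports used to label what each asset speaks. Minimal mapping for
# this example; production tooling identifies protocols by deep packet inspection.
PORT_PROTOCOLS = {
    502: "Modbus/TCP",
    44818: "EtherNet/IP",
    102: "S7comm",
    20000: "DNP3",
    3389: "RDP",
    5938: "TeamViewer",
    443: "HTTPS",
}


@dataclass
class Asset:
    ip: str
    protocols: set = field(default_factory=set)   # protocols observed
    talks_to: set = field(default_factory=set)    # peers observed
    first_seen: str = ""
    last_seen: str = ""


def parse_flow(line):
    """Parse one constructed flow record of the form 'ts src dst dport proto'."""
    ts, src, dst, dport, proto = line.split()
    return ts, src, dst, int(dport), proto


def build_inventory(flow_lines):
    """Record every IP seen as source or destination, the application
    protocols it was observed using, and the peers it communicated with."""
    inventory = {}
    for line in flow_lines:
        ts, src, dst, dport, _ = parse_flow(line)
        label = PORT_PROTOCOLS.get(dport, f"tcp/{dport}")
        for ip, peer in ((src, dst), (dst, src)):
            asset = inventory.setdefault(ip, Asset(ip=ip, first_seen=ts))
            asset.protocols.add(label)
            asset.talks_to.add(peer)
            asset.last_seen = ts
    return inventory


def find_unexpected(inventory, known_assets, allowed_protocols):
    """Return (ip, finding, details) for assets not on the approved list and
    for approved assets speaking a protocol outside their allow-list."""
    findings = []
    for ip, asset in sorted(inventory.items()):
        if ip not in known_assets:
            findings.append((ip, "unknown asset", sorted(asset.protocols)))
            continue
        extra = asset.protocols - allowed_protocols.get(ip, set())
        if extra:
            findings.append((ip, "unexpected protocol", sorted(extra)))
    return findings


# Constructed flow records: an HMI and an engineering workstation polling a
# PLC over Modbus, the HMI reaching an external TeamViewer relay, and an
# unapproved host also talking Modbus to the PLC.
SAMPLE_FLOWS = [
    "2021-01-01T08:00:01 10.0.1.10 10.0.1.20 502 tcp",
    "2021-01-01T08:00:02 10.0.1.11 10.0.1.20 502 tcp",
    "2021-01-01T08:05:00 10.0.1.10 198.51.100.7 5938 tcp",
    "2021-01-01T08:07:30 10.0.1.77 10.0.1.20 502 tcp",
]

# Constructed approved-asset list and per-asset protocol allow-list.
KNOWN_ASSETS = {"10.0.1.10", "10.0.1.11", "10.0.1.20"}
ALLOWED_PROTOCOLS = {
    "10.0.1.10": {"Modbus/TCP"},
    "10.0.1.11": {"Modbus/TCP"},
    "10.0.1.20": {"Modbus/TCP"},
}

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS)
    for ip, a in sorted(inv.items()):
        print(ip, sorted(a.protocols), "peers:", sorted(a.talks_to))
    for finding in find_unexpected(inv, KNOWN_ASSETS, ALLOWED_PROTOCOLS):
        print("FINDING:", finding)
```

Run against the constructed flows, the inventory surfaces three things a plant team would want to see: the HMI using a remote-access protocol it is not approved for, an unlisted host on the control network speaking Modbus to the PLC, and an external address that the HMI has contacted. Because the inventory is rebuilt from traffic on every run, each of these appears as soon as the first flow is observed rather than at the next manual audit.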
3. Identify and patch vulnerabilities
Frustratingly, most devices aren’t designed for the level of security required in a critical infrastructure environment. Many devices lack basic authentication, encryption and other security standards applied in IT. Hackers all too often exploit well-known, but unpatched, vulnerabilities.
Using end-of-life software, such as the Windows 7 systems found on Oldsmar’s network, is risky. All too often we see legacy, unsupported operating systems in use, for which more than 34% of vulnerabilities have no vendor fix. There are tools available, such as the National Vulnerability Database (NVD) in the US, which organisations in Asia Pacific can leverage to determine the risk profile of devices, and to prioritize and recommend firmware updates as required.
4. Monitor for anomalies in processes and controls
It is not enough to only monitor for malware in ICS environments. Understanding and monitoring the actual industrial process tags and variables enables plant managers to identify anomalies that may impact production. Some will be the result of cyberattacks; others will stem from misconfigurations or equipment in need of service. Automated network anomaly detection uses artificial intelligence (AI) to run detection against the real parameters used to control industrial processes. This helps with both cyber protection and operational optimisation.
For example, if a pump is rated to spin at 100 rotations per minute, it is most likely unsafe to run it above that. We can’t necessarily rely on human intervention to prevent this limit from being exceeded. Hence, engineers program the human-machine interface (HMI) to prevent operators from entering invalid inputs or introducing unsafe conditions.
By monitoring the process itself, security teams can significantly reduce this risk, whether it arises from error, negligence or compromised insiders. In the case of Oldsmar, the threat actor compromised the graphical user interface to increase the levels of sodium hydroxide added to the water. Had anomaly detection been applied, the attack would have been quickly detected and blocked without issue.
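The two layers described above, an HMI that rejects invalid inputs and a monitor that watches the process variables themselves, can be shown in a few dozen lines. This is an added example and not code from the original article or from any product it refers to. It takes a stream of tag readings, checks each against an engineered operating range (the pump's rated 100 rpm is reused from the text), and additionally flags a setpoint that jumps by a large factor between consecutive samples, which is the shape of change the article describes for the sodium hydroxide dose. The tag names, limits, step-ratio threshold and readings are all constructed for the example; in a real plant the limits would come from the process engineers, not from the security team.

```python
"""Process-variable anomaly detection over ICS tag readings (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TagLimits:
    low: float             # engineered minimum for the tag
    high: float            # engineered maximum (e.g. a pump's rated speed)
    max_step_ratio: float  # largest change between consecutive samples tolerated


# Constructed limits for this example. The 100 rpm figure reuses the article's
# pump example; the dose setpoint range and step ratio are illustrative only.
LIMITS = {
    "pump1.rpm": TagLimits(low=0.0, high=100.0, max_step_ratio=2.0),
    "naoh.dose_setpoint": TagLimits(low=0.0, high=5.0, max_step_ratio=2.0),
}


def hmi_accepts(tag, value, limits=LIMITS):
    """First layer: the HMI-side input guard. An operator entry is accepted
    only if the tag is known and the value lies inside its engineered range."""
    lim = limits.get(tag)
    return lim is not None and lim.low <= value <= lim.high


def parse_reading(line):
    """Parse one constructed reading of the form 'ts tag value'."""
    ts, tag, value = line.split()
    return ts, tag, float(value)


def detect_anomalies(lines, limits=LIMITS):
    """Second layer: monitor the process variables independently of the HMI.
    Returns (ts, tag, finding, detail) for readings outside their engineered
    range, readings that change too fast relative to the previous sample of
    the same tag, and readings for tags that nobody has configured limits for."""
    last = {}
    alerts = []
    for line in lines:
        ts, tag, value = parse_reading(line)
        lim = limits.get(tag)
        if lim is None:
            alerts.append((ts, tag, "unknown tag", value))
            continue
        if not lim.low <= value <= lim.high:
            alerts.append((ts, tag, "out of range", value))
        prev = last.get(tag)
        if prev is not None and prev > 0 and value > 0:
            ratio = max(value / prev, prev / value)   # symmetric: up or down
            if ratio > lim.max_step_ratio:
                alerts.append((ts, tag, "step change", round(ratio, 1)))
        last[tag] = value
    return alerts


# Constructed readings: normal operation for two samples, then the pump driven
# past its rating and the dose setpoint raised by more than 100 times, followed
# by a tag that has no configured limits.
SAMPLE_READINGS = [
    "2021-01-01T08:00:00 pump1.rpm 80",
    "2021-01-01T08:00:00 naoh.dose_setpoint 1.0",
    "2021-01-01T08:01:00 pump1.rpm 85",
    "2021-01-01T08:01:00 naoh.dose_setpoint 1.0",
    "2021-01-01T08:02:00 pump1.rpm 120",
    "2021-01-01T08:02:00 naoh.dose_setpoint 110.0",
    "2021-01-01T08:03:00 tank3.level 40",
]

if __name__ == "__main__":
    print("HMI accepts 110.0 for dose setpoint:", hmi_accepts("naoh.dose_setpoint", 110.0))
    for alert in detect_anomalies(SAMPLE_READINGS):
        print("ALERT:", alert)
```

The point of keeping the two checks separate is that the HMI guard only protects against entries made through the HMI; a setpoint written by another path, as the article says happened at Oldsmar through a compromised interface, is caught only by the monitor, which reads the process values rather than trusting the interface that set them. The step-ratio check fires even when a tag's range is set generously, because a dose that changes by more than a hundredfold in one sample is suspicious regardless of the absolute limit.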
5. Integrate ICS and IT network security
OT brings an understanding of how to meet production targets and keep the plant running safely, while IT can address the networking and cyber issues unfamiliar to ICS staff. When the two work in tandem, operational resiliency increases.
Unfortunately, security is still too heavily focused on IT, and not enough on OT, undermining the entire security posture of the organisation. It’s time the pair collaborated better to reduce blind spots and risks around increasingly connected ICS. This will only grow in importance as IT and OT continue to converge across Asia Pacific.
Asia Pacific’s critical infrastructure and industrial facilities are essential for protecting citizens and driving economic recovery, but that makes them even bigger targets for threat actors and nation-state attackers. We need to heed the threat unveiled by Oldsmar and become better equipped and create a roadmap towards operational resiliency.