Securing critical infrastructure – Florida Water Plant Attack
Access to clean water is a critical part of day-to-day life. World Health Organization (WHO) reports that around 2.1 billion people lack safe drinking water within their homes. Around twice as many lack the sanitation systems to purify or filter water.
Last year February, a breach was made within the Water Treatment Plant in Oldsmar, Florida, where hackers gained access to the operational technology system of the water plant. The attackers attempted to poison the water or make it undrinkable by increasing the amount of sodium hydroxide (NaOH). The attack aimed to increase NaOH from 100 parts per million(ppm) to 11,100 ppm. This would undoubtedly irritate anyone who would apply the water on their skin or eyes. If swallowed, it could cause damage to the throat and stomach, inducing vomiting or causing nausea or diarrhea.
The Biden-Harris Administration has set new expansion for the public-private cybersecurity water sector and additional steps to safeguard critical infrastructure with the recent unraveling events. The new expansion focuses on outlining surge actions over 100 days to improve cybersecurity. The plan was developed with the help Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the Water Sector Coordinating Council (WSCC) and focused to assisting critical infrastructures with monitoring and providing real-time situational awareness systems.
Operational Technolgy and Critical Infrastructure
The complexity of Operational Technology (OT) has been evolving, adapting to new dynamics and IT applications. We now see compatibility with OT infrastructure and less air-gapped networks. Though they are still in use, the connected IT components require remote access to vital system assets. Additionally, safeguarding privileged accounts and access to applications or critical system resources play a significant role in keeping the critical infrastructure running.
The interconnectivity within OT infrastructure brings forth many elements that must be actively monitored and controlled. With the addition of new regulations, many of the operating or troubleshooting sceneries occur via a remote connection. We see a correlation in the rise of attacks for these industrial sectors operating on online systems. These online systems and their access must be categorized as privileged points to combat the risks involved.
Authorized and authenticated access to these privileged points requires a management process to help to identify what kind of user roles can gain access and how widespread are their permissions, i.e., system operators, maintenance engineers, third-party contractors, or even system integrators. Such roles will be required to connect to these control systems remotely. The SANS 2021 Survey on OT/ICS Cybersecurity reported that around 37% of external remote services were initial attack vectors within OT and control system incidents. Followed by the exploitation of public-facing applications (32.7%) and internet-accessible devices(28.6%).
It is crucial to consider each vendor and employee with remote access as privileged accounts. Each remote access connection must be secure and contain appropriate access rights before connecting. However, there are many security practices used within critical infrastructures that propose more risks:
– Admin credential sharing within SCADA or critical infrastructure systems.
– Enabling “always-on” access to third parties.
– Weak credential security – storage, management, and distribution of passwords.
– Same password usage over multiple components/accounts.
– Access rights to users without a need-to-know basis or rarely used to access.
– Unrestricted access to resources.
– Unsecured systems connected to the internet – weak air-gapping system.
– Outdated system and software.
Because such measures are still practiced today, scenarios such as the Florida Water Plant attack can occur more frequently, exposing vulnerabilities and poor practices within these critical infrastructures. In the case of the water plant, the attacker possessed the username and password of former employees and could remotely connect to the water plants network. Gaining access to vital system components that could regulate the NaOH levels of water.
By adopting a Zero Trust framework within their integrated systems, critical infrastructures can help reduce the risk associated with poor security practices. Industrial control systems require access management strategies and secure remote access policies to protect their critical resources. Former or ghost accounts must be quarantined and disbanded from critical access components. Additionally, administrators should contain approval factors, i.e., four eye authentication methods, to most vital resources, that require two admin approvals before any access can be granted. Furthermore, if critical infrastructures require remote access by third-party contractors, Just-In-Time access should be appointed to specifically targeted assets with admin supervision and account policies set.
Though implementing a Zero Trust framework can be overwhelming, they are already set tools that can be implemented within your network to ease the process and offer out-of-the-box solutions without the burden of complex deployment. However, the need of great cybersecurity individuals is always on the rise. As the dynamic nature of cybersecurity and threats flourishes, so do our best practices to keep us safe!