As the focus on critical infrastructure appears to be intensifying, news has surfaced of an apparent attack on the San Francisco Bay water supply.
NBC News first reported that the unidentified hacker used the username and password of a former plant employee to gain access to the unidentified Bay Area water treatment facility on January 15. While confirming the intrusion, Michael Sena, executive director of the Northern California Regional Intelligence Center, denied that any threat to public safety existed.
Either way, the latest incident should serve as both a lesson and a warning for those responsible for managing and protecting infrastructure.
The consequences of a data breach can vary widely depending on the intent of the adversary, said Bill O’Neill, vice president, public sector at ThycoticCentrify, in a statement. “Some hackers just aim to cause disruption. Others extract valuable personal information for sale on the Dark Web, while others seek to extort money due to ransomware. When a cyber attack is attempted on critical infrastructure such as hospitals, power grids or water supply systems, the potential repercussions can affect thousands of people just like you and me. It can be devastating, even fatal,” O’Neill said. “In fact, the 2020 Global State of Industrial Cybersecurity report found that 74% of IT security professionals are more concerned about a cyber attack on critical infrastructure than about a corporate data breach.”
According to O’Neill, the Oldsmar water treatment plant incident and the new attack on the Bay Area water supply should serve as an urgent reminder to organizations to take precautionary measures before a cyberattack occurs.
“To help lock down critical systems, we suggest enforcing least privilege and adopting what is called a zero trust approach. It means not trusting anyone until they have been properly verified and validated, thereby restoring trust,” he said. “With self-service workflows, administrators can request elevated privileges just in time for a limited amount of time. This approach of checking who is requesting access, the context of the request, and the risk of the access environment all combine to mitigate the risk of breach.”
Critical National Infrastructure (CNI) tops the list of targets for adversaries, given the impact if successful – even in part, added Sam Humphries, security strategist at Exabeam. “The need to understand and set the normal in terms of access to critical assets/systems is absolutely essential to protect critical infrastructure. Whether the systems in Operational Technology (OT) environments are idle or not, if there is a digital route to the system, then it is in danger,” Humphries said in a statement. “We need to make sure that we are monitoring OT systems much more diligently by capturing all viable log data in terms of access control, system settings and maintenance. Any anomaly, regardless of its size, must be investigated, sorted and managed accordingly. Relying solely on users for the protection of our CNI systems does not (and will not) evolve.”
According to Humphries, working smarter with automation technologies to handle large volumes of data flows, analyzing them for anomalies, and reporting risks in real time, is the only way forward for CNI protection. “This, in partnership with continuing education of users to exercise due diligence and apply critical thinking analysis to system activity reports, is essential,” he said.
According to Chris Grove, Technology Evangelist at Nozomi Networks, a specialist in critical infrastructure security, while keeping an eye on major events is important, we also need to avoid sensational headlines meant to instill fear. Some headlines take the act of removing code and leap straight to a mass poisoning attempt. Even the plant operator pointed this out: there was no attempt to poison the water supply.
“That said, it is a stark reminder of the insecurity of our country’s water supply facilities. The circumstances surrounding this event show a lack of 2-factor authentication, password procedures, surveillance and other defenses. Many facilities are in the same situation – same remote access issues, same password issues and same underfunded and understaffed cybersecurity advocates,” Grove said in a press release. “By securing remote access and monitoring anomalies in key processes, security teams can quickly identify unusual activity, such as an unusually high number of remote connections, the use of unusual protocols in those connections and the atypical behavior of the remote user, before operations are really disturbed.”
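The monitoring that Humphries and Grove describe above (establishing what normal remote access looks like, then flagging deviations such as a former employee's account logging in, a burst of remote connections, or a protocol a user has never used) can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from the article or from any of the vendors quoted in it. The log format, user names, addresses and the list of former employees are all constructed for the example, and the thresholds are assumptions a real deployment would tune.

```python
"""Baseline-and-anomaly detector for remote-access login logs (added example).

Constructed log line format (assumed for this example):
    <ISO-8601 timestamp> <user> <protocol> <source-ip>
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed: accounts of former employees that should have been disabled.
FORMER_EMPLOYEES = {"jdoe"}

# Constructed "normal" period used to learn each user's usual behaviour.
BASELINE_LOG = """\
2021-01-04T08:02:11 alice vpn 10.0.5.21
2021-01-04T09:15:40 bob teamviewer 10.0.5.30
2021-01-05T08:05:02 alice vpn 10.0.5.21
2021-01-05T17:40:19 bob teamviewer 10.0.5.30
2021-01-06T08:01:55 alice vpn 10.0.5.21
2021-01-06T10:22:03 bob teamviewer 10.0.5.30
"""

# Constructed period under review: a login by a former employee's account,
# a burst of logins from alice, and bob using a protocol he never used before.
REVIEW_LOG = """\
2021-01-15T02:11:07 jdoe teamviewer 203.0.113.45
2021-01-15T02:13:51 alice vpn 10.0.5.21
2021-01-15T02:14:20 alice vpn 10.0.5.21
2021-01-15T02:15:02 alice vpn 10.0.5.21
2021-01-15T02:15:40 alice vpn 10.0.5.21
2021-01-15T02:16:09 alice vpn 10.0.5.21
2021-01-15T03:30:00 bob ssh 10.0.5.30
"""


def parse(text):
    """Turn raw log text into a list of event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, proto, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "proto": proto, "src": src})
    return events


def build_baseline(events):
    """Learn, per user, the set of protocols seen and the busiest day's login count."""
    protocols = defaultdict(set)
    daily = defaultdict(Counter)  # user -> Counter(date -> number of logins)
    for e in events:
        protocols[e["user"]].add(e["proto"])
        daily[e["user"]][e["ts"].date()] += 1
    max_daily = {u: max(c.values()) for u, c in daily.items()}
    return {"protocols": dict(protocols), "max_daily": max_daily}


def detect(events, baseline, former=FORMER_EMPLOYEES, burst_factor=3):
    """Return (timestamp, user, kind, detail) alerts for the reviewed events.

    Kinds raised: former-employee-login, no-baseline (user never seen before),
    unusual-protocol, connection-burst (more than burst_factor x the user's
    busiest baseline day).
    """
    alerts = []
    daily = defaultdict(Counter)
    for e in events:
        user, proto = e["user"], e["proto"]
        known = baseline["protocols"].get(user)
        if user in former:
            alerts.append((e["ts"], user, "former-employee-login",
                           f"{proto} from {e['src']}"))
        elif known is None:
            alerts.append((e["ts"], user, "no-baseline", proto))
        elif proto not in known:
            alerts.append((e["ts"], user, "unusual-protocol", proto))
        daily[user][e["ts"].date()] += 1
    for user, counts in daily.items():
        normal = baseline["max_daily"].get(user, 0)
        for day, n in counts.items():
            if n > burst_factor * max(normal, 1):
                alerts.append((datetime.combine(day, datetime.min.time()), user,
                               "connection-burst",
                               f"{n} logins vs baseline max {normal}"))
    return sorted(alerts)


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for ts, user, kind, detail in detect(parse(REVIEW_LOG), base):
        print(f"{ts.isoformat()} {user:6} {kind:22} {detail}")
```

The per-user baseline is the point: a login by `jdoe` is an alert purely because that account is on the former-employee list, regardless of how "normal" the TeamViewer session otherwise looks, which is the control the article says was missing. The burst and protocol checks only make sense once a normal period has been recorded, so a user with no history is surfaced separately rather than silently passed.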
“The breach that gave attackers access to the Bay Area water treatment plant is just the latest attack on the country’s critical food, utility and energy infrastructure. Similar to the recent attacks on water treatment plants in Florida and Pennsylvania, it is fortunate that no citizen appears to have been in danger,” said Neil Jones, cybersecurity evangelist, Egnyte, in a statement. “In this case, the attacker managed to gain access to the TeamViewer account of a former staff member, an account that allows employees to remotely access their computers. Such remote access technology is essential to the mission of a water treatment plant that must operate 24 hours a day, 7 days a week, 365 days a year.”
Unfortunately, far too often we find that there are methods and tools used that do not meet the security and control needs of municipal organizations, Jones explained. “Safety is more than a checklist, and recent reports indicate that one in 10 waste or sewage treatment plants has a critical safety vulnerability. The best solutions fit into a broader sense of governance, but still make it easy to share files with anyone without compromising security and control,” he said.
“The reality is that all data is vulnerable without the proper data governance and password management techniques, and it is imperative that organizations protect the data itself, not just the technical infrastructure around it. This type of security incident happens on a regular basis, especially now that many of us are working in decentralized teams,” Jones said. “If secure file collaboration tools are implemented correctly, they can make cybercriminal attacks unnecessary. Used in a case like this where adversaries could infiltrate the network, the files themselves would be inaccessible to outsiders and crucial public systems would remain safe.”