For years, industrial cybersecurity experts have warned of the dangers facing critical infrastructure. Last week, those hypothetical risks became real when a hacker broke into a Florida water treatment plant.
The hacker gained control of a computer system at the facility and was able to order the system to increase the amount of lye in the water to dangerous levels.
“Yesterday’s hack of the Oldsmar, Florida water treatment plant again highlights the importance of maintaining critical infrastructure with a virtual air-gap (being off the network) from remote access,” says Gary Kinghorn, marketing director at cybersecurity company Tempered Networks. “These systems should not be reachable by unauthorized attackers because of the sophistication of modern penetration tools and the complexity of these systems to make them completely free of vulnerabilities.”
The cyber attack was discovered on February 5 by an operator at the Florida water treatment plant who detected remote access on the computer system he was monitoring. Computer systems at the plant were set up to allow remote access to certain authorized users.
“Traditional firewalls and other remote access or VPN solutions are proving inadequate against these threats,” Kinghorn says. “We need to block any unauthorized access from ever reaching these critical and life maintaining systems while still allowing authorized, fully identified users remote access through secure tunnels using military-grade encryption. We have many such water districts using our solution for just these types of scenarios.”
Remote access has increased in industrial environments in the months since the COVID-19 pandemic first forced many employees around the globe to work remotely. According to a report by Forrester, this shift to remote work has led to an increase in risk with 83 percent of survey respondents reporting that the rise in remote workers increases the risk of a security incident.
“In the rush to support remote operations during the global pandemic, there are very likely many organizations who have increased remote access to industrial engineering workstations and operator consoles,” says Eddie Habibi, founder at cybersecurity company PAS, now part of Hexagon. “Fortunately, in this case, there was a vigilant operator who noticed the 111x increase in the chemical (from 100ppm to 11,100ppm) and was able to take quick corrective action to return the configuration setting to its prior level. While industrial espionage remains a significant threat (not all cyber attacks are focused on disruption), the worst fears of many in the OT cybersecurity community were realized in this episode; namely, changing a configuration setting to harm the community served by the facility.”
Industrial Cyber talked to Habibi about the significance of the Florida attack and its wider implications for industrial environments and remote access.
“It highlights how more investment is needed in securing critical infrastructure,” Habibi says. “It can often be difficult for budget and resource-constrained organizations, such as local municipalities, to create the sense of urgency needed for more investment. (Perhaps there is a silver lining here that the Oldsmar attack may help to create that greater sense of urgency). At the same time, large global organizations with distributed responsibilities across sites can also struggle with implementing effective OT cybersecurity due to insufficient investment, regional autonomy, and the perceived impact to production operations. This is an area where the government can play a greater role in supporting increased training and software investment support.”
In October, PAS released a survey looking at the degree of OT cybersecurity risk for several potential threats. According to the report, respondents ranked remote work as the fourth-highest risk area.
“In the first few months of the pandemic shutdown, the focus was on sustaining business operations in the face of an unprecedented situation,” Habibi says. “Many organizations have not gone back to revisit the remote access they granted in the Spring of 2020 to ensure they are following good practices such as least privilege access, multi-factor authentication, and re-evaluating the risk of direct access to machines that are able to make configuration changes.
“You cannot secure what you do not have visibility to.”
Habibi says an up-to-date asset inventory and risk-based remote access management policies are critical because they reduce risk and enable faster recovery in the event of an unauthorized change. Industrial organizations should be working to build and maintain a detailed and accurate OT asset inventory as the foundation for their cybersecurity risk assessment. A broad asset inventory should include relationships and dependencies among OT systems and a baseline of configuration settings. Habibi says this enables organizations to more effectively assign and limit remote access at both the system and account levels.
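The baseline check Habibi describes, as an added example that is not code from the article or from PAS/Hexagon: a constructed configuration baseline for a hypothetical dosing controller ("PLC-DOSE-01"), with parameter names and tolerances that are assumptions, compared against a constructed snapshot in which the sodium hydroxide setpoint has been pushed from 100 ppm to 11,100 ppm. Deviations outside each parameter's tolerance band come back as findings that carry the baseline value to restore.

```python
"""Baseline-vs-current configuration check for an OT controller.

Added example; the asset id, parameter names, tolerances and both
snapshots are constructed for illustration, not taken from any plant.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Parameter:
    """One configurable setting and the drift (percent) treated as benign."""
    name: str
    baseline: float
    unit: str
    tolerance_pct: float = 0.0  # 0 means any change at all is reportable


@dataclass
class Finding:
    asset: str
    parameter: str
    baseline: float
    observed: float
    unit: str
    factor: float      # observed / baseline, e.g. 111.0 for 100 -> 11,100
    restore_to: float  # the known-good value to put back


# Constructed baseline, the "known-good" configuration for one asset.
BASELINE = {
    "PLC-DOSE-01": [
        Parameter("naoh_setpoint_ppm", 100.0, "ppm", 5.0),
        Parameter("flow_rate_lpm", 250.0, "L/min", 10.0),
        Parameter("high_ph_alarm", 9.5, "pH", 0.0),
    ]
}

# Constructed snapshot: lye setpoint changed 111x, flow drifted within band.
OBSERVED = {"naoh_setpoint_ppm": 11100.0, "flow_rate_lpm": 262.0, "high_ph_alarm": 9.5}


def check_snapshot(asset: str, observed: dict) -> list:
    """Return a Finding for every parameter outside its tolerance band."""
    findings = []
    for p in BASELINE[asset]:
        if p.name not in observed:
            continue  # a missing reading is an inventory gap, handled elsewhere
        value = float(observed[p.name])
        allowed = abs(p.baseline) * p.tolerance_pct / 100.0
        if abs(value - p.baseline) > allowed:
            factor = value / p.baseline if p.baseline else float("inf")
            findings.append(Finding(asset, p.name, p.baseline, value, p.unit,
                                    round(factor, 2), p.baseline))
    return findings


if __name__ == "__main__":
    for f in check_snapshot("PLC-DOSE-01", OBSERVED):
        print(f"{f.asset} {f.parameter}: {f.baseline} -> {f.observed} {f.unit} "
              f"({f.factor}x); restore to {f.restore_to}")
```

Run on the constructed snapshot, only the setpoint change is reported; the 12 L/min flow drift stays inside its 10 percent band and the alarm threshold is unchanged.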
“In today’s modern water operations, there are millions of devices such as sensors and controllers installed across the water system, providing essential information and helping make critical decisions. However, water companies are experiencing the tremendous challenge of keeping these numerous complex and diverse devices secure,” comments Mr. Zion Harel, co-founder and co-CEO of IXDen, a cybersecurity company based in Tel Aviv.
“The event in the Florida water treatment plant attack, through the ICS platform and chemical controller, and other recent events in water operations highlight the dangers of remote access. We saw recent reports of hackers targeting programmable logic controllers (PLCs) used to control valves – the results of which could be catastrophic organizationally and economically. It may have even cost human lives.”
“Water companies must continue to retain their qualitative edge in the battle against cybercriminals and attacks. This is the duty of all companies today, especially infrastructure companies. They need to secure their OT operations and monitor the sensor integrity as well as provide sensor threat detection At-The-Source. Water companies have to implement innovative technologies against cyberattack, tampering, and data manipulation, utilizing behavioral biometrics on endpoint devices and multifactor authentication driven by Artificial Intelligence and Machine Learning. Those companies must ensure the safety of the people and the quality of the water. This is no less a priority, and perhaps poses an even greater challenge,” says Mr. Harel.