Cl0p ransomware attack yet again puts pressure on water sector to fix cybersecurity gaps


Cybersecurity attackers have once again targeted the water sector as the Russian-based Cl0p ransomware hacker group breached water systems at the U.K. water supply company South Staffordshire in mid-August. Coming in the middle of one of the worst droughts the U.K. has faced, the cyber attack demonstrates that very little has changed since last year’s remote access cyber attack at the Oldsmar, Florida water treatment plant. 

The Cl0p ransomware hackers claimed to ‘have access to more of 5 TB of data. Every system including SCADA and these systems which control chemicals in water. Do not be afraid from us. We do nothing. But other group who will try are not will be as honest as we,’ they added. 

The hackers also posted two screenshots of the OPUS Software PC6-SQL Master Station SCADA (supervisory control and data acquisition) system, which is used to monitor and control South Staffordshire water’s operations, substantiating the group’s claims that they could manipulate the level of chemicals in the water. Furthermore, the Cl0p ransomware group also posted a list of credentials discovered inside the environment to highlight the compromised systems. 

Close scrutiny shows that the same username and passwords are present multiple times and that not practicing good cyber hygiene can lead to simple credential reuse attacks. The Cl0p ransomware group also said it ‘spent months in the company system and saw first-hand evidence of very bad practice.’

South Staffordshire Plc, the parent company of utilities Cambridge Water and South Staffordshire Water, confirmed that the cyber-attack disrupted its corporate IT network. The attack, however, did not affect the company’s ability to supply safe water to its 1.6 million customers in the areas around Cambridge, the West Midlands, South Staffordshire, South Derbyshire, North Warwickshire, and North Worcestershire. 

The Cl0p group, also known as Clop, has been active since 2019, but its infrastructure was temporarily shut down in June 2021 following INTERPOL’s Operation Cyclone, which also led to the arrest of people involved in laundering money for the group in Ukraine, Forescout’s Vedere Labs said in a recent blog post. “They remained inactive between the end of 2021 and the beginning of 2022, but in April, the group returned with 21 new victims announced on their leak site. The Cl0p hackers have been involved in several other attacks since then, including global technology company Applexus on July 26, Middle Eastern supermarket chain Spinneys on July 20, Canadian technology company Pricedex on May 28, and American distributor of physical security systems ENS Security on May 27,” it added.

“CL0P had an explosive and unexpected return to the forefront of the ransomware threat landscape, jumping from the least active threat actor in March to the fourth most active in April,” the NCC Group noted in its April Threat Pulse update. The most targeted sector for CL0P was industrials, which made up 45 percent of CL0P’s attacks, followed by technology with 27 percent, it added. 

“The increase in CL0P’s activity seems to suggest they have returned to the threat landscape,” Matt Hull, global lead for strategic threat intelligence at NCC Group observed. “Organisations within CL0P’s most targeted sectors – notably industrials and technology – should consider the threat this ransomware group presents, and be prepared for it.”

The attack on South Staffordshire water company demonstrates one more time the significant cybersecurity deficiencies that continue to prevail in the drinking water and wastewater sectors resulting partly from structural challenges. These systems operate with limited budgets and even more limited cybersecurity personnel and expertise. Conducting effective federal oversight of and providing sufficient federal assistance to such a distributed network of utilities is inherently difficult.

In January, the U.S. administration rolled out a water sector action plan to help protect water systems from cyberattacks, focusing on high-impact activities that can be surged within 100 days to safeguard water resources by improving cybersecurity across the water sector. The proposed actions include establishing a task force of water sector leaders, implementing pilot projects to demonstrate and accelerate the adoption of incident monitoring, improving information sharing and data analysis, and providing technical support to water systems.

Water companies see more attempts to attack operational water sites, primarily through the OT (operational technology) network with a focus on the edge device, which is the weakest link in the chain, Leonid Cooperman, co-CEO and co-founder of IXDen, told Industrial Cyber. “In today’s modern water operations, there are millions of devices such as sensors and controllers installed across the water system, providing essential information and helping make critical decisions. However, water companies are experiencing the tremendous challenge of keeping these numerous complex and diverse devices secure.” 

Leonid Cooperman, co-CEO and co-founder of IXDen

Cooperman said that the attack on the Florida water treatment plant, carried out through the ICS (industrial control system) platform and chemical controller, along with other recent events in water operations, highlights the dangers of remote access to the OT network. “We saw recent reports of hackers targeting programmable logic controllers (PLCs) used to control valves – the results of which could be catastrophic organizationally and economically. It may have even cost human lives.”

“Water companies must continue to retain their qualitative edge in the battle against cybercriminals and attacks,” according to Cooperman. “This is the duty of all companies today, especially infrastructure companies. They need to secure their OT operations and monitor the sensor integrity as well as provide sensor threat detection At-The-Source. They need to monitor for anomalies in the lower levels of the Purdue model – Levels 0-2, where the sensors, actuators, valves, etc., are exposed to risk,” he added.

Moreover, water companies have to implement innovative technologies against cyberattack, tampering, and data manipulation, utilizing behavioral biometrics on endpoint devices and multifactor authentication driven by Artificial Intelligence and Machine Learning, Cooperman suggested. “Those companies must ensure the safety of the people and the quality of the water. This is no less a priority and perhaps poses an even greater challenge.”

Given the prevailing ICS business risks faced by the water and wastewater systems sector, and the limited preparedness of smaller installations to address these risks, it is important to analyze the key factors that led to the Cl0p ransomware group attacking South Staffordshire, and to look at the critical lessons the incident teaches the water sector. 

Andrew Ginter, VP Industrial Security at Waterfall Security Solutions

“Ransomware criminals are motivated by profit – they target everyone with money. In the water treatment sector, I am more worried about hacktivists – amateurs who do not profit from their attacks, but want to make a political statement by tainting water and harming a population,” Andrew Ginter, vice president for industrial security at Waterfall Security Solutions, told Industrial Cyber. “For these actors, smaller water systems are easier targets than large and presumably more heavily defended targets.”

The Cl0p attack on South Staffordshire appears to follow a familiar playbook, Mark Carrigan, senior vice president of process safety and OT cybersecurity at Hexagon Asset Lifecycle Intelligence, told Industrial Cyber. “The attackers likely used a spear-phishing campaign to acquire user credentials, gain access to the network, and then pivoted towards the industrial control system that controls water supply. Cl0p published screenshots that indicate they may have accessed the engineering or operator stations that would allow them to make changes to either disrupt or contaminate the water supply,” he added. 

“It is important to note that these same screenshots could be from remote monitoring software that provides ‘view-only’ without the ability to make any changes,” Carrigan pointed out. “South Staffordshire has not released any information to date confirming if the attackers had access to the stations that could implement change.” 

Mark Carrigan, SVP of Process Safety and OT Cybersecurity at Hexagon Asset Lifecycle Intelligence

Carrigan added that it appears that Cl0p was able to steal information while they had access to the network but were unable to deploy ransomware that could have shut down the control systems. “Cl0p has a history of deploying ransomware for financial gain so it is reasonable to assume that was their ultimate intent. South Staffordshire should be applauded for recognizing and responding to the attack and disabling their adversary’s ability to deploy ransomware or make malicious changes to the control system.”

Outlining the additional resiliency and efficiency advances that critical water and wastewater installations need to adopt following the Cl0p ransomware attack at South Staffordshire, Ginter recommends IT/OT air gaps for the smallest operators and unidirectional gateway technology at the IT/OT interface for larger operators.

“Also – all operators should maximize their use of security engineering practices. For example: if there is physically no way that computers can open and close valves to create a path between untreated water sources and the drinking water distribution system, then there is no cyber compromise that can cause such routing of water,” according to Ginter. 

Similarly, physical limits on the maximum rate of chlorine, fluoride, and lye additives, coupled with a large finished water storage facility, will make harmful cyber manipulation of additive processes extremely difficult, Ginter said. “And a manual operation fall-back position means that even if ransomware operators can get into OT systems and cripple them, treatment systems can continue to be operated during the cyber clean-up, albeit at a lower level of efficiency,” he added. 

Water systems are most resilient when their automation is not essential to correct operation, only essential to efficient operation, Ginter said. “The good news – these measures do not have the very high operating cost that software-based cybersecurity programs have,” he added.

Carrigan said that all operating companies in critical industries, including water supply, must recognize that they are targets for attacks. “It only takes one wrong click by one employee on one of thousands of emails that run through the enterprise each day to allow adversaries to gain access to our networks.” 

“As a result, we must accept that it is a matter of when, not if, the wrong people will ‘get in the door,’” according to Carrigan. “Companies should focus efforts on improving their resiliency to a cyber-attack, minimizing the potential harm, and restoring systems without having to pay a ransom. This should include implementing technology to recognize an attack, detecting malicious change to control systems, and having a robust backup and recovery plan to restore systems that may be affected by ransomware,” he added.

As the EPA, the independent federal agency tasked with environmental protection, determines its role and approach in securing the U.S. water infrastructure, the executives outline initiatives the agency must adopt to regulate an industry with little to no security resources, especially at smaller companies or utilities. 

Ginter suggests that the EPA should tap the Department of Energy (DOE) on the shoulder. “The DOE Cyber-Informed Engineering Strategy is a step in the right direction for the energy sector, and that approach will have tremendous value for especially smaller water treatment utilities as well,” he added.

“The water sector is an industry in most need of government partnership. We can agree that safe, reliable water supply is in the national interest of all nations,” Carrigan said. “In many cases (such as the USA), water supply is dominated by small local entities that are managed by municipal governments, often contracting with a private company for operations. These entities operate on tight budgets that currently do not have the means to effectively secure their operating systems.”

Governments, whether it be at the state or national level, need to provide more resources and funding to help these entities secure their assets, Carrigan highlighted. These entities often do not have the ability to raise additional funds for security due to local regulations, operating contracts, or their inability to determine tax or user fee policies. The government must provide a mechanism for these entities to secure funding for security which could include issuing additional bonds, adding fees to consumers, or devoting tax resources. Without clear, strategic direction from the government, the water sector is likely to remain one of our most vulnerable critical industries, he added.

“When taking action, the government must also avoid implementing a series of overlapping regulations that make it difficult for companies to achieve their security goals,” according to Carrigan. “As an example, in the USA there are a number of federal agencies that have implemented cybersecurity requirements and regulations that overlap – a company must then comply with all that are applicable to them. These agencies include the Department of Homeland Security (via CISA), DoT, Coast Guard, FERC, and others. Government must coordinate better to prevent operating companies from spending their precious security dollars on complying with an “alphabet soup” of conflicting regulations.”

Cooperman said that the EPA has a responsibility to improve the ability of water utilities to prevent, prepare for, and respond to water contamination that threatens public health. “Disasters, whether human-made or naturally occurring, can impact the ability of water and wastewater utilities to function, including the potential disruption of drinking water supplies to municipalities.”

To support disaster preparedness, Cooperman said that the EPA has to develop modeling tools that aid the design and operation of water and wastewater systems in a way that decreases their vulnerability to disasters. He also added that the EPA has to support water companies in the implementation of cybersecurity best practices, which is critical for water and wastewater utilities and brings utilities one step closer to cyber resilience.

“EPA shall assess cybersecurity practices at water and wastewater systems and guide systems through developing a cybersecurity action plan to reduce risks and enhance resilience,” Cooperman added. “EPA shall provide water and wastewater systems with the resources to plan, conduct and evaluate tabletop exercises for all-hazards scenarios, including cybersecurity incidents,” he concluded.
