On Feb. 2, the largest ever compilation of breached usernames and passwords was leaked online. Known as COMB, it contained 3.2 billion unique email/password pairs, including the credentials for the Oldsmar water plant in Florida.
Three days later an unknown attacker entered Oldsmar's computer systems and attempted to manipulate the pH in the city's water to dangerously high acidic levels by increasing sodium hydroxide (lye) by 100 times. Although the attack was foiled and the lye levels returned to normal, the incident highlighted the ease with which cybercriminals are increasingly able to target critical national infrastructure (CNI).
In this particular case it was thought that the attacker managed to get into Oldsmar's systems via the plant's TeamViewer software which allows supervisors to access the system remotely. "As recently as August 2020, our analysts identified several high-risk vulnerabilities and exposures publicly associated with TeamViewer," claims Evan Kohlmann, chief innovation officer of threat intelligence platform Flashpoint. "This includes an example allowing a malicious website to launch TeamViewer with arbitrary parameters, capturing the victim's password hash for offline password cracking."
However, the problem isn't unique to TeamViewer. As far back as 2013 the Department of Homeland Security (DHS) confirmed that an Iranian hacker group known as "SOBH Cyber Jihad" accessed computer systems controlling the Bowman Avenue Dam in New York at least six times, accessing sensitive files containing usernames and passwords. Similarly, in 2015 and 2016 Ukraine suffered a series of attacks on its power grids believed to be the work of a Russia-sponsored advanced persistent threat group called Sandworm, which left 225,000 Ukrainians in sustained blackouts for several hours at a time.
In July 2020, a CyberNews investigation highlighted just how easy it would be for an attacker to get into critical US infrastructure via unsecured industrial control systems (ICS). This, it claimed, could be done simply by attackers using search engines and tools dedicated to scanning all open ports and remotely taking control. Explains CyberNews Senior Researcher Edvardas Mikalauskas: "Our research has previously highlighted that many ICS panels in the US are critically unprotected and easily accessible to threat actors. The most vulnerable infrastructure appears to belong in the energy and water sector."
Security vs. Safety Dilemma
Indeed, in its recently published CNI Cyber Report: Risk and Resilience, Bridewell said there is a massive gap between the perceived threat of a cyberattack and the actual threat to CNI. While 78% of organizations are "confident" that their OT (operational technology) is protected from cyberthreats — and 28% very confident — it seems CNI is facing a "cyber siege." According to Bridewell's research of 250 UK IT and security decision-makers across five key CNI sectors (aviation, chemicals, energy, transport and water), 86% of organizations have detected cyberattacks on their OT/ICS environments in the last 12 months, with nearly a quarter (24%) experiencing between one and five successful attacks. Water and transport have been the sectors which have experienced the most successful attacks. Similarly, IBM reported a 2000% increase in cyber security incidents targeting OT in 2019, most of them involving Echobot IoT malware (download IBM's annual X-Force Threat Intelligence Index here).
For Terry Olaes, technical director, North America, of computer security company Skybox Security, the latest OT attacks signal a change in intent among cybercriminals, as well as raising questions about increasing critical infrastructure vulnerabilities. "Managing critical infrastructure comes with several challenges," he says. "It entails massive environments that can't experience downtime and where safety is often prioritized over security. As a result, vulnerability and remediation on OT devices only occurs around 'once or twice a year, leaving the back door wide open to nefarious attackers to our critical infrastructure."
Bridewell's Scott Nicholson agrees: "Within an industrial controls context consistency and availability of the service are key, whereas upgrading software is seen as risky. Patching systems and keeping them updated can be very complex for OT organizations," he adds.
A further problem is the demand for internet connectivity, which has been accelerated in part by the COVID-19 pandemic. Whereas traditionally many organizations within CNI sectors have managed Industrial Control Systems (ICS) and critical applications on their own closed private network, this is beginning to change. The rise of the Internet of Things (IoT) has brought the benefits of connectivity to the fore and there is a growing need to drive convergence between critical operational technology, IT networks and the internet for remote management. However, inevitably this simply increases the potential attack surface as well as bringing a wider range of threats.
"For many critical infrastructure facilities, COVID-19 forced an abrupt shift to employees working from home, meaning that security teams had to make production control networks accessible remotely to keep systems up and running," explains Andrea Carcano, co-founder of Nozomi Networks. "However, unfortunately remote access is often the easiest path for attackers to infiltrate a network."
Adds Scott Nicholson: "Their networks need to be segmented from the internet as much as possible." This can be done using the Purdue model — a hierarchical structure for industrial communications which was first developed in the 1990s.
Impressive Physical Security Isn't Enough
According to Thycotic's Joseph Carson, physical security surrounding critical national infrastructure, such as power plants, is usually very impressive. Unfortunately, the same cannot be said of their cyber security. "You've got gates, armed guards, all these sensors and perimeter detection systems but when you look at the cyber security side of things it's really quite concerning", he says. "Not only is the use of remote desktop solutions a threat, but I've seen audio streaming software installed which implies operators are able to install their own software for listening to music while monitoring critical infrastructure."
Nor are the challenges simply going to go away. The growth of IoT — in particular the rise of Industry 4.0 with its increasing demand for drones and autonomous vehicles — means the potential for attack is only going to get greater. At the same time, the continued demand for remote working as a result of the pandemic, provides additional risk as the recent TeamViewer attack on the Florida water treatment facility showed. Indeed, the fight against COVID itself is even providing a target for cyber attackers.
Nozomi Networks' Andrea Carcano concludes: "We've continued to see threats to critical infrastructure rise over the last few years and we don't expect that trend to end anytime soon. Recent attacks on healthcare organizations and those in the fight against COVID are dramatic reminders that the systems we reply on are high value targets that are vulnerable and at constant risk of attack."
Five Steps to Help Protect Critical National Infrastructure From Attack
—Story by Chris Price
This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.IFSEC Global, part of the Informa Network, is a leading provider of news, features, videos and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies – like video surveillance, access control, ... View Full Bio