Cyberspatial News

Providing Real-time Visibility to Prevent the Next Water Treatment Plant Hack

October 18, 2023

It was alarming to learn in December 2020 that multiple U.S. government agencies had experienced severe data breaches as a result of cyberattacks. But for those of us who weren’t directly involved in the matter, the alarm was somewhat abstract in nature. After all, it was large-scale, international in scope, and directed at multiple targets, including NATO, the European Union, private businesses, and U.S. federal agencies. It was blamed on hackers who had the backing of a foreign government. Its damage was also measured primarily in terms of data theft and information security.

By contrast, the alarm raised by the cyberattack on the Bruce T. Haddock Water Treatment Plant in Oldsmar, Florida, in early February 2021 felt rather concrete. It hit closer to home, as it focused on a single target in a single town. It had the potential to affect human life directly, since it involved an attempt to increase the amount of sodium hydroxide – also known as lye, a caustic substance – in the public water supply to toxic levels. It occurred shortly before Tampa, the city next door, hosted the Super Bowl, an event sure to put the area in the spotlight. And it has not been traced back to any particular source.

These two incidents also differed with respect to the methods used by hackers. The cyberattacks on U.S. government agencies involved supply chain attacks on Microsoft cloud computing services and on SolarWinds’ Orion network management software, as well as the exploitation of vulnerabilities in VMware Access and VMware Identity Manager, which manage identity and access to information technology (IT) networks. By contrast, the cyberattack on the Oldsmar facility compromised TeamViewer software, which allowed remote access to the water treatment plant’s operational technology (OT) systems.

Lengthy exposure to malicious actors may be part of the problem

Nevertheless, there may be a common thread connecting the two incidents – namely, lengthy exposure to malicious actors.

The data breaches experienced by U.S. federal agencies appear to have stemmed from intrusions that occurred over a period of many months. They may date back to March 2020, when malicious code was inserted into Orion, which uses centralized monitoring to check for problems within IT networks. The amount of time that passed before detection allowed the perpetrators to conduct a cyberespionage campaign that Ben Buchanan, the director of the CyberAI Project at Georgetown University’s Center for Security and Emerging Technology (CSET), described as “impressive, surprising, and alarming” in scope.

It is not yet known how long the party responsible for the incident in Florida had access to the Oldsmar water treatment plant. However, Marina Krotofil, a researcher who has developed cybersecurity roadmaps for major companies such as A.P. Moeller/Maersk, ABB, and Honeywell, said at a recent conference that successful attacks were often the result of hackers gaining prolonged access to production environments and pieces of equipment. Accordingly, she said, it’s crucial for utilities and other infrastructure providers to use secure remote access solutions, since doing so limits attack scenarios by denying hackers the ability to interact with OT networks.

Rob Joyce, NSA Director of Cybersecurity

Comprehensive visibility helps identify possible sources of damage

Dr. Krotofil also recommended that infrastructure operators make a point of ensuring that they can observe every part of their own OT networks. She explained this recommendation by noting that comprehensive visibility makes it possible to determine exactly what devices and systems can be damaged – and exactly how they can be damaged.

At Cyberspatial, we 100% agree. Network visibility is crucial because you can’t secure what you can’t see. Also, it’s a fundamental best practice in the cybersecurity arena to develop and maintain a system inventory of all your networked devices and all your industrial control systems (ICS) – and the links between them. With that inventory in hand, you’ll be able to determine what facilities are connected to the network and who is active on the network. You’ll also be able to make decisions faster because you’ll have the full picture of that information.


We therefore recommend that you make visibility a priority when adopting cybersecurity solutions and developing cybersecurity policies. To do that, you’ll need to implement fundamental best practices in visibility architecture by addressing blind spots in your OT networks. More specifically, you’ll need to eliminate those blind spots so that your ICS security tools can detect threats and anomalies and conduct continuous monitoring. Furthermore, eliminating blind spots is only possible if your tools can carry out complete analysis of packet data. To do so, you’ll need to deploy network TAPs, air-gapped virtual TAPs, and data diodes as part of your security and infrastructure strategy.

And if you’re not sure about the value to be gained from continuous monitoring, please think again. As we noted above, prolonged exposure to malicious actors appears to have contributed to the cyberattack on U.S. government agencies and may also have done so in the case of the Oldsmar water treatment plant. Real-time monitoring capabilities are also important, as they allow you to detect all kinds of adverse events – including but not limited to malware, malfunctioning devices, and neglected firmware updates – as they happen.
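As an added example (not code from the original post or from Cyberspatial), the inventory-and-monitoring idea above in Python: a baseline of devices and links is built from constructed flow records, and later records are checked against it, flagging unknown devices, unknown links, and remote-access sessions reaching the OT segment. The addresses, the OT prefix, and the port-to-service table are assumed values for the example.

```python
# Added example, not from the original post: build a device-and-link inventory
# from constructed flow records, then flag later records that fall outside it.
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")

# Constructed flow records, not real captures. 10.10.0.0/24 is assumed to be
# the OT segment; every host and timestamp below is made up.
BASELINE = [
    Flow("2021-02-01T08:00:00Z", "10.10.0.5", "10.10.0.20", 502, "tcp"),    # HMI -> PLC (Modbus)
    Flow("2021-02-01T08:00:01Z", "10.10.0.5", "10.10.0.21", 502, "tcp"),    # HMI -> second PLC
    Flow("2021-02-01T08:00:02Z", "10.10.0.20", "10.10.0.5", 44818, "tcp"),  # PLC -> HMI (EtherNet/IP)
]
LATER = [
    Flow("2021-02-05T09:12:00Z", "10.10.0.5", "10.10.0.20", 502, "tcp"),    # already in inventory
    Flow("2021-02-05T09:13:10Z", "10.10.0.77", "10.10.0.5", 5938, "tcp"),   # unknown host, remote-access port
    Flow("2021-02-05T09:14:00Z", "203.0.113.9", "10.10.0.5", 5938, "tcp"),  # external host -> HMI
]

# Well-known default ports of common remote-access tools (assumed table).
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 5938: "TeamViewer"}
OT_PREFIX = "10.10.0."

def build_inventory(flows):
    """Inventory = set of devices plus set of (src, dst, dport) links seen in the baseline."""
    devices, links = set(), set()
    for f in flows:
        devices.update((f.src, f.dst))
        links.add((f.src, f.dst, f.dport))
    return devices, links

def monitor(flows, devices, links):
    """Return one alert string per deviation from the inventory, in flow order."""
    alerts = []
    for f in flows:
        for host in (f.src, f.dst):
            if host not in devices:
                alerts.append(f"{f.ts} new device {host}")
        if (f.src, f.dst, f.dport) not in links:
            alerts.append(f"{f.ts} new link {f.src}->{f.dst}:{f.dport}")
        if f.dport in REMOTE_ACCESS_PORTS and f.dst.startswith(OT_PREFIX):
            origin = "internal" if f.src.startswith(OT_PREFIX) else "external"
            alerts.append(f"{f.ts} {REMOTE_ACCESS_PORTS[f.dport]} from {origin} {f.src} to OT host {f.dst}")
    return alerts

if __name__ == "__main__":
    devs, lnks = build_inventory(BASELINE)
    for line in monitor(LATER, devs, lnks):
        print(line)
```

The same checks run unchanged over flow records exported by a TAP-fed sensor, provided the baseline is captured while the network is known-good.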
