A new advisory offering details on a remote hacker’s attempted sabotage of an Oldsmar, Florida city water treatment plant has revealed a disregard for certain basic cyber hygiene best practices among employees.
Experts say it’s an indicator that operators of critical infrastructure could use a serious infusion of security controls. However, due to budget restrictions, these controls may first require a thorough risk assessment and prioritization exercise.
When the Feb. 5 incident was first disclosed last Monday, it was reported that a malicious actor exploited remote access software – later identified as TeamViewer – to hijack plant controls and then tried increase the amount of lye in the water to dangerous levels.
But that wasn't the whole story. A security advisory released earlier this week by the state of Massachusetts's Department of Environmental Protection referred to additional unsafe practices or behaviors at the Bruce T. Haddock Water Treatment Plant that exponentially increased the risk further.
For starters, all of the computers used by plant employees were connected to the facility’s SCADA system and used the Windows 7 operating system, which reached its end of life in early 2020 and is no longer supported by Microsoft. “Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed,” the report continued.
“This incident is important because it reflects the status of too many industrial control system (ICS) installations, especially those with smaller budgets and a smaller size, where security is often overlooked,” said Andrea Carcano, co-founder of Nozomi Networks.
The Massachusetts advisory suggested that in response to this incident, public water suppliers “restrict all remote connections to SCADA systems, specifically those that allow physical control and manipulation of devices within the SCADA network,” adding that one-way unidirectional monitoring devices are recommended to monitor SCADA systems remotely.
Additional guidance included actively using a firewall with logging capabilities, patching software regularly (and especially after the disclosure of a critical bug), using two-factor authentication and strong passwords, and installing a virtual private network.
Of course, plant operators should already know many of these lessons, yet security lapses in critical infrastructure environments are all too common, say experts. That’s why improved controls designed for ICS- and OT-heavy environments may be necessary. But that comes with its own budgetary challenges.
“Traditionally, smaller critical infrastructure organizations around the world have always experienced struggles in obtaining funding for cybersecurity,” said Tim Conway, technical director of the ICS and SCADA programs at SANS Institute. “Budgets are not limitless, and entities have always struggled to expand operating and maintenance expenditures to cover ongoing costs associated with cybersecurity workforce, training, tools and technology.”
When allocating budget, security must be balanced with conflicting demands to invest in infrastructure and operation capabilities, Conway added. “To achieve this balance, there needs to be participation from informed stakeholders who can represent the various risks to the business and obligations to their customers and communities they serve.”
That’s where asset management and risk assessment come into play.
“It is a poignant reminder that the best foundation for effective OT cybersecurity is a detailed and broad asset inventory that includes relationships and dependencies among OT systems and a baseline of configuration settings,” said Eddie Habibi, founder at PAS Global LLC, part of tech company Hexagon AB. “With this in place, risk assessment is far more informed, enabling organizations to more effectively assign and limit remote access at both the system and account levels."
Through these risk assessments, companies can prioritize which controls they need the most.
Malcolm Harkins, chief security and trust officer at Cymatic and a fellow at the Institute for Critical Infrastructure Technology (ICIT), describe some of the key controls ICS environment must consider in order to shore up their cyber hygiene.
“You have to drive a level of real technical and control accountability,” said Harkins. “Have you put in place a capability to make sure credentials aren't reused? Are you forcing password resets? Are you scanning the dark web for… passwords being exposed? Are you looking on Shodan… for where a mistake could have occurred and a component in your critical infrastructure is now listed, and everybody knows how to ping it? Those are real controls, and real technical and process steps.”
Then there’s the matter of finding the right tools to administer such controls. Conway said that with security staffing shortages, critical infrastructure facilities “will need to rely heavily on the vendors and system integrators to really help guide the projects and ensure appropriate levels of cybersecurity protections and controls are addressed in the system design… It is essential to ensure informed decisions being made around the operational and safety risks that exist.”
With controls in place to help abate properly assessed risk factors, critical infrastructure facilities can then enhance their cyber hygiene further through the implementation of security awareness programs. Ideally, such courses will take into consideration critical infrastructure’s unique blend of IT, OT and IoT.
“Ensuring the training is in line with the environment, culture and learning objectives specific to essential job tasks is absolutely necessary,” said Conway. “Find a training partner that understands the unique IT and OT security awareness needs across an organization and can ensure the right training for the right people in a way that will help shape behaviors.”
If critical infrastructure operators don’t starting to apply some of these measures themselves, it’s possible the government will start to impose certain expectations.
Many industrial companies have not stepped up to self-regulate and apply industry standards and frameworks like ISA/IEC 62443 and NIST 800,” said Habibi. “When people’s health and safety are at risk, government will feel compelled to step in. We should expect that Oldsmar will create more desire for government to do so.”
