Water plant cyber attack shows industrial vulnerability
In early February 2021, the control system of the water utility in Oldsmar, USA, fell victim to an external tampering cyber attack. According to the utility's supervisor, a hacker gained access to the central control system around 1:30pm on February 5th. The hacker took control of the screen and increased the addition of sodium hydroxide (also known as lye) by a factor of hundreds. The chemical is used in water treatment to regulate the acidity of drinking water. The water utility serves about 15,000 residents in the county as well as local stores and businesses.
According to management, the hacker had infiltrated the system through remote access. This technology is regularly used by the staff, as well as service providers, to access system controls for water supply and treatment via authorised accounts. It is still unclear whether the attacker gained access via the supervisor's access. If that’s not the case, the installed cyber security system clearly lacked the ability to reliably identify new, unauthorised network participants.
This attack is an almost textbook illustration of the security flaws that still prevail in many critical infrastructures. The lack of damage from the attack was a lucky coincidence rather than due to a thorough security concept. The incident underscores the need for intelligent, real-time monitoring in critical infrastructure.
Even though no damage was caused by the incident, it shows how vulnerable industrial networks really are. It also illustrates how quickly and easily critical infrastructure that serves thousands of people can be targeted for disruption. The consequences of hacks like this can be disastrous. Real-time detection of attacks should not be left to the chance of a watchful operator. Even if subsequent security layers likely would have reported the massive increase in the chemical sooner or later, it is doubtful that the tampering would have been averted if the attacker had been a bit more sophisticated.
A robust intrusion detection system – the missing link?
Incidents like this underscore the need for critical infrastructure to have an end-to-end intrusion detection system. This must detect and report any changes in critical infrastructure networks in real-time. Network monitoring with anomaly detection could have reported the login on the morning of the incident as suspicious and potentially dangerous. To do this, anomaly detection uses various indicators, such as past behaviour of the accessing user account (access time, IP address, access duration) and the actions performed using the account. It would also have identified the actor as malicious if they entered the system through an entirely new account.
In addition, an industrial endpoint protection system would have added the ability to automatically prevent certain operations directly on the remotely controlled assets. These protection mechanisms at the edges of an infrastructure are of particular importance. They are effective where the first access to the system often occurs. As a result, they stop attacks before they progress too far. They also prevent lateral movement of attacks, further reconnaissance of the network and lateral movement across the fleet.
Building comprehensive protection with IT and OT
A successful cyber security strategy is not about finding the one single measure that fits all. As the threat of exposure and the landscape grow ever more complex, it is about finding the right set of measures and implementing them across the IT estate. It is a principle of literally all cyber security approaches and standards that only a systematic set-up of complementary measures – both organisational as well as technical – can lead to a proper level of security.
Generally, this principle is called "Defense in Depth", in order to protect OT networks, several specialised defense layers are required. This concept, operates on the assumption that if you have multiple layers of security, you keep your core network safer.
Think of medieval castles with their hierarchy of walls, gates, narrowings and trenches that ensure that if one measure is breached, the overall structure is still secure. In modern terms of critical infrastructure cyber security, this translates to a combination of risk management, firewalls, VPNs, strong authentication, network segmentation, network and device monitoring as well as anomaly detection.
Of course the ‘Defense In Depth’ strategy needs to incorporate Operational Technology (OT) as much as IT. After all, OT is the backbone of daily operation in critical infrastructure. Since OT presents quite different requirements and challenges to enterprise or office IT, it is useful to combine different measures that fit some specific needs of OT. Most of all, this includes ensuring stability through passive approaches that do not disrupt industrial processes.
Rhebo has supported a large number of critical infrastructures in the end-to-end protection of their industrial control systems. Thanks to a recent partnership between Paessler and Rhebo, Paessler’s PRTG network monitoring solution and Rhebo Industrial Protector interact in a way that the OT data passively collected by Rhebo with anomaly detection can be used by PRTG (which is by definition an active system) for threat analysis and the definition of counter-measures.
There is a lot to be learned from what happened at the water facility in Oldsmar and this incident should be a wakeup call to major infrastructure companies to build a solid and secure ring-fence around their IT and OT systems. As hackers get even more sophisticated in their methods to access IT systems, companies need to be one step ahead and carefully monitor the whole network and identify any gaps in their estate which could leave the system vulnerable to attack.