
This is part 4 in our “Back to Basics” series for preventing cyber and ransomware attacks. We write these in the context of recent attacks, highlighting basic security measures you can apply in your organization today. Check out part 1, covering how access control basics could have helped T-Mobile security; part 2, Identifying and Remediating Device and Infrastructure Security Gaps – The Oldsmar Water Treatment Plant Ransomware Attack Examined; and part 3, Back to Basics: Ransomware Attacks Targeting Agriculture and Food Damaging Beyond Ransoms Paid.
Joint Warning Recently Issued by CISA, FBI, EPA, and NSA Regarding Water and Waste Treatment Infrastructure
This short post points you to the longer CISA warning about attacks against critical-infrastructure water and wastewater treatment facilities and its recommendations for protecting against them.
Many of the recommendations in our recent Oldsmar water department post, and in others over the year, align with this longer set of warnings.
Tactics, Techniques, and Procedures
WWS facilities may be vulnerable to the following common tactics, techniques, and procedures (TTPs) used by threat actors to compromise IT and OT networks, systems, and devices.
These TTPs target the following areas, each of which warrants extra care to prevent compromise:
- People, processes, and technology exposed to spearphishing and business email compromise (BEC)
- Integration of IT with OT systems
- Internet-connected services and applications that enable access, especially remote access, into the network
- Unsupported or outdated operating systems and software
- Control system devices running vulnerable firmware versions
Recommended Mitigations
The FBI, CISA, EPA, and NSA recommend WWS facilities—including DoD water treatment facilities in the United States and abroad—use a risk-informed analysis to determine the applicability of a range of technical and non-technical mitigations to prevent, detect, and respond to cyber threats.
Here are their recommendations:
WWS Monitoring
Personnel responsible for monitoring WWS should check for the following suspicious activities and indicators, which may be indicative of threat actor activity:
- Inability of WWS facility personnel to access SCADA system controls at any time, either entirely or in part;
- Unfamiliar data windows or system alerts appearing on SCADA system controls and facility data screens that could indicate a ransomware attack;
- Detection by SCADA system controls, or by water treatment personnel, of abnormal operating parameters—such as unusually high chemical addition rates—used in the safe and proper treatment of drinking water;
- Access of SCADA systems by unauthorized individuals or groups, e.g., former employees and current employees not authorized/assigned to operate SCADA systems and controls;
- Access of SCADA systems at unusual times, which may indicate that a legitimate user’s credentials have been compromised;
- Unexplained SCADA system restarts;
- Unchanging parameter values that normally fluctuate.
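As an added example (not from the advisory or from WootCloud), the checks below turn three of the indicators above into detection logic: abnormal chemical addition rates, parameter values that stop fluctuating, and SCADA access by unauthorized users or at unstaffed hours. The historian samples, access events, safe band, roster, and staffed hours are all constructed.

```python
"""Detection checks for the WWS monitoring indicators listed above.

Added example; all sample data is constructed. Assumes a historian export
as a list of dicts with keys 'ts' (ISO 8601), 'tag', 'value', and a SCADA
access log as a list of dicts with keys 'ts', 'user'.
"""
from datetime import datetime
from statistics import pstdev

# Constructed safe operating band for a sodium hydroxide feed (mL/min).
SAFE_RANGE = {"naoh_feed_rate": (0.0, 25.0)}
# Constructed roster of users authorized to operate SCADA, and staffed hours.
AUTHORIZED_USERS = {"op_alice", "op_bob"}
STAFFED_HOURS = range(6, 22)  # 06:00 to 21:59 local

def abnormal_parameters(samples):
    """Flag readings outside the safe band (e.g. unusually high chemical addition)."""
    hits = []
    for s in samples:
        lo, hi = SAFE_RANGE.get(s["tag"], (float("-inf"), float("inf")))
        if not lo <= s["value"] <= hi:
            hits.append((s["ts"], s["tag"], s["value"]))
    return hits

def frozen_parameters(samples, min_points=5):
    """Flag tags whose value stops fluctuating (possible stale or spoofed telemetry)."""
    by_tag = {}
    for s in samples:
        by_tag.setdefault(s["tag"], []).append(s["value"])
    return sorted(t for t, v in by_tag.items() if len(v) >= min_points and pstdev(v) == 0)

def suspicious_access(events):
    """Flag SCADA logons by unauthorized users or at unusual (unstaffed) times."""
    hits = []
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        if e["user"] not in AUTHORIZED_USERS:
            hits.append((e["ts"], e["user"], "unauthorized user"))
        elif hour not in STAFFED_HOURS:
            hits.append((e["ts"], e["user"], "off-hours access"))
    return hits

# Constructed sample data: one runaway feed reading, one flat-lined pH tag.
SAMPLES = [
    {"ts": "2021-10-14T10:00:00", "tag": "naoh_feed_rate", "value": 12.0},
    {"ts": "2021-10-14T10:05:00", "tag": "naoh_feed_rate", "value": 11.5},
    {"ts": "2021-10-14T10:10:00", "tag": "naoh_feed_rate", "value": 240.0},
] + [{"ts": f"2021-10-14T10:{m:02d}:00", "tag": "ph_effluent", "value": 7.2} for m in range(0, 25, 5)]
ACCESS = [
    {"ts": "2021-10-14T09:30:00", "user": "op_alice"},
    {"ts": "2021-10-14T02:15:00", "user": "op_bob"},
    {"ts": "2021-10-14T11:00:00", "user": "former_emp"},
]
```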
Remote Access Mitigations
Note: The increased use of remote operations due to the COVID-19 pandemic increases the necessity for asset owner-operators to assess the risk associated with enhanced remote access to ensure it falls within acceptable levels.
- Require multi-factor authentication for all remote access to the OT network, including from the IT network and external networks.
- Utilize blocklisting and allowlisting to limit remote access to users with a verified business and/or operational need.
- Ensure that all remote access technologies have logging enabled and regularly audit these logs to identify instances of unauthorized access.
- Utilize manual start and stop features in place of always activated unattended access to reduce the time remote access services are running.
- Audit networks for systems using remote access services.
- Close unneeded network ports associated with remote access services (e.g., RDP – Transmission Control Protocol [TCP] Port 3389).
- When configuring access control for a host, utilize custom settings to limit the access a remote party can attempt to acquire.
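The advisory asks for allowlisting, MFA, logging with regular audits, and closing of remote-access ports such as TCP 3389. The audit below, an added example that is not from the advisory or WootCloud, applies those checks to a constructed key=value session log from a hypothetical remote-access gateway; the allowlist, OT address range, and risky-port table are constructed too.

```python
"""Audit remote-access session logs against the mitigations listed above.

Added example; the log format, allowlist, and OT range are constructed.
Each log line is 'user=... src=... dst=... port=... mfa=yes|no'.
"""
import ipaddress
import re

# Constructed allowlist: users with a verified business or operational need.
ALLOWLIST = {"eng_carol", "vendor_acme"}
# Constructed OT network; remote sessions should terminate on a jump host,
# never directly on OT hosts.
OT_NET = ipaddress.ip_network("10.50.0.0/16")
# Constructed: remote-access ports that should be closed, with their names.
RISKY_PORTS = {3389: "RDP", 5900: "VNC", 23: "Telnet"}

LINE_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; returns None if required fields are missing."""
    fields = dict(LINE_RE.findall(line))
    return fields if {"user", "src", "dst", "port", "mfa"}.issubset(fields) else None

def audit(lines):
    """Return (line_no, reason) findings for sessions that violate the mitigations."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = parse_line(line)
        if f is None:
            findings.append((n, "unparseable log line"))
            continue
        dst, port = ipaddress.ip_address(f["dst"]), int(f["port"])
        if f["user"] not in ALLOWLIST:
            findings.append((n, f"user {f['user']} not on allowlist"))
        if f["mfa"] != "yes":
            findings.append((n, "session without MFA"))
        if dst in OT_NET:
            findings.append((n, f"direct OT access to {dst}, bypassing jump host"))
        if port in RISKY_PORTS:
            findings.append((n, f"{RISKY_PORTS[port]} (TCP {port}) exposed on {dst}"))
    return findings

# Constructed sample log: one clean session, one straight into OT over RDP,
# one unlisted user without MFA, and one corrupt line.
LOG = [
    "user=eng_carol src=203.0.113.7 dst=10.10.1.5 port=443 mfa=yes",
    "user=eng_carol src=203.0.113.7 dst=10.50.2.20 port=3389 mfa=yes",
    "user=contractor9 src=198.51.100.4 dst=10.10.1.5 port=443 mfa=no",
    "garbage line",
]
```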
Network Mitigations
- Implement and ensure robust network segmentation between IT and OT networks to limit the ability of malicious cyber actors to pivot to the OT network after compromising the IT network.
- Implement demilitarized zones (DMZs), firewalls, jump servers, and one-way communication diodes to prevent unregulated communication between the IT and OT networks.
- Develop/update network maps to ensure a full accounting of all equipment that is connected to the network.
- Remove any equipment from networks that is not required to conduct operations to reduce the attack surface malicious actors can exploit.
Planning and Operational Mitigations
- Ensure the organization’s emergency response plan considers the full range of potential impacts that cyberattacks pose to operations, including loss or manipulation of view, loss or manipulation of control, and threats to safety.
- The plan should also consider third parties with legitimate need for OT network access, including engineers and vendors.
- Review, test, and update the emergency response plan on an annual basis to ensure accuracy.
- Exercise the ability to fail over to alternate control systems, including manual operation while assuming degraded electronic communications.
- Allow employees to gain decision-making experience via tabletop exercises that incorporate loss of visibility and control scenarios. Utilize resources such as the Environmental Protection Agency’s (EPA) Cybersecurity Incident Action Checklist as well as the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
Safety System Mitigations
- Install independent cyber-physical safety systems. These are systems that physically prevent dangerous conditions from occurring if the control system is compromised by a threat actor.
- Examples of cyber-physical safety system controls include:
  - Size of the chemical feed pump
  - Gearing on valves
  - Pressure switches, etc.
- These types of controls benefit WWS Sector facilities—especially smaller facilities with limited cybersecurity capability—because they enable facility staff to assess systems from a worst-case scenario and determine protective solutions. Enabling cyber-physical safety systems allows operators to take physical steps to limit the damage, for example, by preventing cyber actors, who have gained control of a sodium hydroxide pump, from raising the pH to dangerous levels.
While we have posted the CISA recommendations above, read the full CISA, FBI, EPA, and NSA warning regarding attacks against critical infrastructure water and waste treatment infrastructure as it includes resources and additional reading to help protect your organization against attacks.
Working with a Trusted Partner
For Tech, Financials, Healthcare and other IT-and-engineering-heavy environments, moving towards true Zero Trust is a manageable endeavor. For other verticals it may be more challenging.
Consider the following if choosing a partner or consulting firm to help you on the journey:
- Work Towards 100% Visibility – And Make It Actionable
  - WootCloud has developed a very high-fidelity signal to catch the hard-to-catch details and anomalies. Over 4 years of running in production in leading enterprises, we have eliminated struggles caused by these minute but important errors.
  - We are agentless, so we can see IoMT/IIoT/IoT and unmanaged devices, as well as most everything running in your corporate network.
- Boost Accuracy in Inspection and Analysis – And Again Make It Actionable
  - Our AI/ML has been trained and refined over 4 years, and everything is automated.
  - Predictive and intelligent identification and categorization of devices and their behavior at the Group, Individual, and Operational levels have helped our customers spot behavior-based anomalies early to avoid disasters.
- Work Towards Enterprise-scale Automation and Remediation
  - While visibility, inspection, and analysis are great, none of this can work at any significant scale without automated enforcement.
  - Automatically identifying and eliminating rogue devices to protect your risk posture in moments of compromise, while remaining user-friendly, is critical in the era of demanding user bases, increasing compliance regulations, and IoT/5G/work-from-anywhere megatrends.
Maintaining operational hygiene and intelligent asset management is also critical to modern IT in the age of BYOD and remote procurement.
Our agentless, AI/ML-driven platform identifies, analyzes, and manages device and infrastructure assets automatically to help you close security gaps like those in these Food and Agriculture firms – all in real time – all critical with today’s IoT, 5G, and work-from-anywhere megatrends in full swing.
Leading organizations deploy us, global tech leaders partner with us, and top investors back our vision.
Request a 20-minute demo, specific to your environment today.