By Ghian Oberholzer, Regional Vice President of TechOps – APAC, Claroty
On April 24 and 25, Israeli media reported a series of co-ordinated cyber attacks on the command and control systems of wastewater treatment plants, pumping stations and sewage infrastructure operated by multiple municipal councils.
Israel’s National Cyber Directorate issued a statement confirming the attempted attacks and immediately made contact with the organisations affected by them, ordering them to change their network passwords, reduce their network connections and ensure all control software was updated to the latest version.
There appeared to have been particular concern over the systems related to chlorine control, due to risk of potential water contamination. Operators were told to pay specific attention to the systems responsible for adding chlorine to drinking wells, and organisations operating the wells were asked to respond and update promptly on their status.
The Directorate issued a subsequent statement saying that while the incident was coordinated, there appeared to have been no damage.
Without detailed knowledge of the attack, it is difficult to say whether this was a highly sophisticated attack that the operators could not reasonably have been expected to anticipate and pre-empt. Nor is it possible to determine whether a security flaw was responsible for the attackers’ access, or how much damage a successful attack could have caused.
However, this attack — the latest of many on critical infrastructure — illustrates the need for comprehensive and sophisticated cyber security practices, policies, and technology to protect critical infrastructure.
Water infrastructure in particular often eludes the public’s attention as a major source of cyber risk, yet it remains susceptible to both targeted and non-targeted threats.
A recent paper titled 10 Cyber Security Challenges: The Israeli Water Sector Example, published in Cyber-Physical Security: Protecting Critical Infrastructure at the State and Local Level, explores Israel’s awareness of the risk to the water sector as well as its risk mitigation measures.
Modern water treatment systems comprise multiple subsystems and components that are continuously monitored by supervisory control and data acquisition (SCADA) systems, which are connected to central information management systems for data analysis and control. All of this interconnectivity creates additional risks for operators and new opportunities for anyone with a motive to disrupt operations[1].
For example, in 2000, a disgruntled ex-employee of the company that had supplied control system technology to Maroochy Shire’s sewage system in Queensland used that knowledge and equipment to access the system and repeatedly caused millions of litres of raw sewage to spill out into local parks and rivers[2].
Water treatment is a critical part of society’s infrastructure but, unlike other critical infrastructure such as electricity and transport systems, it is often owned and operated by local authorities. This factor, combined with continued reliance on legacy systems and increasing connectivity between information technology (IT) and operational technology (OT) networks, warrants a high prioritisation of cybersecurity for the water and wastewater sectors on a global level.
As IT networks converge with OT networks, the OT side becomes increasingly exposed to, and accessible by, the global community of cyber criminals. This means owners and operators of water infrastructure need to be perpetually vigilant against account compromises that might grant an attacker direct access to industrial control systems.
Operators of OT systems, and especially those monitoring critical infrastructure, need a granular level of visibility to detect not only latent threats on the network, but also anomalies that might indicate a threat or make the network vulnerable to even novice hackers. Misconfigurations and known vulnerabilities effectively lower the barriers to entry for threat actors and increase the risk of exploitation.
Operators need to be especially aware of any third-party vendors that have access to their networks: the operator typically has neither knowledge of nor control over the security posture of those vendors’ own networks and devices, yet a compromise there can be carried straight into the plant.
The security and reliability of critical infrastructure—such as water, power, and telecommunications—is more essential than ever amid the current global pandemic. To adequately secure their infrastructure, these organisations need robust cyber security policies and technologies that give comprehensive protection without being overly complex or difficult to operate.
Fortunately, there are readily available security tools designed specifically for OT environments that can passively inspect network traffic, identify every connected device, and determine whether its software and firmware are current. These tools enable security professionals first to map the communication pathways between all connected assets, and then to monitor that communication continuously to establish a baseline of normal behaviour and flag any deviation, such as a new device, a new pathway, or a new type of command on a known pathway, that might indicate compromise.
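The following is an added example, not code from the article or from any Claroty product, showing the baselining logic described above in its simplest form. It assumes flow records have already been decoded into (source, destination, port, protocol function) tuples by some upstream parser; the addresses, the Modbus function labels, and the learning-window and live traffic below are all constructed for illustration.

```python
from collections import namedtuple

# One decoded OT conversation. "function" is the protocol-level operation
# (here Modbus/TCP function names) as a hypothetical upstream parser would
# label it; a real tool derives this by deep packet inspection.
Flow = namedtuple("Flow", "src dst port function")

# Constructed learning-window traffic (not captured from any real plant):
# an HMI polls two PLCs, and an engineering workstation both reads from
# and writes to the chlorine-dosing PLC.
BASELINE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 502, "read_holding_registers"),  # HMI -> dosing PLC
    Flow("10.0.1.10", "10.0.2.21", 502, "read_holding_registers"),  # HMI -> pump PLC
    Flow("10.0.1.11", "10.0.2.20", 502, "read_holding_registers"),  # EWS -> dosing PLC
    Flow("10.0.1.11", "10.0.2.20", 502, "write_single_register"),   # EWS -> dosing PLC
]


class Baseline:
    """Three layers of 'normal' learned from observed traffic:
    which assets exist, which (src, dst, port) pathways they use,
    and which functions travel over each pathway."""

    def __init__(self, flows):
        self.assets = set()
        self.pathways = set()
        self.behaviours = set()
        for f in flows:
            self.assets.update((f.src, f.dst))
            self.pathways.add((f.src, f.dst, f.port))
            self.behaviours.add(f)


def classify(baseline, flow):
    """Return 'normal' or the most severe reason the flow deviates.
    Checks run from coarse to fine so an unknown host is reported as
    such rather than as merely a new pathway."""
    if flow.src not in baseline.assets or flow.dst not in baseline.assets:
        return "unknown_device"
    if (flow.src, flow.dst, flow.port) not in baseline.pathways:
        return "new_pathway"
    if flow not in baseline.behaviours:
        return "new_function"
    return "normal"


def detect_deviations(baseline, flows):
    """Return (reason, flow) pairs for every flow that breaks the baseline,
    preserving the order in which they were observed."""
    alerts = []
    for f in flows:
        reason = classify(baseline, f)
        if reason != "normal":
            alerts.append((reason, f))
    return alerts


# Constructed live traffic after the learning window closes.
LIVE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 502, "read_holding_registers"),   # routine HMI polling
    Flow("10.0.1.10", "10.0.2.20", 502, "write_single_register"),    # HMI has only ever read
    Flow("10.0.1.11", "10.0.2.21", 502, "write_single_register"),    # EWS never spoke to pump PLC
    Flow("192.168.50.5", "10.0.2.20", 502, "write_single_register"), # never-seen host writes to dosing PLC
]

BASELINE = Baseline(BASELINE_FLOWS)

if __name__ == "__main__":
    for reason, f in detect_deviations(BASELINE, LIVE_FLOWS):
        print(f"{reason:15} {f.src} -> {f.dst}:{f.port} {f.function}")
```

The point of the layered check is that the most dangerous case on this page, a write to the chlorine-dosing controller from a host nobody has ever seen, is surfaced with the clearest label, while a known workstation issuing a command it never issued before is still caught even though every address involved is legitimate. In practice the learning window must be long enough to cover scheduled maintenance traffic, or routine vendor sessions will show up as alerts.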
Ghian Oberholzer is Regional Vice President, Technical Operations at Claroty, an industrial cybersecurity company. He previously served as Global Principal Cyber Security OT at BHP and is based in Perth, Australia.
[1] 10 Cyber Security Challenges: The Israeli Water Sector Example, in Cyber-Physical Security: Protecting Critical Infrastructure at the State and Local Level, 2016.
[2] Protecting Water Supply Critical Infrastructure: An Overview, 2014.