On Saturday, November 25th, the OT cybersecurity community was alerted to yet another #cyberincident, this time targeting the US water sector. A small western Pennsylvania water authority was one of several US water treatment operations breached by Iran-affiliated hackers who targeted a specific industrial control device because it is manufactured and supplied by Israel. The group known as CyberAv3ngers, affiliated with Iran’s Islamic Revolutionary Guards Corps (IRGC), claimed responsibility for the attack. The US has designated IRGC a foreign terrorist organization.
The targeted industrial control device regulates pressure, temperature, and fluid flow. Many water treatment facilities as well as other industries, such as energy, food and beverage, and healthcare, use the same equipment and are also potentially vulnerable.
The incident was first detected following a communication failure at a water supply booster station. The initial breach resulted in the defacement of the water authority’s Human-Machine Interface (HMI) screen, rendering it unusable. In response, the water authority immediately shut down the automated system and switched to manual control. Water service and quality were not impacted.
Following the first attack, several other water utilities using the same vendor's equipment suffered similar breaches, again without any impact on drinking water quality.
Collaboration between the Cybersecurity and Infrastructure Security Agency #CISA, the National Security Agency #NSA and the Israeli National Cyber Directorate #NCD established that the affected devices were reachable directly from the internet and were still using the vendor's default password. The agencies noted that the hackers likely accessed affected devices by “exploiting cybersecurity weaknesses, including poor password security and exposure to the internet.” In other words, no software flaw had to be exploited: the devices ship with a default password, a practice experts discourage because anyone who knows that password and can reach the device can log in. Best practice is for a device to force the operator to set a unique password out of the box.
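One way to turn those two findings into a routine check, as an added example that is not part of the original post or of any agency guidance: the Python below scans a constructed firewall accept log for sessions that reached inventoried OT devices from outside the operator's own address ranges, and separately flags inventoried devices still set to a vendor default password. Device names, addresses, the port number, the log format and the default-password list are all assumed placeholders, not values from the incident.

```python
"""Check an OT inventory for the two weaknesses named in the advisory:
reachable from the internet, and still using a vendor default password.

Added example for this post, not the original author's or any agency's
tooling. Every device name, address, port and password below is a
constructed placeholder.
"""
import ipaddress
import re

# Constructed inventory: OT-side address and the credential currently set
# on each device (hypothetical values, not any vendor's real defaults).
INVENTORY = {
    "booster-plc-1": {"ip": "10.20.30.5", "password": "1111"},
    "booster-plc-2": {"ip": "10.20.30.6", "password": "Kx9!pT2#vLq4"},
    "chem-feed-hmi": {"ip": "10.20.30.7", "password": "Rw7@mZ3#hB1s"},
    "ro-skid-plc":   {"ip": "10.20.30.8", "password": "1111"},
}

# Hypothetical default-password list; build yours from the vendor manual.
DEFAULT_PASSWORDS = {"1111", "admin", "password"}

# Your own address space, listed explicitly rather than relying on
# ipaddress's is_global, which also treats the TEST-NET documentation
# ranges used as "internet" sources below as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log. 20256 stands in for whatever management or
# programming port your PLCs listen on; it is not taken from the post.
FIREWALL_LOG = """\
2023-11-25T03:14:07Z action=accept proto=tcp src=203.0.113.45 dst=10.20.30.5 dport=20256
2023-11-25T03:14:09Z action=accept proto=tcp src=10.20.40.12 dst=10.20.30.6 dport=20256
2023-11-25T03:15:31Z action=accept proto=tcp src=198.51.100.8 dst=10.20.30.7 dport=20256
2023-11-25T03:16:02Z action=deny proto=tcp src=203.0.113.45 dst=10.20.30.6 dport=20256
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def is_internal(ip: str) -> bool:
    """True if ip falls inside one of our own address ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list[dict]:
    """Parse key=value firewall lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def internet_exposed_devices(inventory: dict, events: list[dict]) -> dict:
    """Map device name -> [(timestamp, source, dport)] for every *accepted*
    session that reached an inventoried device from outside INTERNAL_NETS.
    Denied sessions and internal sources are ignored."""
    by_ip = {d["ip"]: name for name, d in inventory.items()}
    hits: dict[str, list] = {}
    for e in events:
        if e["action"] != "accept" or e["dst"] not in by_ip:
            continue
        if is_internal(e["src"]):
            continue
        hits.setdefault(by_ip[e["dst"]], []).append((e["ts"], e["src"], e["dport"]))
    return hits


def default_credential_devices(inventory: dict, defaults: set) -> list[str]:
    """Devices whose configured password is still a known default."""
    return sorted(name for name, d in inventory.items() if d["password"] in defaults)


def assess(inventory: dict, events: list[dict], defaults: set) -> dict:
    """Combine both checks: device name -> list of weaknesses found."""
    exposed = internet_exposed_devices(inventory, events)
    weak = set(default_credential_devices(inventory, defaults))
    findings = {}
    for name in inventory:
        issues = []
        if name in exposed:
            issues.append("internet-exposed")
        if name in weak:
            issues.append("default-password")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for device, issues in assess(INVENTORY, parse_log(FIREWALL_LOG), DEFAULT_PASSWORDS).items():
        print(f"{device}: {', '.join(issues)}")
```

Run daily over the previous day's firewall log and the current device inventory, the two checks answer the advisory's questions directly. Note that the exposure check keys on an accepted session from an address you do not own, regardless of port: a device that answers on any port from the internet is exposed, and a device whose only hits are denies is not.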
This incident underscores the continued vulnerability of critical infrastructure and industrial control systems to relatively low-skill attacks, and the importance of:
Restricting OT network and device exposure to the internet and hardening every device, starting with replacing default passwords
Harmonizing risk and consequence strategies across IT and OT environments for greater cyber resilience
#Cybersecurity #CriticalInfrastructure #OTSecurity #RiskManagement #ICSSecurity