International Water Attack!

On Saturday, November 25th, the OT cybersecurity community was alerted to yet another #cyberincident, this time targeting the US water sector. A small western Pennsylvania water authority was one of several US water treatment operations breached by Iran-affiliated hackers who targeted a specific industrial control device because it is manufactured and supplied by Israel. The group known as CyberAv3ngers, affiliated with Iran’s Islamic Revolutionary Guards Corps (IRGC), claimed responsibility for the attack. The US has designated IRGC a foreign terrorist organization.

The targeted industrial control device regulates pressure, temperature, and fluid flow. Many water treatment facilities as well as other industries, such as energy, food and beverage, and healthcare, use the same equipment and are also potentially vulnerable.

The incident was first detected following a communication failure at a water supply booster station. The initial breach resulted in the defacement of the water authority’s Human-Machine Interface (HMI) screen, rendering it unusable. In response, the water authority immediately shut down the automated system and switched to manual control. Water service and quality were not impacted. 

Subsequent to the first attack, several other water utilities employing the same vendor’s equipment fell victim to similar breaches, fortunately without compromising drinking water quality.

Collaboration between the Cybersecurity and Infrastructure Security Agency #CISA, the National Security Agency #NSA and the Israeli National Cyber Directorate #NCD confirmed that the affected devices were directly exposed to the internet and employed only their default passwords. The agencies noted that the hackers likely accessed affected devices by “exploiting cybersecurity weaknesses, including poor password security and exposure to the internet.” The affected devices ship with a default password, a practice experts discourage as it makes them more vulnerable to hacking. Best practices call for devices to require a unique password to be created out of the box.

This incident underscores the continued vulnerability of critical infrastructure and industrial control systems to relatively low-skill attacks, and the importance of:

• Establishing a comprehensive risk management program capable of identifying vulnerabilities like those exploited in this attack. Radiflow CIARA enables OT operators to perform frequent risk assessments that show them where operations are vulnerable, identifies gaps with security standards and industry best practices, and designates the most cost-effective mitigation measures.
• Avoiding any direct exposure of Industrial Control Systems (ICS) to the internet unless thoroughly justified through risk-driven decision making. Secure remote access technologies, e.g., VPN, should be used wherever possible.
• Not relying on default passwords and credentials, but enforcing the creation of unique ones for all devices.
• Adoption of secure, identity-based asset access for on-prem, remote, and third-party users.
• Implementation of appropriate network segmentation protections to limit the scope of attacks. Radiflow iSID automatically learns ICS network behavior and business processes, and instructs operators on best security practices regarding network segmentation, including zoning according to the widely observed IEC 62443 security standard. 

#Cybersecurity #CriticalInfrastructure #OTSecurity #RiskManagement #ICSSecurity