On the 5th of February 2021, a US drinking water treatment facility in Florida (USA) was compromised. Unidentified cyber-attackers managed to gain access to the supervisory control and data acquisition (SCADA) system and increased caustic chemical dosing levels in the plant process. While an attack like this can have severe and far-reaching consequences, in this particular case, operators were able to detect the changes preventing significant impact.
In this instance, as published in a variety of trusted sources, the attacker appears to have entered the system by researching the plant and personnel who worked there, followed by the exploitation of user details to gain access to a remote desktop tool on an outdated Windows 7 system connected to the SCADA system. Using the remote desktop tool, they significantly increased chemical dosing levels. The remote desktop tool was not being monitored, and there were no audit logs available for quick recovery or identification of the true damage done. The only preventative measure was a keen-eyed plant operator, who managed to identify the drastic increase in the chemical dosing levels.
Attacks on industrial control systems (such as SCADA systems) occur, in large part, due to the lack of cybersecurity present on the outdated technology these systems commonly run on. From available reports, it is evident that some of the vulnerabilities exploited in this attack are similar to other industrial attacks in recent years. Here is a summary of the vulnerabilities exploited in this attack.
Weak Operating Systems
Due to the unique nature of control and monitoring software used at industrial plants, coupled with lack of skilled IT staff, the costs to upgrade software and shut-down plants to update operating systems can be significant. Furthermore, while Windows operating systems are adequate for many business processes, they are not always optimal for remote, unattended, sensitive and/or critical industrial systems. Other operating systems, such as Linux, have proven to be more resilient in such applications.
Poor Password Security
Passwords in distributed and/or remote industrial systems can be extremely difficult to secure and manage. When compounded with brute-force attacks, social engineering, insecure browsers and just plain simple user mismanagement, vulnerabilities can rapidly appear. These are very common and difficult to protect against. In contrast, the use of a PKI infrastructure that uses digital certificates can allow administrators to simultaneously identify, authenticate and encrypt broad system users. Multi-factor authentication can also provide an additional layer of protection.
Legacy Remote Desktop Tools
Working remotely to operate, diagnose and maintain industrial plants is a basic need in most plants today. Such access enables experienced technicians and engineers to work on critical equipment from a distance. Unfortunately, many of the legacy tools including Virtual Private Networks (VPN), Virtual Network Computing (VNC), Remote Desktop Protocol (RDP) and many more such systems, can create a variety of serious security and operational risks. Many of these systems can open ports in firewalls creating entry points in many plants. In other systems, user access control is very poor when it involves large workforces or asset portfolios. Sometimes these systems can provide access to the whole plant network, when the user only really needs access to specific machines within a network or plant. Finally, these tools rarely come with adequate, security grade logging functions. Without this, it is near impossible detect unauthorised access to a plant.
Lack of Auditing and Logging Tools
Industrial automation and control systems do not typically have the IT infrastructure and systems required for comprehensive management. Most concerning from a security perspective is that these industrial systems do not generally have capability for auditing or logging events that occur through the many interconnected machines. To enhance cybersecurity standards, it is imperative to log as many of the commands and actions. If this is stored in an immutable log, cybersecurity forensics specialists can detect irregular activities and possibly network intrusions. This capability is essential if one is to minimise the time from intrusion to detection, and respond adequately to unauthorised activity.
Inability to Update Software
Industrial hacking events are increasing rapidly, if not exponentially. To stay one step ahead of cyber-attackers, an effective security system requires that the latest available software patches and security updates be applied to all industrial controllers, gateways and machinery. Ideally, this means that updating of industrial software be done automatically. What makes this hard, is that common industrial systems do not have the ability to remotely deploy these updates, resulting in software patches not been done at all. Industrial asset owners should consider the methods and tools that enable remote software patching in plants and machinery.
Interested to find out how you can apply these cybersecurity techniques?
Ardexa cybersecurity systems include:
- Intelligent agent to facilitate secure connections
- Secure remote working tools and tunnels, that replace legacy tools
- Message-based infrastructure to support logging of key events and commands
- Digital certificates for all plant devices under a PKI framework
- Remote monitoring and maintenance capabilities
- Immutable audit logs
- Edge and cloud managed software for regular software patching
- Modern cloud-enabled infrastructure, utilising modern secure components
- Advanced scanning tools to detect vulnerabilities in remote networks