How to protect our critical infrastructure from attack
On Feb. 2, the largest ever compilation of breached usernames and passwords was leaked online. Known as COMB, it contained 3.2 billion unique email/password pairs, including the credentials for the Oldsmar water plant in Florida.
Three days later an unknown attacker entered Oldsmar’s computer systems and attempted to manipulate the pH in the city’s water to dangerously high acidic levels by increasing sodium hydroxide (lye) by 100 times. Although the attack was foiled and the lye levels returned to normal, the incident highlighted the ease with which cybercriminals are increasingly able to target critical national infrastructure (CNI).
In this particular case it was thought that the attacker managed to get into Oldsmar’s systems via the plant’s TeamViewer software which allows supervisors to access the system remotely. “As recently as August 2020, our analysts identified several high-risk vulnerabilities and exposures publicly associated with TeamViewer,” claims Evan Kohlmann, chief innovation officer of threat intelligence platform Flashpoint. “This includes an example allowing a malicious website to launch TeamViewer with arbitrary parameters, capturing the victim’s password hash for offline password cracking.”
However, the problem isn’t unique to TeamViewer. As far back as 2013 the Department of Homeland Security (DHS) confirmed that an Iranian hacker group known as “SOBH Cyber Jihad” accessed computer systems controlling the Bowman Avenue Dam in New York at least six times, accessing sensitive files containing usernames and passwords. Similarly, in 2015 and 2016 Ukraine suffered a series of attacks on its power grids believed to be the work of a Russia-sponsored advanced persistent threat group called Sandworm, which left 225,000 Ukrainians in sustained blackouts for several hours at a time.
In July 2020, a CyberNews investigation highlighted just how easy it would be for an attacker to get into critical US infrastructure via unsecured industrial control systems (ICS). This, it claimed, could be done simply by attackers using search engines and tools dedicated to scanning all open ports and remotely taking control. Explains CyberNews Senior Researcher Edvardas Mikalauskas: “Our research has previously highlighted that many ICS panels in the US are critically unprotected and easily accessible to threat actors. The most vulnerable infrastructure appears to belong in the energy and water sector.”
Security vs. Safety Dilemma
Indeed, in its recently published CNI Cyber Report: Risk and Resilience, Bridewell said there is a massive gap between the perceived threat of a cyberattack and the actual threat to CNI. While 78% of organizations are “confident” that their OT (operational technology) is protected from cyberthreats — and 28% very confident — it seems CNI is facing a “cyber siege.” According to Bridewell’s research of 250 UK IT and security decision-makers across five key CNI sectors (aviation, chemicals, energy, transport and water), 86% of organizations have detected cyberattacks on their OT/ICS environments in the last 12 months, with nearly a quarter (24%) experiencing between one and five successful attacks. Water and transport have been the sectors which have experienced the most successful attacks. Similarly, IBM reported a 2000% increase in cyber security incidents targeting OT in 2019, most of them involving Echobot IoT malware (download IBM’s annual X-Force Threat Intelligence Index here).
To read the complete article, visit Dark Reading.