Water-utility hack could inspire more intruders
If past cyberattacks are any indication, success begets imitation. In the wake of last week’s hack of Florida water utility, other water utilities and users of remote desktop software would be wise to shore up defenses, experts say.
The attack on the water treatment system in the small town of Oldsmar, Fla., lacked technical sophistication, showed no insider knowledge of the system, and had all the hallmarks of a hacker joyride through a critical system.
Yet the fact that an unsophisticated attacker compromised a system, changed the chemical mix for treating the water, and could have potentially harmed people will likely have a ripple effect and attract more attackers to test the cybersecurity of municipal water systems, says Padraic O’Reilly, co-founder and chief of product for CyberSaint, an IT risk management firm.
“We don’t care whether it is a joy ride or not because now people know it’s possible,” he says. “It does not matter whether it’s a nation-state, because that is just guessing at this point. But what you are signaling to bad actors is that this is possible and maybe too easy to do.”
Cyberattackers tend to go where there are demonstrated vulnerabilities, researchers say. In 2017, for example, independent research groups identified significant vulnerabilities in the Intel processor, dubbed Meltdown and Spectre. Over the next two years, researchers found numerous variations of the vulnerability class in processors from Intel and other chipmakers.
Previous attack trends have also demonstrated a link between successful exploitation of vulnerabilities and attacker interest. Vulnerabilities in OpenSSL server software — commonly known as Heartbleed — led to widespread scanning for vulnerable systems and attacks. In addition, specific attacks — such as the US-Israeli Stuxnet attack on Iran’s uranium processing capability — arguably led to an escalation in nation-state-level cyber operations.
The water utility sector, which includes facilities that treat drinking water or process waste water, or both, has taken the threat seriously but does have work to do, says Michael Arceneaux, managing director of the WaterISAC, an information sharing and analysis center (ISAC) for such water utilities.
To read the complete article, visit Dark Reading.