Hackers have recently tampered with critical infrastructure entities in the US, including the Colonial Pipeline incident that disrupted the supply of gasoline and the JBS Foods hack that disrupted operations at the meat-packing giant. Neither of these ransomware attacks had severe, real-world consequences: some people could not fill up their cars for a few days, and the price of meat may have gone up in some areas, but no lives were immediately threatened.
But what if the hackers decided to attack something a little more important? Say, the drinking water systems that we quite literally cannot live without for more than a week? According to a report by the Water Sector Coordinating Council (WSCC), the bulk of the roughly 52,000 drinking water systems in the US have not completed an inventory of their IT systems.
The WSCC surveyed 606 employees of water treatment facilities and found that only 37.9% had identified all IT networked assets, with a further 21.7% working toward that goal. As for operational technology (OT), just 30.5% had identified all OT-networked assets, with an additional 22.5% working to do so.
According to reporting by Brian Krebs: "Identifying IT and OT assets is a critical first step in improving cybersecurity. An organization cannot protect what it cannot see." Krebs also notes that it is hard to identify threats you are not looking for: 67.9% of water systems reported no security incidents in the last month, a fairly unlikely figure given how few of them can see all of their assets.
There have been a few recent attacks on treatment facilities, and most of them trace back to a failure to properly secure employee accounts that can be used for remote access. As Krebs writes: "In April 2021, federal prosecutors unsealed an indictment against a 22-year-old from Kansas who's accused of hacking into a public water system in 2019. The defendant in that case is a former employee of the water district he allegedly hacked."
In February 2021, we learned that someone hacked into the water treatment plant in Oldsmar, Fla., and briefly increased the amount of sodium hydroxide (a.k.a. lye, used to control the acidity of the water) to 100 times the normal level. We conducted a webinar on this attack back in April of this year. That incident was initiated with stolen or leaked employee credentials for TeamViewer, a popular program that lets users remotely control their computers.
In January 2021, a hacker tried to poison a water treatment plant that serves parts of the San Francisco Bay Area. The hacker in that case also had the username and password for a former employee's TeamViewer account. Sound familiar?
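The common thread in the Kansas and Bay Area cases is a remote-access account that outlived the employee it belonged to. The script below is an added example (not Red Sky Alliance tooling, and not code from any of the incidents or the WSCC report) of the check that catches that: it reconciles an exported list of remote-access accounts against the HR roster and flags accounts whose owner has left, accounts used after the owner's end date, shared accounts with no individual owner, and accounts nobody has logged into for a long time. The account list, the roster, and the 90-day stale threshold are constructed sample data and assumptions.

```python
"""Reconcile remote-access accounts against the HR roster.

Added example, not code from the original post or from any vendor.
All data below is constructed sample data for illustration.
"""
from datetime import date, datetime

# Constructed sample: an export of remote-access accounts (the kind of
# list a TeamViewer-style tool or a VPN concentrator can produce).
REMOTE_ACCESS_ACCOUNTS = [
    {"account": "jdoe",      "employee_id": "E100", "last_login": "2021-06-20"},
    {"account": "rsmith",    "employee_id": "E101", "last_login": "2021-03-10"},
    {"account": "plant-ops", "employee_id": None,   "last_login": "2021-06-21"},
    {"account": "tbrown",    "employee_id": "E103", "last_login": "2020-11-15"},
]

# Constructed sample: HR roster keyed by employee id.
HR_ROSTER = {
    "E100": {"status": "active",     "end_date": None},
    "E101": {"status": "terminated", "end_date": "2021-02-01"},
    "E103": {"status": "active",     "end_date": None},
}

STALE_DAYS = 90  # assumption: an account unused this long should be disabled


def _to_date(value):
    """Accept either an ISO date string or a date object."""
    if isinstance(value, date):
        return value
    return datetime.strptime(value, "%Y-%m-%d").date()


def audit_accounts(accounts, roster, today, stale_days=STALE_DAYS):
    """Return a list of (account, reason) findings for the given day."""
    today = _to_date(today)
    findings = []
    for acct in accounts:
        name = acct["account"]
        emp = acct["employee_id"]
        last = _to_date(acct["last_login"])

        if emp is None:
            # A shared account cannot be tied to a person, so a leaked
            # password is unattributable and rarely rotated on departure.
            findings.append((name, "no individual owner"))
        elif emp not in roster:
            findings.append((name, "owner not in HR roster"))
        elif roster[emp]["status"] != "active":
            end = roster[emp]["end_date"]
            reason = f"owner terminated {end}"
            if end and last > _to_date(end):
                # Activity after the end date is the former-employee pattern
                # seen in the incidents above.
                reason += f"; used after termination ({last})"
            findings.append((name, reason))

        idle = (today - last).days
        if idle > stale_days:
            findings.append((name, f"unused for {idle} days"))
    return findings


def run_sample(today="2021-06-30"):
    """Run the audit over the constructed sample data."""
    return audit_accounts(REMOTE_ACCESS_ACCOUNTS, HR_ROSTER, today)


if __name__ == "__main__":
    for account, reason in run_sample():
        print(f"{account}: {reason}")
```

On the sample data the active, recently used account (jdoe) produces nothing; the terminated employee's account shows both a post-termination login and a long idle period, the shared plant-ops account is flagged for having no owner, and tbrown is flagged as stale. Feeding the real export and roster into `audit_accounts` on a schedule turns the offboarding gap behind these incidents into a routine finding.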
America's Water Infrastructure Act of 2018 requires utilities serving between 3,300 and 50,000 residents to complete a cybersecurity risk and resilience assessment by the end of this month. A former manager of remote access systems for the Massachusetts Water Resources Authority says the share of larger facilities compliant with the Act is roughly equal to the share of utilities that have inventoried all of their IT, about 37%. What is concerning is that a large portion of the facilities in the US serve fewer than 3,300 residents, meaning they do not have to report their cybersecurity practices to the Environmental Protection Agency: "A large number of utilities, probably close to 40,000 of them, are small enough that they have not been asked to do anything. Some of those utilities are doing 'some' cybersecurity based on self-motivation rather than any requirement."
Many facilities have no access to a cybersecurity workforce and cannot afford to pay consultants. In addition, these utilities are struggling to maintain and replace aging infrastructure, maintain revenues while addressing affordability, and comply with safe and clean water regulations.
The report argues that these water treatment facilities need more funding at the federal and state level. Thirty-eight percent of the facilities allocate less than 1% of their annual budget to cybersecurity.
Regardless of funding, employees also need to be trained in basic cybersecurity practices so that credentials cannot be so easily stolen, and accounts that can reach the plant remotely need to be disabled the day the employee leaves. So, what is that funny taste in my tap water?
Red Sky Alliance is in New Boston, NH, USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org.
Interested in a RedXray subscription to see what we can do for you? Sign up here: https://www.wapacklabs.com/RedXray