Earlier this year news rapidly spread about a cyberattack on the water treatment system in Oldsmar, Florida, after an attacker gained access to the network controlling the plant via a remote desktop application. The attacker used this access to try to change the chemical composition of the city’s water supply. It was a potential catastrophe, stopped only because an eagle-eyed employee noticed the intruder at work and reversed the change before the water supply was materially affected.
It was an attack that made headlines around the world and is notable for the openness with which it was dealt with. Pinellas County Sheriff Bob Gualtieri held a press conference to discuss the attack that could have caused so much damage to the city’s water supply.
“This type of hacking of critical infrastructure is not necessarily limited to just water supply systems. It can be anything - it could be sewer systems, it could be a whole variety of things -- it could really be problematic,” Gualtieri said.
“We want to make sure that we're paying close attention to all of it because it's not just an accident when you're taking it from 100 parts per million to 11,100 parts per million with a caustic substance.”
Learning the lessons
This was followed swiftly by a joint advisory from the FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC), the Environmental Protection Agency, and the Cybersecurity and Infrastructure Security Agency (CISA), alerting similar bodies that attackers could use the same weaknesses exploited in Florida to reach other cyber-physical systems.
“The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system,” the guidance says.
“Early information indicates it is possible that a desktop sharing software, such as TeamViewer, may have been used to gain unauthorized access to the system, although this cannot be confirmed at present date.”
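The advisory points at weak passwords, an outdated operating system and desktop-sharing software as the likely way in. One check a utility can run today is to audit who has actually been connecting to the control workstation through that software. The following is an added example, not code from the original article or from the advisory: a small Python detector that scans incoming-connection log lines and flags remote sessions from IDs that are not on an allow-list, or that started outside an approved maintenance window. The log lines are constructed, and the tab-separated layout (remote ID, display name, start, end, local user, connection type, connection GUID) is assumed to resemble TeamViewer's Connections_incoming.txt; confirm the exact field order against a real file before relying on it.

```python
"""Flag suspicious inbound remote-desktop sessions in a TeamViewer-style log.

Constructed example: the log lines below are made up, and the field layout is
assumed to resemble TeamViewer's Connections_incoming.txt (verify before use).
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log (tab-separated). Line 1 is a known contractor during
# the day, line 2 is an unknown ID, line 3 is the contractor at 2 a.m.
SAMPLE_LOG = (
    "123456789\tContractor-Laptop\t01-02-2021 09:02:11\t01-02-2021 09:17:40"
    "\tOPERATOR\tRemoteControl\t{11111111-1111-1111-1111-111111111111}\n"
    "987654321\tUnknown\t05-02-2021 13:30:05\t05-02-2021 13:35:10"
    "\tOPERATOR\tRemoteControl\t{22222222-2222-2222-2222-222222222222}\n"
    "123456789\tContractor-Laptop\t05-02-2021 02:14:00\t05-02-2021 02:20:00"
    "\tOPERATOR\tFileTransfer\t{33333333-3333-3333-3333-333333333333}\n"
)

# Assumed allow-list of remote IDs permitted to connect to the control station.
ALLOWED_IDS = {"123456789"}
# Assumed maintenance window during which remote access is expected.
MAINTENANCE_WINDOW = (time(7, 0), time(18, 0))

TIMESTAMP_FMT = "%d-%m-%Y %H:%M:%S"


@dataclass
class Session:
    remote_id: str
    remote_name: str
    start: datetime
    end: datetime
    local_user: str
    kind: str


def parse_line(line: str) -> Session:
    """Parse one tab-separated log line into a Session (first six fields)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        raise ValueError(f"unexpected field count in line: {line!r}")
    remote_id, remote_name, start, end, local_user, kind = fields[:6]
    return Session(
        remote_id=remote_id,
        remote_name=remote_name,
        start=datetime.strptime(start, TIMESTAMP_FMT),
        end=datetime.strptime(end, TIMESTAMP_FMT),
        local_user=local_user,
        kind=kind,
    )


def suspicious_reasons(session: Session, allowed_ids, window) -> list:
    """Return the list of reasons a session looks suspicious (empty if clean)."""
    reasons = []
    if session.remote_id not in allowed_ids:
        reasons.append("remote ID not on allow-list")
    window_start, window_end = window
    if not (window_start <= session.start.time() <= window_end):
        reasons.append("session started outside maintenance window")
    return reasons


def scan(log_text: str, allowed_ids=ALLOWED_IDS, window=MAINTENANCE_WINDOW):
    """Scan a whole log; return (remote_id, start ISO timestamp, reasons) tuples."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        session = parse_line(line)
        reasons = suspicious_reasons(session, allowed_ids, window)
        if reasons:
            findings.append((session.remote_id, session.start.isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for remote_id, started, reasons in scan(SAMPLE_LOG):
        print(f"{started} remote {remote_id}: {'; '.join(reasons)}")
```

Run against the constructed log, the detector reports the unknown ID's afternoon session and the contractor's 2 a.m. session, and says nothing about the daytime contractor session. The allow-list and window are the two controls the advisory's findings point at: a remote ID nobody recognises is the poor-password or shared-credential case, and an out-of-hours session is the kind an operator only catches by chance, as happened in Oldsmar.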
It’s the kind of prompt reporting of cyber incidents that I advocated in an article last year: just as criminals are increasingly taking a collaborative approach to their work, so too should organizations take a collaborative approach to cyber defense.
Because criminals readily share leaked credentials and exfiltrated data, one intrusion can spawn a flurry of similar attacks in a short space of time. Sharing the details of an attack as early as possible helps organizations with networks similar to the one first targeted shore up their own defenses.
Such transparency is not altogether common, however, as cybersecurity journalist Brian Krebs highlighted in the aftermath of the attack. Krebs notes that smaller utilities are attractive targets because they often have limited IT budgets, let alone dedicated cybersecurity budgets. Their IT teams are heavily under-resourced, and that, coupled with unattended facilities, makes the cyber-physical systems that run those facilities an enticing way in for attackers.
Krebs argues that the issue is not that the Florida attack made the news.
Rather, it is that more organizations aren’t disclosing their own attacks and vulnerabilities with the same degree of transparency.
While federal law requires infrastructure such as water treatment facilities both to conduct risk assessments and to prepare emergency response plans, nothing in those regulations mandates the reporting of cyberattacks. This is in marked contrast to the Securities and Exchange Commission, which requires public companies to disclose their cyber risk exposure. Even that scarcely goes far enough, and many firms pay only lip service to the requirement. Without such legal requirements, the reporting of cyberattacks remains patchy at best.
For instance, when a large water plant fell victim to the Egregor ransomware, the incident was kept under wraps and handled in-house. The plant did share the incident with the FBI and the Water ISAC, but it came nowhere near becoming a press event, and no lessons learned were widely shared with the rest of the industry.
While attacks to date have not been potent enough to put public health and safety at risk, the financial motivation of attackers surely makes that only a matter of time. Many in the industry worry that disclosing attacks will reveal vulnerabilities for other attackers to exploit.
The Water ISAC says that many utilities are extremely reluctant to put attack information into the public domain, or even to have it in any kind of database that could itself become public. Indeed, it was only the Florida sheriff’s decision to hold a press conference that meant the public knew about the attack at all. The information-sharing pipeline is a malfunctioning one, and it’s a malfunction that makes future attacks of this nature all the more likely.