A cyber attack against a Tampa, FL water treatment plant is the latest reminder that security control of critical infrastructure must continually improve.
According to a report by Reuters, a cyber criminal gained unauthorized access to an employee’s TeamViewer application (remote access and desktop support software)i and then used the access to gain control of systems that administer chemicals to the water supply. Per the nature of TeamViewer, the employee could see this happening in real time (fortunately he was on his computer at the time of the breach) and alerted supervisors who were then able to reverse the command and limit damage. No further details of the attack were provided in the report.
Quick action on the part of the employee and his supervisors ensured that the water treatment plant wasn’t additionally tampered with. And official statements from the facility assure the public that supplemental controls are in place to prevent future damage of this sort. What if, though, this had been a savvier attacker who knew how to circumvent those controls? This is not some far-fetched SciFi fantasy. This is the reality critical infrastructure (CI) companies must face.
The number of connected devices and systems in CI is increasing all the time, thereby increasing digital risk. This is no different than any other company’s attack surface. The bigger risk with CI, though, is the digitization of traditional industrial control system (ICS) and SCADA networks, systems not historically connected to typical IT networks. Nonetheless, despite the fact that operational technology (OT) cannot or cannot easily be managed, measured, or monitored with traditional IT and security tooling, the IT/OT convergence has already occurred. This presents both risk and opportunity.
Despite any challenges, CI security and operations teams must implement technology and processes that account for the merging and interdependencies of IT and OT systems. They must realize that the exploit of an insecure software deployment can lead to great damage, like excessive lye in the water supply. All the typical cyber threat tactics facing private enterprises and government are also targeting CI—malware/ransomware, escalation of privileges, social engineering, botnets, denial of service. The risks of a missed control are higher, however, when human life is involved—that is to say, when a water supply facility, hospital, transportation authority, or like entity is the target of attack.
Tried and true processes
Though stakes change, the process for protecting CI is similar for every organization. Every attack starts by exploiting the easiest vulnerability—the lowest common denominator—whether that’s insecure software, gaps in controls, or human error. To prevent compromise, organizations must lay the foundation of cyber security by starting with identifying, testing, and improving access controls, authorizations, and permissions. A compromised device, as was the case with the Florida water treatment plant, should not result in an attacker’s ability to affect chemical levels via manipulation of OT.
Access to a device should not offer carte blanche access to every system, program, or connected piece of software or hardware. Contextual and conditional access should be the rule, especially for high-risk systems. Behavioral monitoring, too, will mitigate risk when an attacker asks a system to do something outside the baseline or beyond restrictions. These steps are all part of a zero trust architecture based on workflows and functions.
Organizations need strategies, tactics, and tools that proactively prevent unauthorized access to resources. Access is the nexus of cyber security control. It is, for certain, not the only layer of security that must be applied, but it’s the best place to start. Realizing that determined attackers will find their way into organizations’ networks regardless of endpoint controls, regulating access and the ability to interact with resources—whether that’s human to machine or machine to machine access—are crucial elements of the cyber security plan.
Systems properly protected with a zero trust framework that covers access controls, authorizations, permissions, behavioral monitoring, and, maybe most importantly context, are the key to preventing compromises like one TeamViewer wrought. It’s a simple concept, though one we know is often difficult to deploy. But that doesn’t mean you shouldn’t start somewhere. Why not access?
