Trustwave’s Observations on the Recent Cyberattack on Aliquippa Water Treatment Plant

The attack last week on the Municipal Water Authority in Aliquippa, Penn., which gave threat actors access to a portion of the facility’s pumping equipment, has spurred the Cybersecurity & Infrastructure Security Agency (CISA) and WaterISAC to each issue incident reports, and it has raised multiple questions regarding the site’s security and the potential danger to similar plants.

Trustwave has deep insight into properly protecting operational technology (OT) and critical infrastructure, which we will discuss shortly, but first let’s take a look at what took place.

Background on the Attack

According to Dark Reading, the attack was purportedly conducted by the Iranian-backed group Cyber Av3ngers in response to the ongoing Israel-Hamas war.

The water treatment trade publication, WaterWorld, shared on Nov. 25 that threat actors disabled a programmable logic controller (PLC) at one of the Authority’s booster stations. The attackers only gained access to pumps that regulate pressure to elevated areas of its coverage, and there was no danger to the water supply, WaterWorld reported.

Dark Reading reported that this message appeared on the facility’s computers: “You Have Been Hacked. Down With Israel, Every Equipment 'Made In Israel' Is Cyber Av3ngers Legal Target.”

The Authority’s affected booster station monitors and regulates pressure for, and provides water and wastewater services to, over 6,600 customers in two Western Pennsylvania townships.

Three days after the attack, CISA issued an alert focusing on the Unitronics PLCs used in the Water and Wastewater Systems (WWS) Sector, specifically citing the Aliquippa attack.

“The cyber threat actors likely accessed the affected device—a Unitronics Vision Series PLC with a Human Machine Interface (HMI)—by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet,” CISA wrote.

The WaterISAC also issued an incident report noting that this may not be an isolated incident.

“There have been a few open-source reports about additional incidents with similar characteristics having occurred at other US water and wastewater utilities. WaterISAC is currently attempting to confirm those reports,” WaterISAC said.

Trustwave’s Observations

Nation-state or nation-backed attacks are typically slow-played, exploring and mapping the target’s network before striking. The alleged group Cyber Av3ngers is known for attacks that specialize in exploiting ICS equipment, and it has claimed responsibility for attacks on several water treatment stations in Israel and on other ICS environments.

Frighteningly, most ICS/OT networks run the majority of their PLCs, HMIs, and RTUs with the manufacturer's default passwords, which users sometimes never change. The attackers of the Municipal Water Authority of Aliquippa are thought to have accessed the facility via the Internet using default or weak passwords.

Critical Infrastructure at Risk

Unfortunately, the usual cybersecurity hygiene tasks that normally serve to protect a system, such as changing passwords, enabling MFA, and removing OT devices from the Internet, may no longer be enough to stop the bad actors. Businesses need to develop a strategic security program for their ICS/OT environments that addresses monitoring, incident response, and recovery plans.

First and foremost, a proper inventory program and monitoring of the ICS/OT networks are essential to detect rogue activity within those networks. Without knowing your ICS/OT assets, it becomes difficult to protect the environment from known vulnerabilities and to properly monitor and control it.

The good news is security companies like Trustwave have operational technology (OT) products that will safely identify assets, detect known vulnerabilities, and monitor traffic within the ICS/OT environment. Since traffic within an ICS/OT environment is fairly static, detection of rogue traffic becomes a bit simpler.  
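As an added illustration of the inventory-plus-baseline approach described above (example code written for this post, not Trustwave's product or any code from the original), the following Python detector compares observed flows against a constructed asset inventory and a constructed baseline of expected flows. It flags new inbound connections to OT assets, connections whose source lies outside internal address ranges (the Internet exposure CISA cited), and flows between devices missing from the inventory. All addresses, the port number, and the flow-log format are constructed for the example.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")
# Constructed asset inventory: OT devices we know about and their roles.
INVENTORY = {"10.20.0.10": "PLC (booster station)",
             "10.20.0.11": "HMI (booster station)",
             "10.20.0.50": "engineering workstation"}
# Constructed baseline learned from a quiet period. OT traffic is fairly static,
# so the set of expected flows is small. Port 20000 is illustrative only.
BASELINE = {Flow("10.20.0.11", "10.20.0.10", 20000, "tcp"),   # HMI polls the PLC
            Flow("10.20.0.50", "10.20.0.10", 20000, "tcp")}   # engineer programs the PLC
# Ranges treated as internal; any other source means the device is reachable from outside.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def classify(flow):
    """Reasons an analyst should look at this flow; an empty list means it is expected."""
    if flow in BASELINE:
        return []
    if flow.dst in INVENTORY:
        reasons = [f"new inbound flow to {INVENTORY[flow.dst]}"]
        if is_external(flow.src):
            reasons.append("source is outside internal ranges: device reachable from the Internet")
        return reasons
    if flow.src in INVENTORY:
        return [f"{INVENTORY[flow.src]} started an unexpected outbound flow"]
    return ["neither endpoint is in the inventory: asset inventory may be incomplete"]

def parse_flows(text):
    # Constructed record format: 'src dst dport proto', one flow per line.
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield Flow(parts[0], parts[1], int(parts[2]), parts[3])

def detect(text):
    # Every flow that deviates from the baseline, paired with the reasons.
    return [(f, classify(f)) for f in parse_flows(text) if classify(f)]

# Constructed sample flow log: two expected flows, then three that should be flagged.
SAMPLE_LOG = """\
10.20.0.11 10.20.0.10 20000 tcp
10.20.0.50 10.20.0.10 20000 tcp
203.0.113.7 10.20.0.10 20000 tcp
10.20.0.10 203.0.113.9 443 tcp
10.20.0.77 10.20.0.78 502 tcp
"""
```

Running `detect(SAMPLE_LOG)` returns the last three flows with their reasons; in a real deployment the baseline would be learned from passive monitoring rather than typed in by hand.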

Monitoring the ICS/OT environment 24/7 and understanding asset behavior can be a daunting task. Behaviors within ICS/OT and IT are not the same, so utilizing a co-managed SOC with ICS/OT experience is essential to protecting the environment. 

Without a proper ICS/OT monitoring program, detection of rogue activity can be extremely difficult until the bad happens. Without knowing where or what systems have been compromised, a proper incident response will be hindered and may extend the recovery efforts.

Traditionally, ICS/OT environments lack a proper Incident Response and Recovery Plan. OT Engineers are typically responsible for keeping the OT devices up and running, not eradicating the threat. 

The first 24 hours of an incident will bring confusion, uncertainty, and question upon question. A clear chain of command and proper communication to and from the trenches will keep the response smoother and less chaotic, and will make it faster.

Incident Response isn’t just for the IT Security team; it involves all the key players, from the OT engineer to public relations to the CIO, and everyone in between. However, if the Incident Response and Recovery plan isn’t practiced on a regular basis, the plan is only as good as the paper it’s printed on.

Chances are that at some point, the bad will happen. 

Having a detection and readiness plan will improve the overall RTO and get you back into the game. Trustwave SpiderLabs’ Co-Managed SOC and ICS monitoring solutions can help protect those critical ICS/OT environments.

Our vCISO team can evaluate and construct an effective ICS/OT Incident Response and Recovery plan, and conduct tabletop exercises that rehearse those plans to make them effective.

Lastly, nation-state and nation-state-backed attacks within ICS/OT environments will only continue to increase in frequency. The Russia-Ukraine war sets clear expectations for the level of attacks against critical infrastructure such as utilities (water, power, etc.), telecommunications, manufacturing, farming, and transportation, to name only a few. If you don't have visibility into your ICS networks, now is the time to change that.
