Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Trustwave’s Observations on the Recent Cyberattack on Aliquippa Water Treatment Plant

The attack last week on the Municipal Water Authority in Aliquippa, Penn., that gave threat actors access to a portion of the facility’s pumping equipment has spurred the Cybersecurity & Infrastructure Security Agency (CISA)and WaterISAC to each issue incident reports and raised multiple questions regarding the site’s security and potential danger to similar plants.

 

Trustwave has deep insight into properly protecting operational technology (OT) and critical infrastructure, which we will discuss shortly, but first let’s take a look at what took place.

 

 

Background on the Attack

 

According to Dark Reading, the attack was purportedly conducted by the Iranian-backed group Cyber Av3ngers in response to the ongoing Israeli-Hamas War.

 

The water treatment trade publication, WaterWorld, shared on Nov. 25 that threat actors disabled a programmable logic controller (PLC) at one of the Authority’s booster stations. The attackers only gained access to pumps that regulate pressure to elevated areas of its coverage, and there was no danger to the water supply, WaterWorld reported.

 

Dark Reading reported this message appeared on the facility’s computers, “You Have Been Hacked. Down With Israel, Every Equipment 'Made In Israel' Is Cyber Av3ngers Legal Target."

 

The Authority’s affected booster station monitors and regulates pressure for, and provides water and wastewater services to over 6,600 customers in two Western Pennsylvanian townships.

 

Three days after the attack, CISA issued an alert focusing on the Unitronics PLCs used in the Water and Wastewater Systems (WWS) Sector, specifically citing the Aliquippa attack.

 

“The cyber threat actors likely accessed the affected device—a Unitronics Vision Series PLC with a Human Machine Interface (HMI)—by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet,” CISA wrote.

 

The WaterISAC also issued an incident report noting that this may not be an isolated incident.

 

“There have been a few open-source reports about additional incidents with similar characteristics having occurred at other US water and wastewater utilities. WaterISAC is currently attempting to confirm those reports,” WaterISAC said.

 

 

Trustwave’s Observations

 

Nation-state or nation-backed attacks are typically slow-played, exploring and discovering their target’s network before striking. The alleged group Cyber Av3ngers is known for its attacks that specialize in exploiting ICS equipment. Cyber Av3ngers have claimed responsibility for several water treatment stations in Israel and other ICS environments.

 

Frighteningly, most ICS/OT networks use the manufacturer's default passwords for the majority of their PLCs, HMI, RTUs which are sometimes left unchanged by the users. The attackers of the Municipal Water Authorly of Aliquippa are thought to have accessed the facility via the Internet using default or weak passwords.

 

 

Critical Infrastructure at Risk

 

Unfortunately, the usual cybersecurity hygiene tasks that normally serve to protect a system, such as changing passwords, enabling MFA and removing OT devices from the Internet, may no longer be enough to stop the bad actors. Businesses need to develop a strategic security program for their ICS/OT Environments that addresses monitoring, incident response, and recovery plans.

 

First and foremost, having a proper inventory program and monitoring the ICS/OT networks is essential to detect rogue activity within the networks. Without knowing your ICS/OT assets, protecting the environment from known vulnerabilities becomes difficult to properly monitor and control. 

 

The good news is security companies like Trustwave have operational technology (OT) products that will safely identify assets, detect known vulnerabilities, and monitor traffic within the ICS/OT environment. Since traffic within an ICS/OT environment is fairly static, detection of rogue traffic becomes a bit simpler.  

 

Monitoring the ICS/OT environment 24/7 and understanding asset behavior can be a daunting task. Behaviors within ICS/OT and IT are not the same, so utilizing a co-managed SOC with ICS/OT experience is essential to protecting the environment. 

 

Without a proper ICS/OT monitoring program, detection of rogue activity can be extremely difficult until the bad happens. Without knowing where or what systems have been compromised, a proper incident response will be hindered and may extend the recovery efforts.

 

Traditionally, ICS/OT environments lack a proper Incident Response and Recovery Plan. OT Engineers are typically responsible for keeping the OT devices up and running, not eradicating the threat. 

 

The first 24 hours of an incident will bring confusion, uncertainty, questions upon questions. A chain of command and proper communication to and from the trenches will keep the response smooth, less chaotic and create a faster response.  

 

Incident Response isn’t just for the IT Security team, it involves all the key players from the OT engineer to public relations, to the CIO, and everyone in between.  However, if the Incident Response and Recovery plan isn’t practiced on a regular basis, the plan is as good as the paper it’s printed on.   

 

Chances are that at some point, the bad will happen. 

 

Having a detection and readiness plan will improve the overall RTO and get you back into the game. Trustwave SpiderLab’s Co-Managed SOC and ICS monitoring solutions can help protect those critical ICS/OT environments.

 

Our vCISO team can evaluate and construct an effective ICS/OT Incident Response and Recovery plan, and conduct tabletop exercises that rehearse those plans to make effective.

 

Lastly, nation-state and nation-state backed attacks within ICS/OT environments will only continue to increase in frequency. The Russia-Ukraine war is a perfect example of setting expectations on the level of attacks against critical infrastructure such as utility (water, power, etc.), telecommunications, manufacturing, farming, transportation, and more only to name a few. If you don't have visibility into your ICS networks, now is the time to change that.

 

OT-image

 

Latest Trustwave Blogs

Comparably Honors Trustwave with Leadership and Career Growth Awards

Comparably, the leading workplace culture and compensation monitoring employee review platform has recognized Trustwave with two major awards: 2024 Best Companies for Career Growth and 2024 Best...

Read More

Why Removing Phishing Emails from Inboxes is Crucial for Healthcare Security

The adage "data is the new oil" doesn't resonate with everyone. Personally, having grown up around cars thanks to my dad, a master mechanic, I see oil as messy and cumbersome. Data, in my view, is...

Read More

How Deepfakes May Impact Upcoming Elections Worldwide

The common fear regarding election interference is that a threat actor will gain access to either ballot machines or the networks that tally votes. However, there is a much easier method a person...

Read More