Days before the Super Bowl in Tampa, a hacker remotely accessed the water treatment plant in Oldsmar. He got in by exploiting weaknesses in the plant's security architecture and security practices. The two weaknesses exploited, as reported by Rick Swearingen, commissioner of the Florida Department of Law Enforcement, were that the treatment plant did not employ a firewall, and that a single password for the remote-access application TeamViewer was shared among employees.
Now the Colonial Pipeline has been shut down by a ransomware attack from the Russia-based DarkSide hacking group, possibly a state-sponsored entity. Supervisory Control and Data Acquisition (SCADA) systems control the equipment and machines that deliver the electricity, water, oil and gas we use every day. These systems monitor that equipment for capacity, pressure and flow. They are designed to keep critical infrastructure machines operating at peak efficiency, and when a problem does occur, to take the affected equipment offline, raise an alarm and compensate. So you can imagine the havoc and chaos that can follow if such systems are compromised.
The current gas shortage is a prime example. Critical infrastructure and control systems, and every computer, network and wireless device connected to them, including cell phones, should always get the best defense-in-depth cybersecurity that companies and organizations can provide.
Colonial Pipeline will eventually discover the root cause of the ransomware attack. It will likely turn out that Colonial did not employ defense-in-depth cybersecurity. Here is a list of basic defense-in-depth cybersecurity actions that can reasonably be deployed quickly and cost-effectively:
1. Keep operating systems and applications current and patched.
2. Install anti-malware and web protection on all devices and keep them up to date.
3. Use a company-approved VPN for remote access, and require multi-factor authentication on it.
4. Use long, unique passphrases; never share one account among employees, as happened at Oldsmar; and change a passphrase at once if it may have been exposed.
5. Change the default passwords on routers and all other network devices.
6. Close unused management ports on network devices and restrict the rest to administrators' addresses. Moving a service off its default port slows down scanners but is not a substitute for access control.
7. Use MAC (Media Access Control) address filtering where practical, remembering that MAC addresses can be spoofed, so treat it as a speed bump rather than a control.
8. Set up a guest network for visitors.
9. Review router and remote-access logs at least weekly.
10. Encrypt the storage on your devices.
11. Have separate devices for work and personal use.
12. Use encrypted protocols such as HTTPS, SFTP and SSH, and disable their plaintext predecessors (HTTP, FTP, Telnet).
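Item 9, the weekly log review, is where the Oldsmar pattern (one shared login, used from wherever the password had travelled) would have shown up. The script below is an added example written for this column, not something from the original piece or from any of the organizations named in it. Its log format (one remote-access session per line: ISO timestamp, account, source address), the sample lines, the approved address ranges and the staffed hours are all constructed assumptions. It flags three things a reviewer should never let slide: the same account appearing from different addresses within minutes, sessions from addresses outside the approved ranges, and sessions outside staffed hours.

```python
"""Weekly review of remote-access logs (added example; see lead-in).

Assumed log format, one session per line: ISO timestamp, account, source IP.
Flags three conditions a reviewer should not miss:
  1. one account used from different source addresses within minutes
     (a shared login, as at Oldsmar);
  2. sessions from addresses outside the approved VPN/plant ranges;
  3. sessions outside staffed hours.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log, not real data.
SAMPLE_LOG = """\
2021-02-05T08:02:11 operator 10.20.0.15
2021-02-05T08:17:40 operator 10.20.0.15
2021-02-05T13:05:22 operator 10.20.0.22
2021-02-05T13:06:03 operator 198.51.100.77
2021-02-05T15:33:09 operator 198.51.100.77
2021-02-06T02:14:51 operator 203.0.113.9
"""

# Assumed approved sources: plant LAN and the corporate VPN address pool.
APPROVED_NETS = [ip_network("10.20.0.0/16"), ip_network("10.99.0.0/24")]
STAFFED_HOURS = (time(6, 0), time(22, 0))      # assumed shift coverage
SHARED_USE_WINDOW = timedelta(minutes=10)       # assumed tolerance


def parse_log(text):
    """Return a time-sorted list of (timestamp, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src = line.split()
        events.append((datetime.fromisoformat(ts), user, ip_address(src)))
    return sorted(events)


def unapproved_sources(events):
    """Source addresses that fall outside every approved network."""
    return sorted({str(src) for _, _, src in events
                   if not any(src in net for net in APPROVED_NETS)})


def off_hours_logins(events, hours=STAFFED_HOURS):
    """Sessions that start outside staffed hours."""
    start, end = hours
    return [(ts.isoformat(), user, str(src))
            for ts, user, src in events if not (start <= ts.time() < end)]


def shared_account_use(events, window=SHARED_USE_WINDOW):
    """Same account, different source addresses, within `window` of each other.

    Events are sorted, so the inner loop stops at the first session that is
    more than `window` later than the one being compared.
    """
    by_user = defaultdict(list)
    for ts, user, src in events:
        by_user[user].append((ts, src))
    findings = []
    for user, sessions in by_user.items():
        for i, (t1, s1) in enumerate(sessions):
            for t2, s2 in sessions[i + 1:]:
                if t2 - t1 > window:
                    break
                if s1 != s2:
                    findings.append((user, str(s1), str(s2),
                                     t1.isoformat(), t2.isoformat()))
    return findings


def audit(text):
    """Run all three checks over a log and return the findings by category."""
    events = parse_log(text)
    return {
        "unapproved_sources": unapproved_sources(events),
        "off_hours": off_hours_logins(events),
        "shared_use": shared_account_use(events),
    }


if __name__ == "__main__":
    for category, findings in audit(SAMPLE_LOG).items():
        print(category)
        for finding in findings:
            print("   ", finding)
```

On the sample data the shared-use check fires once: the "operator" account appears from a plant address at 13:05 and from an internet address 41 seconds later, which a single person at one console cannot do. The two internet addresses also show up as unapproved sources, and the 2 a.m. session is flagged as off hours. The thresholds are deliberately simple; the point is that a ten-minute weekly pass over a small log, with the approved ranges written down, catches the exact failure mode Oldsmar had.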
Long term, companies and organizations should do these things:
13. Review your architecture to make sure firewalls, DMZs and IDS/IPS devices are deployed and configured properly, and that control-system (SCADA) networks are segmented from the business network and from the internet. The same goes for your routers.
14. Appoint an insider-threat officer and establish an insider-threat training program.
15. Require annual cybersecurity training and testing for all employees.
16. Make sure employees know whom to contact on your security staff if they have questions about suspicious emails or websites.
17. Survey your vendors to make sure they meet or exceed your network security and data access requirements.
State-sponsored hackers are here to stay. They employ a technique that can be called probe and record. Simply put, they attack public and private infrastructure to see how far they can get. They record which defensive measures they ran into, which ones they did not encounter, and whether there was any offensive response. This helps them build attack profiles across every sector, private and government alike. By employing defense-in-depth cybersecurity measures and practices, we can make it far harder for hostile actors to shut down critical systems and infrastructure in the future.
Mark Khan is a senior information assurance cybersecurity consultant in Tampa.