Recently we wrote an article about the dramatic increase in cyber attacks on municipalities. When government-run IT infrastructures are hacked it can impact the normal functions of city utilities, libraries, fire departments, emergency services, local law enforcement, and … the community’s citizens. Cybersecurity breaches like these also hamper the working of the government and threaten the integrity of private information.
But, cyber-attacks that affect the public aren’t limited to “just” government-run organizations, sometimes private-sector businesses that cater to the public are exposed to cyber attacks that can have a devastating effect on citizens. These types of attacks can affect “critical infrastructure” and interrupt the delivery and support of the necessities of daily life.
According to the Government of Canada, “Critical Infrastructure (CI) plays a role in the delivery and support of the necessities of daily life. This includes commonly used services, such as water, hydro, and finances. Disruptions to CI could result in loss of vital services, harm to the public, or even loss of life.
CI refers to processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. CIs are often interconnected and interdependent within and across provinces, territories, and national borders.
The National Strategy for Critical Infrastructure identifies the following Ten CI sectors: Energy and utilities, Finance, Food, Government, Health, Information and communication technology, Manufacturing, Safety, Transportation, and…Water.
Operational technology (OT) and Industrial control systems (ICS) can be threat targets. OT refers to computing systems used to automate industrial processes and operations in many different sectors such as manufacturing. ICS is a major subset within OT that allows CI providers to remotely monitor their processes and control their physical devices on their infrastructure.
OT and ICS that are connected to the Internet or to other networks and systems are attractive targets to cyber threat actors, who may be focused on disruption of OT or ICS, or compromising them as pathways for phishing schemes, spam, or malware attacks.
What are the impacts?
Cyber attacks on CIs can have serious and devastating consequences. Some of the impacts can include:
- interruption of basic essential services we all rely on such as electricity, water and natural gas
- disruption in production and supply of food and medical supplies
- loss of overall public trust and confidence in the economy, national security and defence as well as in the democratic processes
- damage to the environment and risk to public health from chemical spills, toxic waste discharges or hazardous air emissions
- lost revenue, reputational risks, job losses, or legal consequences (e.g. liability from a data breach) for companies and employees
- disruptions to hospital operations, or even compromised medical devices, that could lead to loss of life
Main threats to CI
Cybercrime threat actors may target CI sectors for financial gains. Some CI sectors, such as health care and manufacturing, are popular targets because their owners and operators cannot tolerate long-term disruption of essential services and often have significant financial resources to pay the ransom. Insider threat actors may target for personal reasons, such as an act of revenge by disgruntled former employees or customers. State-sponsored cyber threat actors may target CI sectors to collect information in support of broader strategic goals to influence public opinion or development of policy.
Cyber threats to CI sectors can involve stealing mission-critical information, locking sensitive files, or leaking proprietary or compromising information. Some of the main cyber threats to CI include:
Ransomware is a form of malware that denies users access to systems or data until a sum of money is paid. Other types of malware (e.g. wipers and spyware) are used to target CI by infiltrating or damaging connected systems.
Denial-of-service (DoS) is any activity that makes a service unavailable for use by legitimate users, or that delays system operations and functions. A threat actor could render large parts of a CI sector unavailable and cause potentially catastrophic failure.
Insider threats can result from anyone who has knowledge of or access to an organization’s infrastructure and information and uses it, either knowingly or inadvertently, to cause harm. Insider threats could have a significant impact on a CI sector and its business functions.”
Think these types of attacks will never happen in a civilized continent like North America? Think again…
US and Canada warn critical infrastructure providers of possible Russian cyber attacks
According to excerpts of an article by ITWorld Canada, they wrote, “U.S. President Joe Biden is urging American providers of critical infrastructures, such as banks and energy companies, to be alert because of “evolving intelligence” that the Russian government is “exploring options for potential cyberattacks.”
“If you have not already done so, I urge private sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year,” he said in a statement.
“You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which we rely. We need everyone to do their part to meet one of the defining threats of our time — your vigilance and urgency today can prevent or mitigate attacks tomorrow.
He also released a list of things firms should do now, including mandating the use of multi-factor authentication on IT systems.
In response to questions from ITWorldCanada, a spokesperson for the Canadian Centre for Cyber Security, which advises the private sector, said “There has been a historical pattern of cyber attacks on Ukraine having international consequences, such as the malware known as NotPetya in 2017. This is why we have issued unclassified threat bulletins reminding Canadian critical infrastructure operators and defenders to be aware of the risks and take mitigations against known Russian-backed cyber threat activity.
“Now is the time to take defensive action and be proactive in network monitoring and applying appropriate mitigations.”
The spokesperson said the Centre has been in touch with critical infrastructure partners “over the past several weeks to provide briefings on the Canadian cyber threat environment.”
In a press briefing, U.S. deputy national security advisor for cyber Anne Neuberger said the President’s public warning follows classified briefings held last week with 100 select companies on “preparatory” work for cyber attacks it recently has seen.
The classified meetings with the companies were ones Washington thinks might be affected and included sharing resources and threat intelligence to help them harden defenses. The offer included hands-on support from the FBI.
This is part of an effort including classified and unclassified briefings with firms that started last fall, she added, as well as cybersecurity orders directly given by federal agencies to companies.
“Notwithstanding these repeated warnings, we continue to see adversaries compromising systems that use known vulnerabilities for which there are patches. This is deeply troubling. So we’re urging companies to take the steps within their control to act immediately to protect the services millions of [people] rely on and to use the resources the government makes available.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has a regularly updated list of known vulnerabilities that hackers commonly use, most of which have patches available.
Failing to patch makes it easier for hackers, she said. “Lock your digital doors,” she urged companies. “Make it harder for attackers.”
“Preparatory activity” could include scanning websites or looking for IT vulnerabilities, she said. “We’ve given a number of threat warnings over the last number of weeks that Russia could consider conducting cyber attacks in response to the significant economic costs the U.S. and partners have put on Russia” for invading Ukraine. “The latest intelligence “speaks to evolving threat intention and a potential shift in intention to do so.”
“To be clear,” Neuberger added, “there is no certainty there will be an incident on critical infrastructure. But because of evidence of preparations the government has seen, it wants to urge critical infrastructure providers to pick up the pace of their work. “This is a call to action and a call to responsibility for all of us,” she said.
The U.S. and Canada largely have the same list of industries that fit into the definition of critical infrastructure. In Canada, the list appears shorter because industries are folded into one heading (for example, energy producers). On the U.S. side, the list separately enumerates dams, chemical producers, communications providers, emergency services providers, the financial sector, governments at all levels, IT producers, transportation firms, nuclear reactors, water producers, the healthcare sector, food providers, critical manufacturers, the defense sector and commercial facilities (such as malls and hotels).
There are four implications of the new Ukraine-Russia advisory from the White House, said Karthik Kannan, CEO of Anvilogic:
- firms should act immediately on tactical low-hanging fruit initiatives such as multi-factor authentication, disaster recovery/backup practices, and regular patching for vulnerabilities;
- firms should make continuous investments in threat detection;
- application developers must, if they haven’t done so already, start thinking about security in their daily development processes to make stronger and more resilient applications that are harder to breach;
- companies must collaborate with their peers and with government agencies to learn more about threats as well as share best detection/response/mitigation practices.”
It’s not “just” Russia that is a threat to our Critical Infrastructure. As we mentioned previously, there can be a host of different reasons that cybercriminals are motivated to attack CI. It could be financial, personal, political, or… simply for the thrill of it.
Florida Hack Exposes Danger to Water Systems
In excerpts of an article by PEW Trusts, they wrote, “A renegade mouse cursor signaled the danger at the water treatment plant in Oldsmar, Florida.
On Feb. 5, a plant operator for the city of about 15,000 on Florida’s west coast saw his cursor being moved around on his computer screen, opening various software functions that control the water being treated. The intruder boosted the level of sodium hydroxide—or lye—in the water supply to 100 times higher than normal.
Sodium hydroxide, the main ingredient in liquid drain cleaners, is used to control water acidity and remove metals from drinking water in treatment plants. Lye poisoning can cause burns, vomiting, severe pain, and bleeding.
“Now, if you want to poison water, you can do it from the comfort of your home.”
After the hacker exited the computer, the operator immediately reduced the sodium hydroxide back to its normal level and then notified his supervisor, Pinellas County Sheriff Bob Gualtieri said at a news conference a few days later.
The Oldsmar breach alarmed state and local officials around the country
“Officials I’ve contacted are nervous. There is great concern,” said Alan Shark, executive director of the Public Technology Institute, a Washington, D.C.-based nonprofit that provides training and other support to local government information technology executives.
Some states responded to the attack by issuing alerts to water systems. Some also decided to provide additional training and focus more on cybersecurity during their water plant inspections. But many local governments that run water systems lack the money or the personnel to strengthen cybersecurity.
In Wisconsin, state officials sent cybersecurity advisories to all 611 community water systems after the Florida breach, said Miranda Mello, a senior water supply engineer at the Department of Natural Resources. “This incident is opening a lot of people’s eyes because public health is connected to systems that have cybersecurity vulnerabilities,” she said.
The state doesn’t have a comprehensive way to track the cybersecurity measures that water systems have in place, she said. But it does ask about their security and emergency response systems when staffers inspect utilities every three years.
Because of the Oldsmar attack, Mello said, the state plans to incorporate more questions specifically about cybersecurity during its inspections.
In Massachusetts, the state Department of Environmental Protection issued an advisory to public water suppliers after the Florida attack, warning utilities to be “on heightened alert” for any unusual activity and remain vigilant by evaluating system security.
The agency also is planning additional training for state and water utilities’ staff, spokesperson Edmund Coletta said in an email, and is reviewing all regulations and policies.
In New Jersey, cybersecurity officials also sent out a series of alerts after the Oldsmar breach.
“Changing the chemical equation and compounds to treat the water is shocking on the surface, but there’s been a concern about this for a long time,” Jared Maples, director of the state Office of Homeland Security and Preparedness, said in an interview with Stateline.
Officials need to be concerned not just about cybercriminals or terrorists trying to target the water supply, he said, but also about threats from insiders, such as disgruntled employees.
While water plants have fail-safes to prevent hackers from compromising drinking water that gets to the public, Maples said, they still have to be on their guard because there’s “no such thing as 100% safe in this game.”
“Our goal is to continually try to stay ahead of them, to make our system stronger and better,” he said. “It’s a constant cat and mouse [game] that we play.”
About 52,000 community water systems operate in the United States, providing water to more than 286 million people year round. Most systems are run by local governments; many are very small.
Small water utilities often don’t have their own IT or cybersecurity staff. They typically are part of city or county governments, but those too may not have the staff or resources to ensure that cybersecurity is strong.
“Sophisticated hackers could take advantage of weaknesses in the system and affect water quality or distribution,” said Michael Arceneaux, managing director of the Water Information Sharing and Analysis Center, a Washington, D.C.-based group that helps water utilities strengthen their physical and cybersecurity. “It could become a public health issue.”
Water utilities that don’t have the resources, need technical training and help setting up secure systems, selecting software and hardware, and operating the technology, he added.
The Pinellas County Sheriff’s Office, FBI and Secret Service are investigating the Oldsmar incident. Investigators haven’t identified a suspect and don’t know whether the attack originated in the U.S. or why Oldsmar was targeted.
“The important thing is to put everybody on notice … these kinds of bad actors are out there,” Oldsmar Mayor Eric Seidel said at the news conference. “It’s happening. So really take a hard look at what you have in place.”
Oldsmar officials said they disabled the program that allowed the intrusion and will make security upgrades.
In response to the Oldsmar incident, four agencies including the FBI, EPA and a federally funded group that tracks cybersecurity issues for states and local governments released a joint advisory warning that “corrupt insiders and outside cyber actors” were using desktop sharing software to victimize targets, including those in the critical infrastructure sector.
The agencies made a number of cybersecurity recommendations and advised organizations to upgrade their Windows operating systems.
They also cautioned that water utilities should install “independent cyber-physical safety systems” that would prevent dangerous conditions if the control system is compromised. That would let smaller systems that have limited cyber capability take steps that would prevent hackers from gaining control of a pump and raising the pH to hazardous levels, as happened in Oldsmar.
The Oldsmar breach has gotten attention in Congress as well.
Calling it a “serious security compromise,” U.S. Sen. Mark Warner, the Virginia Democrat who chairs the Senate Intelligence Committee, has asked the FBI for a progress report on the criminal investigation and the EPA for a review of the plant’s compliance with federal water security plans.
Shark, of the Public Technology Institute, said it’s been hard for local governments to get the funding to beef up cybersecurity at water utilities.
“States have to step up, and they’re going to need help from the feds to find ways to fortify this,” he said. “There are a whole set of bad actors out there probing for weaknesses to bring certain facilities to their knees.”
In the past few years, water utility systems in Jacksonville, North Carolina, and Fort Collins, Colorado, have been victimized by ransomware attacks, according to a 2019 study in Journal of Environmental Engineering. Ransomware hijacks computer systems and holds them hostage until their victims pay a ransom or restore the system on their own.
The study noted that 25 U.S. water utilities had reported cybersecurity incidents in 2015 and that many cases either go undetected or are not disclosed.
Across the globe, hackers who’ve struck water utilities have ranged from curious amateurs to disgruntled former employees to cyber terrorists, the researchers found.
In Oldsmar, before the breach, authorized users could use software to remotely monitor operations and check chemical levels to troubleshoot any problems. Many utilities use a similar system, which could become an entry point for hackers, cybersecurity experts say.
“Everything is getting automated these days. A lot of these utilities operate with razor-thin budgets and limited staffing. They’ll set up systems where someone can access it from home,” said Alex Hamerstone, risk management director at TrustedSec, a company based in a Cleveland suburb that does cybersecurity testing for water plants and other utilities.
If water utilities use passwords that aren’t strong enough or terminate workers without changing their passwords, Hamerstone said, that can leave them vulnerable to hackers.
Cybercriminals can use phishing or other methods to try to get into email or billing systems at water utilities, just as they do with other government agencies, he said. But Oldsmar’s breach was much more dangerous because it threatened lives, he added.
“Now, if you want to poison water, you can do it from the comfort of your home.”
Mello, of Wisconsin’s environmental agency, said water systems typically have multiple alarms that will alert an operator if there’s an issue going on, and checks and balances to ensure the water quality is at the level that it should be.
But she cautioned that water plants’ operating systems need to be up-to-date and staffers should be using strong passwords and multi-factor authentication, a method of confirming identity before someone logs in, usually by entering a randomized one-time password or number sent to a smartphone or email address.
Arceneaux, of the water utilities’ security group, said since the COVID-19 pandemic began and more people have been working at home, his group has been recommending that utility update software, provide training, and assess what software and hardware they use—as well as vulnerabilities.
“It’s really important that water boards and city councils and top managers take an interest in cybersecurity and provide the investments that are needed to prevent these types of attacks,” Arceneaux said.
And water utility officials and others need to understand that it’s not just something that can hit a small community, said Kevin Morley, federal relations manager at the American Water Works Association, a Denver-based group that represents water utilities and others in the field.
“This could happen to a large city as well,” Morley said. “Water systems, large or small, need to be vigilant. It’s a very real threat.”
How to protect your CI sector from cyber attacks
According to the Government of Canada, they suggest, “CI network operators can reduce their risks of cyber attacks by implementing the following security measures. For more info on mitigation measures check out the CISA advisory (link available in English only).
Isolate CI components and services by implementing firewalls, virtual private networks (VPN ), and multi-factor authentication (MFA) for remote access connections with corporate networks.
When using ICS, test manual controls to ensure critical functions remain operable if your network is unavailable or untrusted. Use Privileged Access Workstations (PAWs) to separate sensitive tasks and accounts from non-administrative computer uses, such as email and web browsing. Implement network security zones to control and restrict access and data communication flows to certain components and users. Be prepared under imminent threats to isolate CI components and services from the internet.
Enhance your security posture by automatically patching your operating systems and applications. Replace devices and products that are past their end of life. Implement offline backups that are tested frequently to ensure you can recover quickly in the event of an incident.
Protect your network from malware by virtualizing your network to prevent it from spreading and infecting your corporate networks. Deploy network and endpoint monitoring through securely configured and enabled anti-virus and anti-malware software, and activate software firewalls on connected devices.
Develop an incident response plan that includes the processes, procedures, and documentation related to how your organization detects, responds to, and recovers from cyber attacks. Test and revise the plan periodically to ensure critical functions and operations continue in case of system disruptions or unexpected downtime.
Train your employees so they understand the importance of cyber security best practices, such as identifying malicious emails and links, using passphrases or strong passwords, and reporting incidents as soon as they are detected.
Monitor organizational activities by collecting, analyzing, and storing records that are associated with user actions on information systems. Enable logging in order to better investigate issues or events. Monitor traffic at your Internet gateways and establish a baseline of normal traffic patterns. Highly sophisticated threat actors may influence or coerce employees (e.g., social engineering , bribery, blackmail, intimidation) to help them compromise security. To guard against these actors, enhance your insider threat monitoring and consider implementing a “two-person” rule when performing critical administrative functions.”
At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.
Every single device that connects to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.
Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions you can lower your costs through systems that are running at their prime; creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.
To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at firstname.lastname@example.org