The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that malicious hackers continue to be capable of compromising industrial control systems (ICS) and other operational technology (OT) using “unsophisticated methods” – suggesting that much more still needs to be done to secure them properly.
In an advisory posted on CISA’s website yesterday, the agency said that internet-accessible industrial systems could be vulnerable to a number of methods of compromise, including exploitation of default credentials and brute force attacks.
Notably, CISA chose to particularly highlight that organisations working in the water and wastewater systems (WWS) sector were amongst those vulnerable to such unsophisticated hacking techniques.
Industrial control systems manage and regulate processes in the WWS sector such as water filtration, chemical treatment, and pumping stations – ensuring that they operate within safe parameters, maintain the quality of drinking water, and prevent contamination to the environment. It is also used to automatically monitor water levels and flow rates in real-time.
Supervisory Control and Data Acquisition (SCADA) is a particular type of industrial control system, which – in the case of the WWS sector – is used to monitor and control the geographically dispersed water distribution network.
Staff use human-machine interfaces (HMIs) for a graphical overview of ICS and OT systems. enabling a rapid response if there is an equipment failure or emergency.
Unfortunately HMIs have often been found to be poorly secured, and if they have a password at all may only be protected by an easy-to-guess default password. It is commonly understood that those maintaining such systems may be more nervous about what may happen if they “break” critical infrastructure by changing a password than the prospect of being hacked because a weak password is being used.
As we have described before, WWS systems are often considered by attackers to be “target-rich, cyber-poor.”
In the past there have been ransomware attacks launched against the WWS sector, as well as what are thought to have been state-sponsored attacks against water utilities in the United States.
The reminder from CISA for the water sector to defend itself more strongly against cyber attack appears to be well timed.
This week the Red Evil hacktivist group claimed to have compromised water systems used by Hezbollah in Lebanon, gaining control of the SCADA software used at 14 water facilities in southern Lebanon and Beirut and changing chlorine levels.
However, experts note that there has been no independent verification of the group’s claims and even though Red Evil shared screenshots of HMIs it claimed to have accessed, it is possible that the impact of the attack (if it happened at all) has been exaggerated as part of a misinformation campaign.
Earlier this year CISA and the United States Environmental Protection Agency (EPA) published a guide in an attempt to raise cybersecurity resilience and improve incident response in the WWS sector.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.