Attacks on water treatment plants show just how vulnerable critical infrastructure is to hacking – here’s how these vital services should be protected
Criminals plotting to poison a city’s water supply is a recurring theme in TV and movie thrillers, such as 2005’s Batman Begins. But as we’ve seen recently, it’s more than just a plot device: it’s a cyber-threat which is all too real. During the past 12 months, there have been two high-profile attacks on water treatment systems that serve local populations, both with the aim of causing harm to citizens.
The first was in April 2020, targeting a plant in Israel. Intelligence sources said that hackers gained access to the plant and tried altering the chlorine levels in drinking water – but luckily the attack was detected and stopped. And in early February, a hacker gained access to the water system of Oldsmar, Florida and tried to pump in a dangerous amount of sodium hydroxide. The hacker succeeded in starting to add the chemical, but luckily a worker spotted what was happening and reversed the action.
But what could have happened if those timely interventions had not been made? These incidents are a clear reminder that critical national infrastructure is vulnerable to attacks – and that those attacks will keep on happening, with the potential to impact the lives of millions of people. And of course, the Covid-19 pandemic has further highlighted how essential critical infrastructure is to our daily lives.
So how can better security be built into critical infrastructure systems, to stop attackers being able to breach them and disrupt day-to-day operations? It’s a huge challenge, because of the variety and complexity of the networks and systems in use across different industry sectors worldwide.
For example, in water and power utilities, there are large numbers of cyber-physical systems consisting of industrial equipment such as turbines, pumps and switches, which in turn are managed by a range of different industrial control systems (ICS). These were not designed with security in mind: they are simply machines with computerized controllers that enact the instructions they receive from operators. The communications between the operator and the controllers are done via IP-based networks – which, without proper network defenses, means they can be accessed over the Internet – which is the vector that hackers exploit.
As such, irrespective of the differences between ICS controls, the security challenges for all critical infrastructure organizations are similar: hackers must be stopped from being able to infiltrate networks; if they do succeed in breaching the organization’s defenses, they must be prevented from being able to move laterally across networks and gain access to critical systems.
This means network segmentation is one of the core strategies for securing critical infrastructure, to keep operational systems separate from other networks in the organization and from the public Internet and surround them with security gateways so that they cannot be accessed by unauthorized people. In the attack examples we mentioned earlier, properly implemented segmentation would prevent a hacker from being able to access the PC which controls the water plant’s pumps and valves.
With damaging ransomware attacks increasing over the past year, which also exploit internal network connections and pathways to spread rapidly and cause maximum disruption, organizations should also employ security best-practices to block or limit the impact of ransomware attacks on their critical systems. These best practices have not changed significantly since 2017’s massive WannaCry and NotPetya attacks, so organizations would be wise to check and ensure they are employing them on their own networks.
Protecting critical infrastructure against cyber-attacks is a complex challenge because of the sheer diversity of systems in each sector. However, the established security measures we’ve outlined here are extremely effective in protecting these vital systems – and in turn, protecting all of us.
Receive notifications of new posts by email.
We don not ask your personal information to access any of our resources.