What an Attack on a Water Company can Teach Us About SCADA Network Visibility

In a recent case study Verizon describes how hackers were able to penetrate a water company’s SCADA network and change the amounts of chemicals mixed into tap water. Here is our analysis of the event, and what OT and IT managers in critical infrastructure organizations can learn from it to improve their security posture.

The Incident

Kemuri Water Company (KWC) is a pseudonym for an undisclosed water company supplying water to over 2.5 million customers. Verizon Security was contacted after a hacktivist group gained access to KWC's OT network by exploiting a vulnerability in its payment application.

After compromising the payment application, the attackers gained access to an internet-connected AS400 machine and exfiltrated the customer PII and payment information stored on it. The same AS400 machine also ran the water district's valve and flow control application. From there the attackers were able to reach the OT network and manipulate the amount of chemicals that went into the water supply, luckily with no major impact.

IT and OT Network Convergence is Inevitable 

In the KWC network, IT and OT functions resided on the same AS400 machine, with hundreds of Programmable Logic Controllers (PLCs) accessible from the internet. This provided the attackers with convenient access to the OT network. Clearly this was a key vulnerability of the KWC infrastructure.

But can organizations enforce a policy where OT and IT networks are disconnected in order to protect the OT network from external attacks?

Attackers increasingly use the IT network as a gateway for penetrating the OT network, as the number of touchpoints between internet-connected IT networks and sensitive OT networks grows. This convergence is extremely difficult to eliminate: OT and IT networks routinely interconnect for billing, statistical reporting and more. SCADA network devices are often remote and widely dispersed, so field devices provide an additional attack vector. Remote maintenance of network components requires opening a communication link directly into the SCADA network, which provides yet another means of attack.

Understanding the complete network map is a major IT challenge.

Visibility is Key 

In this new landscape, OT and IT managers must revisit their approach to security and strive for network visibility, which exposes the IT/OT touchpoints and alerts on abnormal behavior across both networks.

Network operators must be able to view traffic across their entire network and make sense of it. This will allow them to detect security breaches as well as operational issues, before damage is done.

In KWC's case, real-time network visibility and continuous analysis would have allowed the organization to detect the unauthorized commands and anomalous values the attackers sent to the PLCs. The investigation would also have been faster and much simpler.
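To make the detection idea concrete, here is an added example (not code from the article or from CYBERBIT) of the two checks such monitoring would apply to PLC write commands seen on the wire: is the sender an authorized engineering station, and is the written dosing setpoint inside the process's safe range? The host addresses, tag names, ranges and events are all constructed for illustration.

```python
# Added example: minimal monitor over PLC write commands extracted from
# SCADA network traffic. Hosts, tags, ranges and events are constructed.
from dataclasses import dataclass

# Engineering/HMI stations allowed to write setpoints (assumed allowlist).
AUTHORIZED_WRITERS = {"10.10.1.5"}

# Operational safe range per dosing tag, as the process engineers would
# define it (constructed values, not real plant limits).
SAFE_RANGES = {
    "chlorine_dose_mg_l": (0.5, 4.0),
    "fluoride_dose_mg_l": (0.0, 1.2),
}


@dataclass
class WriteEvent:
    src_ip: str   # host that issued the write
    tag: str      # PLC tag / register being written
    value: float  # value written


def check_write(ev: WriteEvent) -> list:
    """Return the reasons (possibly none) this write should raise an alert."""
    reasons = []
    if ev.src_ip not in AUTHORIZED_WRITERS:
        reasons.append(f"unauthorized source {ev.src_ip}")
    if ev.tag not in SAFE_RANGES:
        reasons.append(f"unknown tag {ev.tag}")
    else:
        lo, hi = SAFE_RANGES[ev.tag]
        if not lo <= ev.value <= hi:
            reasons.append(f"{ev.tag}={ev.value} outside [{lo}, {hi}]")
    return reasons


def scan(events) -> list:
    """Return (event, reasons) for every write that trips at least one rule."""
    return [(ev, r) for ev in events if (r := check_write(ev))]


# Constructed sample: a normal operator write, a write from a host on the
# business side of the network, and an out-of-range dose from the operator.
SAMPLE_EVENTS = [
    WriteEvent("10.10.1.5", "chlorine_dose_mg_l", 2.0),
    WriteEvent("10.20.0.9", "chlorine_dose_mg_l", 2.1),
    WriteEvent("10.10.1.5", "fluoride_dose_mg_l", 9.5),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {ev.src_ip} {ev.tag}={ev.value}: {'; '.join(reasons)}")
```

The second event is the KWC pattern: a plausible value written from a host that should never be talking to a PLC, which a range check alone would miss.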

Summary

Most advanced cyberattacks dwell within the IT network for over 200 days, long enough for the attackers to find a way to penetrate the OT network.

In order to secure the OT network, IT managers in charge of critical infrastructure should:

  1. Assume that touchpoints between the IT and OT networks are inevitable
  2. Strive for network visibility that lets them understand these touchpoints and discover the entire network, including remote devices
  3. Seek integrated security solutions that provide advanced detection for both IT and OT

Hope this article was helpful in understanding the challenges in the new SCADA security landscape. Feel free to send me your thoughts and suggestions to: alexey.potekhin@cyberbitsolutions.com.

Alexey Potekhin is SCADA Security Product Manager at CYBERBIT.
