Page 34 - MRWATODAYSpring2021flipbook
The Art of Cyber War and What Makes a Water Utility Vulnerable
by Tom Kirkham, CEO of IronTech Security
December 10, 2020
Cyber warfare is real. Every water utility is vulnerable to a cyber attack. These attacks come in many different forms – everything from stolen data held for ransom, to compromised customer billing and, in worst case scenarios, a disruption in water delivery or water supply contamination. The harsh reality is that the population cannot live without water.

The Threat Actors at Work

Criminal enterprises, nation-states, inside attackers, hacktivists and other malcontents lurk in the cyber sea waiting to feed on unsuspecting victims. Water utilities are at great risk for much more than ransomware attacks. Because utilities are critical infrastructure, leaders must worry not only about criminal enterprises and nation-states but, to a greater extent, must prepare for potential insider attacks or other malcontents who work like lone wolves.

First, a water utility should worry about ransomware, which is the number one concern in organizations today. The ransomware business is a multi-billion dollar business that is built on holding data from networks for ransom. Consider that just a few weeks ago a cyberattack on the city of Florence, Alabama's computer network system cost the city nearly $300,000 in ransom. The hackers took possession of personal information on city employees and customers, and it's not clear how much they actually possess. In Galt, California, hackers took down the water utility's email and telephone system and demanded ransom to restore the systems. For days, only emergency services were available. In Texas, 23 cities were involved in a ransomware attack in which the criminals were demanding $2.5 million to decrypt stolen files. And, in Lake City, Florida, hackers demanded $416,000 to decrypt files.

There are also other attack types, including keyloggers (a software program or device designed to secretly monitor and log all keystrokes). They pose a serious threat to users, as they can be used to intercept passwords and other confidential information entered via the keyboard. As a result, cyber criminals can get PIN codes and account numbers for e-payment systems, passwords to online gaming accounts, email addresses, user names, email passwords, and almost any other information imaginable.

Rootkits are a type of malware designed so that they can remain hidden on a computer. While they might not be noticed, they are active. Rootkits give cybercriminals the ability to remotely control a computer.

Cyber criminals also use back door attacks – accessing a system through unsecured points of entry such as outdated plug-ins or input fields.

These are commonly known as advanced persistent threats (APTs). With nation-states, the objective with an APT is to remain undetected on the network, gather data, gather intelligence, learn what controls are on their SCADA servers, get the network architecture, and then start searching for vulnerabilities and other things that they can use to either disrupt the organization or make money off of it by selling customer data.

These are not "might happen" scenarios. Water delivery has been interrupted in various parts of the world, including the United States. There have been water quality issues that were believed to be caused by nation-states or cyber criminals.

The most common distribution methods, also known as the attack vectors, include email attachments, apps or Excel spreadsheets, Word documents, or other files that deliver a payload once the file attachment is opened on the computer. Ransomware can also be delivered by a drive-by hit on a compromised website. That's why it's critical for websites to be secure.

Legitimate advertising networks – especially those that provide news and information and have ads – can be fooled into serving up malware. Malicious USB drives are a great delivery mechanism to attack a system. USB drives can contain malware that can hop networks and deliver data such as credentials. If users don't practice good password hygiene and reuse the same set of credentials on multiple websites, then once a criminal gains access to an email account the next step is to use those credentials to get into bank accounts and other websites, and to steal identities. Even with good security hygiene, both criminal and ethical hackers can use simple penetration testing tools to see what ports are open on a network. When the tool finds an open port it then queries the server for what services are behind it and which services will answer. Next, the hacker looks for vulnerabilities, unpatched software, and other ways to exploit the service. Just like that, the hacker has access to your data.

Take the Prevention Stance

To prevent this, a water utility must secure the information. Imagine an onion – the core of the onion is the set of assets that you're trying to protect, such as an industrial control system or SCADA device. The best defense is to adopt the Swiss Cheese model mindset and assume a control could bend or break. No single security accident has been caused by one single error. Holes in the "cheese" are all different sizes; some are due to active failures while others are simply the result of conditions. The security strategy must take into account the hazard, technology, process and people to prevent loss.

Assume that administrative, technical, and physical controls can break, so the best defense is NOT an unhackable single layer. Look at multiple layers and plan that each layer targets an attack vector. Dozens of layers could be added to a security posture to protect core assets and devices, data, and customer information. The key is to make certain the "holes" in the cheese are not aligned to allow penetration.
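The reconnaissance step the article describes, a tool looking for open ports and then asking what service answers, is also something a utility can watch for on its own network: in firewall or flow logs it appears as one source touching many distinct destination ports in a short time. The Python script below is an added example, not part of the article or of IronTech Security's work; the log line format, the IP addresses and the thresholds are all constructed assumptions. It flags any source that reaches a configurable number of distinct ports within a sliding time window.

```python
"""Port-scan detector run over constructed firewall log lines.

Added example (not from the article). The log format below is an assumption:
ISO timestamp, source IP, destination IP, destination port, firewall action.
IP addresses are from the documentation ranges and are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The first source probes seven ports on one SCADA
# host within four seconds (502 is the Modbus/TCP port); the second source is
# an ordinary client using only HTTPS/HTTP over half an hour.
SAMPLE_LOG = """\
2021-03-01T08:00:01 198.51.100.7 192.0.2.10 22 DENY
2021-03-01T08:00:01 198.51.100.7 192.0.2.10 23 DENY
2021-03-01T08:00:02 198.51.100.7 192.0.2.10 80 ALLOW
2021-03-01T08:00:02 198.51.100.7 192.0.2.10 443 ALLOW
2021-03-01T08:00:03 198.51.100.7 192.0.2.10 502 ALLOW
2021-03-01T08:00:03 198.51.100.7 192.0.2.10 3389 DENY
2021-03-01T08:00:04 198.51.100.7 192.0.2.10 8080 DENY
2021-03-01T08:00:10 203.0.113.5 192.0.2.10 443 ALLOW
2021-03-01T08:05:00 203.0.113.5 192.0.2.10 443 ALLOW
2021-03-01T08:30:00 203.0.113.5 192.0.2.10 80 ALLOW
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_scans(log_text, window_seconds=60, min_ports=5):
    """Return {src_ip: sorted distinct ports} for every source that touched
    at least `min_ports` distinct destination ports inside any window of
    `window_seconds`. Both DENY and ALLOW lines count: a probe that was
    blocked is still a probe, and the defender wants to see it."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # src -> [(timestamp, port), ...]
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, _dst, port, _action = parse_line(raw)
        events[src].append((ts, port))

    flagged = {}
    for src, hits in events.items():
        hits.sort()  # oldest first so the sliding window is monotonic
        best = set()
        left = 0
        for right in range(len(hits)):
            # shrink the window from the left until it fits window_seconds
            while hits[right][0] - hits[left][0] > window:
                left += 1
            ports_in_window = {p for _, p in hits[left:right + 1]}
            if len(ports_in_window) >= min_ports and len(ports_in_window) > len(best):
                best = ports_in_window
        if best:
            flagged[src] = sorted(best)
    return flagged


if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: ports {ports}")
```

The window and threshold are deliberately parameters rather than constants. On a flat utility network there is rarely a legitimate reason for one workstation to touch both the Modbus port and the remote desktop port of a SCADA host within a few seconds, so a low threshold is appropriate there; an Internet-facing web server sees far more varied traffic and needs a higher one to avoid noise.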