By Michal Erel, Senior Product Manager | March 2, 2021

Claroty Principal Vulnerability Researcher Sharon Brizinov recently hosted a webinar on the cyberattack against the water-treatment facility in Oldsmar, Fla. He shared his analysis of the attack and covered a number of issues that matter to water and wastewater officials and to critical-infrastructure operators in general, including secure remote access. View an archived version of the webinar here.

Attendees had many questions for Claroty during the webinar, but time expired before we were able to answer them all during the live presentation. We’re taking the opportunity here to address many of those remaining questions:

Q: What made Oldsmar’s facility a target for an attacker?

Several issues expanded the Oldsmar facility's attack surface. First, critical systems were reachable from the internet through TeamViewer, so anyone holding the TeamViewer credentials could connect straight to them, with no VPN and no second factor in the path. Exposing control-system hosts this way is not a best practice. The plant was also still running Windows 7, for which Microsoft support ended in January 2020. Since then, security patches for Windows 7 have been available only through a paid Extended Security Updates (ESU) contract, and feature updates are not available at all.

Operational technology (OT) systems in general tend to contain unpatched assets because of long product lifecycles and the difficulty of scheduling patches on production equipment. That puts the emphasis on defense in depth, starting with a secure remote access solution and asset visibility, so that an unpatched host is at least hard to reach and its exposure is known.

Water utility facilities such as Oldsmar would benefit from controls such as multi-factor authentication and role-based access control, along with better visibility, monitoring and control capabilities. Implementing these measures, and alerting personnel when remote-access activity is anomalous or suspicious (a session from an unrecognized machine, or one that starts when nobody is on shift), could go a long way toward catching such attacks while they are still in progress.
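To make the alerting point concrete, here is a small review script for an inbound remote-access log. It is an added example, not Claroty code and not part of the original post. The record layout follows the tab-separated Connections_incoming.txt format as commonly documented in forensic write-ups (remote TeamViewer ID, remote display name, start, end, local Windows user, connection mode, session GUID); verify it against your own installation before relying on it. The log lines, the allowlist of approved remote IDs and the business-hours window are all constructed for the example.

```python
"""Review inbound remote-access sessions in a TeamViewer-style connection log.

Added example, not Claroty code. The record layout follows the tab-separated
Connections_incoming.txt format as commonly documented in forensic write-ups
(remote TeamViewer ID, remote display name, start, end, local Windows user,
connection mode, session GUID); verify it against your own installation before
relying on it. The log lines, allowlist and business hours are constructed.
"""
from datetime import datetime

TIMESTAMP_FORMAT = "%d-%m-%Y %H:%M:%S"

# Constructed sample log (tab-separated, one session per line).
SAMPLE_LOG = (
    "100200300\tcontrol-room-laptop\t05-02-2021 08:15:02\t05-02-2021 08:47:10\toperator\tRemoteControl\t{sess-0001}\n"
    "100200300\tcontrol-room-laptop\t05-02-2021 14:02:40\t05-02-2021 14:30:05\toperator\tRemoteControl\t{sess-0002}\n"
    "987654321\tunknown\t05-02-2021 08:00:11\t05-02-2021 08:03:58\toperator\tRemoteControl\t{sess-0003}\n"
    "987654321\tunknown\t05-02-2021 13:20:00\t05-02-2021 13:25:10\toperator\tRemoteControl\t{sess-0004}\n"
    "100200300\tcontrol-room-laptop\t06-02-2021 02:10:00\t06-02-2021 02:12:30\toperator\tRemoteControl\t{sess-0005}\n"
)

# Constructed allowlist: TeamViewer IDs of machines approved to connect in.
APPROVED_REMOTE_IDS = {"100200300"}
# Constructed staffed-hours window, local time, half-open [start, end).
BUSINESS_HOURS = (7, 18)


def parse_sessions(log_text):
    """Parse log lines into dicts; malformed or empty lines are skipped, not fatal."""
    sessions = []
    for line in log_text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 7:
            continue
        remote_id, remote_name, start, end, local_user, mode, session_id = fields[:7]
        sessions.append({
            "remote_id": remote_id,
            "remote_name": remote_name,
            "start": datetime.strptime(start, TIMESTAMP_FORMAT),
            "end": datetime.strptime(end, TIMESTAMP_FORMAT),
            "local_user": local_user,
            "mode": mode,
            "session_id": session_id,
        })
    return sessions


def flag_sessions(sessions, approved_ids=APPROVED_REMOTE_IDS, hours=BUSINESS_HOURS):
    """Return (session_id, remote_id, start, reasons) for every session worth an alert.

    Two signals that need nothing but the log itself: the connecting machine's
    TeamViewer ID is not on the allowlist, or the session began outside
    staffed hours. A session can trip both.
    """
    alerts = []
    for s in sessions:
        reasons = []
        if s["remote_id"] not in approved_ids:
            reasons.append("unknown remote TeamViewer ID")
        if not (hours[0] <= s["start"].hour < hours[1]):
            reasons.append("started outside business hours")
        if reasons:
            alerts.append((s["session_id"], s["remote_id"], s["start"], reasons))
    return alerts


if __name__ == "__main__":
    for session_id, remote_id, start, reasons in flag_sessions(parse_sessions(SAMPLE_LOG)):
        print(f"{start:%Y-%m-%d %H:%M} {session_id} from {remote_id}: {', '.join(reasons)}")
```

Run against the constructed log, the script flags the two sessions from the unrecognized ID 987654321 and the 02:10 session from an approved machine; the two daytime sessions from the approved laptop pass. In practice the allowlist should be generated from an inventory rather than typed in, and the script is only useful if the log is shipped off the host, since an attacker with remote control of the machine can clear it.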

Q: If a more sophisticated cyber gang wanted to ransomware a water plant, what would that look like compared to this TeamViewer credential hack?

A ransomware attack against an industrial enterprise would start the way most cyberattacks do: a phishing email or the exploitation of a vulnerable internet-facing application gives the attacker a foothold on the IT network, at the enterprise level (Level 4) of the Purdue Model. If the attacker can obtain domain credentials, they may be able to cross the DMZ into the site operations and control level (Level 3) and compromise an engineering workstation. At any point, the attacker could use that system, usually a Windows machine, to drop ransomware, other malware, or exploits. From an engineering workstation they could also manipulate PLCs and disrupt or modify the plant's processes.

Q: With the trend moving toward converged IT/OT networks and manufacturers requesting that more data be moved from OT networks to IT systems, how do we reverse the trend of an increasing number of cyberattacks and vulnerabilities in OT networks?

We're already seeing more attackers, and more researchers, looking for vulnerabilities in industrial control systems (ICS). Our Biannual ICS Risk & Vulnerability Report shows that the number of security issues disclosed in ICS software and OT protocols is growing year over year, and not necessarily because vendor products are insecure or companies have poor security practices. Convergence and digital transformation are driving this trend, which is why organizations need to manage these risks centrally: have adequate visibility into the OT network, know which systems are exposed and likely to be attacked, and prioritize updates, patching, and access controls wherever possible.

ICS software is no different from other software: vulnerabilities are part of the development process and the product lifecycle. We're seeing more OT administrators investing in security, understanding the risk posed by vulnerabilities, and commissioning code reviews and penetration tests. This is an important development, since many industrial products have never undergone a thorough security review, and their vulnerabilities are only now coming to the surface.

Q: Is the remote desktop platform that was compromised widely used in OT environments? Is it common in water utilities and other sectors?

We can assume that these platforms are in use across water facilities and other critical-infrastructure sectors. They are inexpensive and easy to adopt and use, and it often comes down to a tradeoff between usability and security, in which usability and cost usually win. As for water and wastewater specifically, in our experience many of these facilities serve smaller communities, are under-resourced, and lack cybersecurity training and expertise.

Q: In your experience, are OT managers taking cybersecurity attacks seriously, or are they just waiting and thinking they will not be attacked?

Historically, OT environments were air-gapped from IT networks, so cybersecurity was not considered a high risk or a priority. Now that organizations are connecting OT to IT to benefit from emerging technology, cyber incidents pose a significant risk to industrial enterprises, and many organizations have not yet adapted their mindset to this new reality.

Q: Should we be treating ICS networks as semi-public at this point and look to change our security stance (tooling, patching etc.) appropriately?

Culturally, any change to an OT environment is seen as introducing risk, and that is not going to change overnight. However, many of the principles we have learned in IT security should be adopted, and adapted, as far as possible within ICS environments.

Q: How can we implement a zero trust model in OT?

Zero trust can be achieved in phases, and there are several things that can be done:

  • Implement network segmentation according to the different levels of the Purdue Model.
  • Implement multi-factor authentication and follow the principle of least privilege where users or devices have the minimum access privileges necessary to do their jobs. This lessens the risk posed by threat actors trying to move laterally within IT networks or between IT and OT systems.
  • Validate that all devices with access to the OT network are compliant with the organization’s security policy.

Q: What is the recommended best method for remote access if needed?

Secure remote access is an essential part of comprehensive defense-in-depth for any industrial enterprise. We recommend a number of safeguards, including:

  • Network segmentation
  • An asset visibility solution
  • An intrusion detection system for OT environments
  • A secure remote access solution that includes auditing, control and monitoring capabilities
  • Proper firewall rules configuration
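
The segmentation items in the zero-trust list above (segment according to the Purdue levels) and in this list (network segmentation, proper firewall rules) can be checked mechanically. The following script is an added example, not Claroty code or any firewall vendor's rule syntax, and not part of the original post. The zone map, level assignments, subnets and rule list are constructed. It encodes one reading of the Purdue Model: an allow rule may only join zones at adjacent levels, with the industrial DMZ (Level 3.5) between the enterprise network (Level 4) and site operations (Level 3), so that a rule letting the enterprise network reach site operations directly, or letting anything from outside reach the control level, is reported as a violation. The remote-access path in the sample rules terminates in the DMZ, which is where a monitored, audited remote access solution belongs.

```python
"""Audit firewall allow rules against a Purdue-model segmentation policy.

Added example, not Claroty code and not any vendor's rule syntax. The zone map,
level assignments, subnets and rule list are constructed. Policy encoded here:
an allow rule may only join zones at adjacent Purdue levels, with the
industrial DMZ (3.5) between the enterprise network (4) and site operations
(3); any rule that skips a level is a violation.
"""
import ipaddress

# Constructed zone map: zone name -> (Purdue level, network). Level 5 stands
# for everything outside the organization.
ZONES = {
    "internet":   (5,   ipaddress.ip_network("0.0.0.0/0")),
    "enterprise": (4,   ipaddress.ip_network("10.10.0.0/16")),
    "idmz":       (3.5, ipaddress.ip_network("10.20.0.0/24")),
    "site-ops":   (3,   ipaddress.ip_network("10.30.0.0/24")),
    "control":    (2,   ipaddress.ip_network("192.168.10.0/24")),
    "process":    (1,   ipaddress.ip_network("192.168.20.0/24")),
}

# Levels from the outside in; a permitted flow moves at most one position.
LEVEL_ORDER = [5, 4, 3.5, 3, 2, 1]

# Constructed rule set in a generic (name, action, src, dst, service) form.
RULES = [
    ("ent-to-idmz-https",    "allow", "10.10.0.0/16",    "10.20.0.0/24",    "tcp/443"),
    ("idmz-to-siteops-jump", "allow", "10.20.0.0/24",    "10.30.0.0/24",    "tcp/443"),
    ("any-to-control-rdp",   "allow", "0.0.0.0/0",       "192.168.10.0/24", "tcp/3389"),
    ("ent-to-siteops-sql",   "allow", "10.10.5.0/24",    "10.30.0.10/32",   "tcp/1433"),
    ("siteops-to-control",   "allow", "10.30.0.0/24",    "192.168.10.0/24", "tcp/502"),
    ("control-to-process",   "allow", "192.168.10.0/24", "192.168.20.0/24", "tcp/502"),
    ("default-deny",         "deny",  "0.0.0.0/0",       "0.0.0.0/0",       "any"),
]


def zone_of(cidr):
    """Return the most specific zone that wholly contains the network, or None."""
    net = ipaddress.ip_network(cidr, strict=False)
    best = None
    for name, (_, zone_net) in ZONES.items():
        if net.subnet_of(zone_net):
            if best is None or zone_net.prefixlen > ZONES[best][1].prefixlen:
                best = name
    return best


def check_rule(rule):
    """Return a violation message for an allow rule, or None if it conforms."""
    name, action, src, dst, _service = rule
    if action != "allow":
        return None  # deny rules never widen exposure
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "source or destination is not mapped to any zone"
    if src_zone == dst_zone:
        return None  # intra-zone traffic is outside this policy's scope
    src_idx = LEVEL_ORDER.index(ZONES[src_zone][0])
    dst_idx = LEVEL_ORDER.index(ZONES[dst_zone][0])
    if abs(src_idx - dst_idx) > 1:
        return (f"{src_zone} (L{ZONES[src_zone][0]}) -> {dst_zone} "
                f"(L{ZONES[dst_zone][0]}) skips a Purdue level")
    return None


def audit_rules(rules=RULES):
    """Return [(rule name, violation)] for every non-conforming allow rule."""
    findings = []
    for rule in rules:
        problem = check_rule(rule)
        if problem:
            findings.append((rule[0], problem))
    return findings


if __name__ == "__main__":
    for name, problem in audit_rules():
        print(f"VIOLATION {name}: {problem}")
```

On the constructed rule set the audit reports two rules: the remote-desktop rule that lets any source reach the control level, and the database rule that lets the enterprise network reach site operations without passing through the DMZ. The adjacency rule is deliberately strict; if your architecture allows a specific exception (a historian replication path, say), encode it as a named exception rather than loosening the check for everyone.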

Q: How do you get customers to recognize the difference between an industrial solution vs. standard IT VPN platforms?

Claroty Secure Remote Access (SRA) is a software solution delivered as a physical appliance or a virtual machine. It was built for the specialized needs of OT and includes monitoring, auditing and access-control capabilities, along with additional functions that OT environments require and that traditional IT VPN solutions generally do not offer. This is what we do at Claroty, and this is where our focus lies.

We’ve built an architecture that supports network segmentation and preserves the Purdue Model approach. Our OT customers’ challenges are being met with The Claroty Platform’s unmatched capabilities and ability to support OT-specific use cases.

We also have an out-of-the box capability to record all remote sessions conducted through our product, along with file-management capabilities for secure cross-site file transfers. Users can monitor these sessions and disconnect them if malicious activity is detected.

To learn more about Claroty’s Secure Remote Access solution and capabilities, request a demo.