Pressure Mounting for Mandatory Breach Disclosure
By Grant Geyer | June 22, 2021
One subtlety consistently overlooked about the Oldsmar water treatment facility breach in February was the willingness of law enforcement and plant officials to share details about the attack vector used to gain access to the network, as well as the potential consequences to public safety had controls not been in place to mitigate the attacker’s actions.
Pinellas County Sheriff Bob Gualtieri, flanked by plant management, led a press conference disclosing the attack days after the incident and was lauded not only for telling the public that their drinking water was safe, but for being forthright about critical details on how intruders got into the plant network. His message to the public was equal parts informative and reassuring, stating that certain redundancies and safeguards innate to water treatment facilities would have prevented tainted water from reaching residential or commercial customers.
This is going to be an important case study as conversations ramp up on Capitol Hill about mandating breach disclosure for critical infrastructure sectors in the United States. There is tremendous value in these details for peers across industries. Knowing, for example, that attackers were using stolen TeamViewer credentials to remotely access HMIs and change chemical levels in drinking water would hopefully nudge others in the sector to lock down credentials, implement two-factor authentication, and be more forceful about the need for overall risk and governance assessments.
Compounding the urgency of this narrative around mandatory reporting is the story that broke last week from NBC News that a Bay Area water treatment facility was breached by remote attackers. The intruders gained access via a former employee’s TeamViewer credentials that had not been terminated. Once on the network, the attacker was able to delete applications used to treat public drinking water, NBC News said.
Had details about the Bay Area attack been disclosed in a timely manner one month before Oldsmar, that incident may have been prevented—and almost certainly there have been other breaches, as yet unreported, that may be linked to this same attack vector. Information sharing has become a pat answer in the aftermath of a breach, yet it can work in a controlled environment, even among competitors (see the numerous industry ISACs supporting such activity).
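Both incidents above turn on the same control failure: a remote-access login that outlived the person it was issued to, or that never had a second factor. The script below is an added example, not code from the original post or from any utility or vendor it mentions, showing the offboarding audit a defender would run: it reconciles the user list exported from a remote-access tool against the HR roster and flags accounts whose owner has left, accounts used after their owner's termination date, accounts with no HR record at all, logins without MFA, and logins unused for a long period. All names, ids, dates and the field layout are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample data for this example: the user list exported from a
# remote-access tool and an HR roster. Names, ids, dates and the field layout
# are assumptions, not data from any real utility.

@dataclass(frozen=True)
class RemoteAccount:
    username: str       # login on the remote-access tool
    owner_id: str       # employee id the account was issued to
    mfa_enabled: bool   # second factor enforced for this login
    last_login: date

@dataclass(frozen=True)
class Employee:
    employee_id: str
    status: str                             # "active" or "terminated"
    termination_date: Optional[date] = None

AUDIT_DATE = date(2021, 6, 22)  # assumed date the audit is run

REMOTE_ACCOUNTS: List[RemoteAccount] = [
    RemoteAccount("ops_jdoe", "E100", True, AUDIT_DATE - timedelta(days=3)),
    # Offboarded operator whose remote login was never revoked and is still in use
    RemoteAccount("ops_rsmith", "E101", False, AUDIT_DATE - timedelta(days=5)),
    # Integrator account with no owner on the HR roster, no MFA, long unused
    RemoteAccount("vendor_hmi", "V900", False, AUDIT_DATE - timedelta(days=200)),
    # Current employee, MFA on, but the login has gone stale
    RemoteAccount("ops_alee", "E102", True, AUDIT_DATE - timedelta(days=120)),
]

HR_ROSTER: Dict[str, Employee] = {
    "E100": Employee("E100", "active"),
    "E101": Employee("E101", "terminated", date(2021, 1, 15)),
    "E102": Employee("E102", "active"),
}

# Finding labels, kept as constants so reports and tests can match on them
ORPHANED = "owner terminated but account still active"
USED_AFTER_TERMINATION = "login recorded after owner's termination date"
UNKNOWN_OWNER = "no matching HR record for owner"
NO_MFA = "MFA not enabled"


def audit_remote_access(accounts: List[RemoteAccount],
                        roster: Dict[str, Employee],
                        today: date,
                        stale_after_days: int = 90) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for every account that fails a control.

    Accounts with no findings are omitted, so an empty dict means the
    remote-access user list is consistent with HR, every login has MFA,
    and nothing has sat unused past the staleness threshold.
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        reasons: List[str] = []
        emp = roster.get(acct.owner_id)
        if emp is None:
            reasons.append(UNKNOWN_OWNER)
        elif emp.status == "terminated":
            when = emp.termination_date.isoformat() if emp.termination_date else "unknown date"
            reasons.append(f"{ORPHANED} (terminated {when})")
            # The Bay Area pattern: the credential kept working after departure
            if emp.termination_date and acct.last_login > emp.termination_date:
                reasons.append(USED_AFTER_TERMINATION)
        if not acct.mfa_enabled:
            reasons.append(NO_MFA)
        if (today - acct.last_login).days > stale_after_days:
            reasons.append(f"no login in more than {stale_after_days} days")
        if reasons:
            findings[acct.username] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in audit_remote_access(REMOTE_ACCOUNTS, HR_ROSTER, AUDIT_DATE).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

Run on the constructed data, the audit reports three of the four accounts: the terminated operator's login (still active, used after termination, no MFA), the vendor account (no owner record, no MFA, stale) and the stale-but-otherwise-healthy operator login. Feeding it the real exports is a matter of replacing the two constructed lists with parsers for the tool's and HR system's export formats.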
US Government is Stirring
Hacks that threaten public safety, however, seem to have awoken U.S. leadership and lawmakers more than the endless stream of personal information and payment card data thefts has. Government decision-makers are going to get more fuel for their fire from the results, released this week, of a survey conducted by the Water Information Sharing and Analysis Center (WaterISAC). Almost 600 water treatment facility employees took part, and some of the numbers are not pretty:
Only 38% of water utilities have inventoried IT-networked assets; another 22% are working to do so.
31% have inventoried all OT-networked assets; another 23% are working to do so.
Of those that have identified all IT and OT assets, 75% have implemented cybersecurity programs at varying stages of maturity.
45% of systems allocate less than 1% of budget to OT cybersecurity; 1.7% allocate more than 10% of budget to cybersecurity.
38% of systems allocate less than 1% of budget to OT cybersecurity; 4.1% allocate more than 10% of budget to cybersecurity.
Respondents, meanwhile, want help from the federal government. Many of them are under-funded and under-resourced to handle cybersecurity threats, in particular from advanced attackers who have deep pockets and a wealth of knowledge to exploit internet-connected OT control systems. They’re asking for help in four areas: training and education specific to the water sector; technical assistance, assessments, and tools; cybersecurity threat information; and federal loans and grants.
There is some help available, including the American Water Works Association’s “Cybersecurity Guidance and Tool,” which aligns with the NIST Cybersecurity Framework and America’s Water Infrastructure Act of 2018. The tool is a voluntary approach for implementing cybersecurity controls for water systems, many of which serve relatively small communities. AWIA, for example, requires water systems that serve more than 3,300 people to consider cybersecurity as part of a risk assessment and response plan.
The issue may be that these mandates today aren’t mandates at all. Voluntary disclosures and voluntary measures to handle basic cybersecurity hygiene within critical infrastructure don’t leave us as a nation in a safe place.
The U.S. government in 2021, meanwhile, has been both reactive and proactive about cybersecurity, implementing a number of measures that call out threats to industrial control systems and OT networks specifically. There are also a number of bills under consideration that would escalate the timeline for mandatory breach reporting for critical infrastructure sectors.
Already we’ve seen some steps in this direction. For example, in the wake of the Colonial Pipeline ransomware attack, the Transportation Security Administration (TSA) Security Directive was born. It requires pipeline operators to report breaches within 12 hours of detection, regardless of whether IT or OT systems are impacted. The TSA directive specifies “incidents” to include unauthorized system access, the discovery of malicious software, denial-of-service attacks, physical attacks against network infrastructure, and any other cybersecurity incident that results in disruption of IT or OT systems.
Anything that impacts the safe delivery of products to customers, critical infrastructure, national security, economic security, or public health and safety is in scope. This very likely will be the first salvo of similar requirements among all critical infrastructure sectors in the U.S.
While it’s easy to understand why organizations may want to keep incidents private, disclosing them creates opportunities for information sharing to prevent the same kind of attack from happening to someone else. These gains aren’t always possible when incident reporting is voluntary, which speaks to the mounting congressional desire for mandatory disclosure of breaches against critical infrastructure when public safety is on the line.