Water ISAC on Oldsmar Hack, Sector Security
By Michael Mimoso | Claroty Editorial Director | Feb. 23, 2021
The recent cybersecurity incident at the Oldsmar, Fla., water-treatment facility is noteworthy, not only for the fact that a remote attacker was able to manipulate chemical levels in public drinking water, but also for the actions and transparency of plant operators and law enforcement in sharing crucial details about the hack.
In this episode of Aperture, Water ISAC Managing Director Michael Arceneaux and Cyber Threat Analyst Jennifer Lyn Walker discuss the attack and how it underscores the need for better information sharing about incidents and for improved security hygiene inside critical infrastructure sectors such as water and wastewater.
The Oldsmar hack is the type of event cybersecurity and ICS security specialists have been speculating about for years: an intruder remotely accessing and manipulating a production process. What was unusual and unexpected about this incident was the level of detail and information that was shared in the hours after the attack.
Arceneaux says that utilities are generally reticent to share incident information out of fear of giving other attackers ammunition to target their facilities. Water ISAC, like other information sharing and analysis centers, anonymizes information that is shared among its member utilities; Water ISAC has more than 400 member utilities that serve much of the United States.
“Utilities ought to know they can share incident information with the government, with Water ISAC and get the help they need without having to have press conferences,” Arceneaux said. “Organizations that recognize the value of sharing are really improving their sector-wide posture.”
The attack also underscores the need for secure remote access. Poor password practices or misconfigured remote desktop sharing applications can expose organizations to a number of internet-facing threats.
“With the increase in remote desktop or RDP attacks in 2020, actors knew that small-medium utilities or small businesses were throwing up remote access and probably weren’t going to secure it. We found out that was true,” Walker said, pointing to a rash of brute-force and credential-stuffing attacks. “It seemed largely that security was snoozed in that respect.”
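The brute-force and credential-stuffing pattern Walker describes has a recognizable footprint in logon telemetry, which is what a defender at a small utility can actually monitor. The following is an added example, not code from Claroty, Water ISAC or the Oldsmar investigation: it runs over a constructed set of RDP failed-logon records (the format, the IP addresses and the account names are all made up for illustration) and separates a single-account password-guessing burst from a many-account credential-stuffing run, and flags the most important signal of all, a success that follows a burst of failures from the same source.

```python
"""Flag RDP brute-force and credential-stuffing activity in failed-logon records.

Added example with constructed data; not code from the original article.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real logs). Each line is: timestamp,
# source IP, target account, outcome. The shape loosely mirrors what a log
# collector would extract from Windows Security events 4625 (failed logon)
# and 4624 (successful logon) with logon type 10 (RemoteInteractive / RDP).
SAMPLE_LOG = """\
2021-02-05T09:00:01 203.0.113.7 operator FAIL
2021-02-05T09:00:04 203.0.113.7 operator FAIL
2021-02-05T09:00:07 203.0.113.7 operator FAIL
2021-02-05T09:00:10 203.0.113.7 operator FAIL
2021-02-05T09:00:13 203.0.113.7 operator FAIL
2021-02-05T09:00:16 203.0.113.7 operator SUCCESS
2021-02-05T09:01:00 198.51.100.9 jsmith FAIL
2021-02-05T09:01:02 198.51.100.9 mjones FAIL
2021-02-05T09:01:04 198.51.100.9 admin FAIL
2021-02-05T09:01:06 198.51.100.9 scada FAIL
2021-02-05T09:01:08 198.51.100.9 hmi FAIL
2021-02-05T09:01:10 198.51.100.9 backup FAIL
2021-02-05T09:05:00 192.0.2.20 operator FAIL
2021-02-05T09:05:30 192.0.2.20 operator SUCCESS
"""


def parse_records(text):
    """Turn the whitespace-separated sample format into (ts, src, user, outcome) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        records.append((datetime.fromisoformat(ts), src, user, outcome))
    return records


def analyze(records, window_seconds=300, fail_threshold=5, spray_users=5,
            min_fails_before_success=3):
    """Return {source_ip: set_of_labels} for sources showing suspicious logon patterns.

    brute_force:            >= fail_threshold failures in a window against few accounts
    credential_stuffing:    >= fail_threshold failures in a window spread over
                            >= spray_users distinct accounts (one try per account)
    success_after_failures: a SUCCESS preceded within the window by
                            >= min_fails_before_success failures from the same source
    Thresholds are illustrative assumptions; tune them to the environment.
    """
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec[1]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r[0])
        labels = set()
        fails = [r for r in recs if r[3] == "FAIL"]

        # Sliding window over the failures from this source.
        start = 0
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            window = fails[start:end + 1]
            if len(window) >= fail_threshold:
                distinct_users = {r[2] for r in window}
                if len(distinct_users) >= spray_users:
                    labels.add("credential_stuffing")
                else:
                    labels.add("brute_force")

        # A success shortly after a burst of failures is the strongest sign that
        # a guessed or stuffed credential actually worked and warrants response.
        for ts, _, _, outcome in recs:
            if outcome != "SUCCESS":
                continue
            prior_fails = [r for r in fails
                           if 0 <= (ts - r[0]).total_seconds() <= window_seconds]
            if len(prior_fails) >= min_fails_before_success:
                labels.add("success_after_failures")

        if labels:
            findings[src] = labels
    return findings


if __name__ == "__main__":
    for src, labels in sorted(analyze(parse_records(SAMPLE_LOG)).items()):
        print(f"{src}: {', '.join(sorted(labels))}")
```

On the constructed data, 203.0.113.7 is reported as brute_force plus success_after_failures, 198.51.100.9 as credential_stuffing, and 192.0.2.20 (one typo followed by a normal login) is not reported at all. Distinguishing the two failure patterns matters for response: a password-guessing burst against one account points at lockout and MFA on that account, while a spray across many accounts usually means the exposed service itself should be taken off the internet or placed behind a VPN.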
Walker and Arceneaux cover a number of other areas throughout this conversation, including:
- How utilities’ increased remote access requirements during the pandemic have increased the attack surface available to threat actors.
- Whether small water facilities have the cybersecurity training and resources they need to combat skilled attackers.
- How the public nature of this attack will impact information sharing, and what best practices organizations can follow to safely share attack data.