Securing Water Infrastructure: Lessons from Real OT/ICS Cyber Attacks


Different industries have unique environments, devices, and processes. Study your field and learn from its history. Detecting and responding to attacks gets easier because tactics and methods are often repeated.

Focus on your industry!

If you missed the previous article about the Energy sector, feel free to check it out!

Let's dive today into some real-life attacks on Water Treatment & Sewage Systems. We'll look at how these happened, what went wrong, and what we can learn from them to keep our water safe. And of course, how OT SIEM can help us.



2021 Oldsmar Water Treatment Facility

remote access directly to HMI -> easy

  • Vector: compromised remote access credentials
  • Target: control systems of the water treatment plant
  • Impact: increase of sodium hydroxide from 100 to 11,100 ppm
  • Lesson: even 2 firewalls won't save you from direct remote access

The Oldsmar attack highlighted vulnerabilities in remote access configurations and the importance of monitoring and securing SCADA systems in critical infrastructure.


[>] Chain of Attack

[1] Reconnaissance

  • attackers likely researched the facility's use of remote access tools
  • focus was on weaknesses in TeamViewer and the outdated Windows 7 hosts

[2] Weaponization

  • no new malware was necessary - the attack leveraged existing security flaws
  • weaponization here was more about gathering or guessing credentials

[3] Delivery

  • attack vector was TeamViewer, which was accessible over the internet
  • attacker possibly used leaked or shared credentials to connect to the system

[4] Exploitation

  • attacker exploited the lack of secure authentication mechanisms
  • with access to the TeamViewer session, they could control the HMI directly

[5] Installation

  • no installation of malicious software was needed
  • attack was executed by directly manipulating the HMI settings

[6] Command & Control

  • real-time control was achieved through TeamViewer
  • direct manipulation of the system's controls
  • without needing to establish additional C2 infrastructure

[7] Actions

  • attacker adjusted sodium hydroxide concentration from 100 ppm to 11,100 ppm via the HMI
  • this change was visible to the operator, who quickly reverted it, preventing any actual impact on water quality


[>] How OT SIEM Can Detect Such an Attack

The Oldsmar case serves as a reminder of the need for robust cybersecurity practices in OT environments, including secure remote access, regular audits of credentials, and comprehensive monitoring systems like OT SIEM to detect and respond to threats before they cause harm.
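One way an OT SIEM rule for this case can look, as an added example that is not code from the article: remote-access session events are correlated with HMI setpoint changes, and any change that leaves the engineering limits of a dosing tag is alerted together with whether a remote session was open at that moment. The log format, tag name, limits and addresses are all constructed for the example.

```python
# Added example (not from the article): correlate remote-access session
# events with HMI setpoint changes and flag dosing changes outside their
# engineering limits. Log format, tag name, limits and IPs are constructed.
from dataclasses import dataclass

# Assumed engineering limits per tag, in ppm
SETPOINT_LIMITS = {"NaOH_dose_ppm": (50.0, 200.0)}

# Constructed log lines: "<ISO time> <host> <event> key=value ..."
LOG = """\
2021-02-05T13:00:12 hmi-01 REMOTE_SESSION_START tool=TeamViewer user=operator src=203.0.113.5
2021-02-05T13:03:40 hmi-01 SETPOINT_CHANGE tag=NaOH_dose_ppm old=100 new=11100 user=operator
2021-02-05T13:05:02 hmi-01 SETPOINT_CHANGE tag=NaOH_dose_ppm old=11100 new=100 user=operator
2021-02-05T13:06:00 hmi-01 REMOTE_SESSION_END tool=TeamViewer user=operator
2021-02-05T15:00:00 hmi-01 SETPOINT_CHANGE tag=NaOH_dose_ppm old=100 new=120 user=operator
"""

@dataclass
class Alert:
    time: str
    host: str
    tag: str
    new_value: float
    remote_session: bool   # was a remote session open on this host?

def parse(line):
    time, host, event, *kv = line.split()
    return time, host, event, dict(p.split("=", 1) for p in kv)

def detect(log):
    """Alert on every setpoint change outside SETPOINT_LIMITS and record
    whether a remote session was open on the same host at that moment."""
    open_sessions = set()
    alerts = []
    for line in log.splitlines():
        time, host, event, f = parse(line)
        if event == "REMOTE_SESSION_START":
            open_sessions.add(host)
        elif event == "REMOTE_SESSION_END":
            open_sessions.discard(host)
        elif event == "SETPOINT_CHANGE":
            lo, hi = SETPOINT_LIMITS.get(f["tag"], (float("-inf"), float("inf")))
            new = float(f["new"])
            if not lo <= new <= hi:
                alerts.append(Alert(time, host, f["tag"], new, host in open_sessions))
    return alerts
```

The revert back to 100 ppm and the later 120 ppm change stay inside the limits, so only the 11,100 ppm change raises an alert, tagged as made during a remote session.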



2000 Maroochy Shire Sewage Spill

insider attack using stolen equipment -> no fun

  • Vector: physical theft and manipulation of radio-controlled equipment
  • Target: sewage control systems in Maroochy Shire, Australia
  • Impact: over 800,000 liters of raw sewage spilled into local environments
  • Lesson: insider threats can be devastating

The Maroochy attack demonstrated how physical access to OT systems can lead to environmental disasters, highlighting the need for comprehensive security measures.


[>] Chain of Attack

[1] Reconnaissance

  • former employee had intimate knowledge of the system from prior employment

[2] Weaponization

  • he stole radio-controlled equipment used for sewage management

[3] Delivery

  • he physically brought the stolen equipment into the system's radio range

[4] Exploitation

  • used the stolen equipment to access & control the sewage treatment plant's operations

[5] Installation

  • no new software was installed
  • attack was executed via hardware he had stolen

[6] Command & Control

  • direct manipulation through radio signals
  • controlled sewage pumps and valves

[7] Actions

  • caused pumps and alarms to malfunction
  • leading to sewage spills at various locations


[>] How OT SIEM Can Detect Such an Attack

This incident stresses the importance of securing physical access to OT environments and integrating physical security measures with cyber security protocols.
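A rogue transmitter leaves one clear trace a SIEM can use: the field RTUs receive commands that the SCADA master never sent. The following added example (not code from the article) compares the master's issue log with the RTU receive log and flags any received command without a matching issue inside a short window, or from a station address that is not in the inventory. Station ids, the window and both log formats are constructed assumptions.

```python
# Added example (not from the article): flag radio commands seen by field
# RTUs that the SCADA master never issued. Station ids, window and log
# formats are constructed for the example.
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=5)                 # assumed max issue-to-receipt delay
KNOWN_STATIONS = {"PS-4", "PS-7", "PS-12"}    # assumed pumping-station inventory

# Constructed: commands the SCADA master logged as sent
MASTER_LOG = """\
2000-03-01T02:00:00 issue station=PS-4 cmd=PUMP_START
2000-03-01T02:10:00 issue station=PS-7 cmd=PUMP_STOP
"""
# Constructed: commands the RTUs logged as received over radio
FIELD_LOG = """\
2000-03-01T02:00:02 recv station=PS-4 cmd=PUMP_START
2000-03-01T02:10:01 recv station=PS-7 cmd=PUMP_STOP
2000-03-01T02:31:17 recv station=PS-7 cmd=PUMP_STOP
2000-03-01T02:31:20 recv station=PS-7 cmd=ALARM_DISABLE
2000-03-01T02:45:00 recv station=PS-99 cmd=PUMP_STOP
"""

def parse(log):
    """Turn 'ts issue|recv station=X cmd=Y' lines into (datetime, station, cmd)."""
    out = []
    for line in log.splitlines():
        ts, _, *kv = line.split()
        f = dict(p.split("=", 1) for p in kv)
        out.append((datetime.fromisoformat(ts), f["station"], f["cmd"]))
    return out

def find_rogue_commands(master_log, field_log):
    """Return (time, station, cmd, reason) for received commands with no
    matching master issue within WINDOW, or from an unknown station."""
    issued = parse(master_log)
    rogue = []
    for t, station, cmd in parse(field_log):
        if station not in KNOWN_STATIONS:
            rogue.append((t.isoformat(), station, cmd, "unknown station address"))
            continue
        matched = any(s == station and c == cmd and timedelta(0) <= t - ti <= WINDOW
                      for ti, s, c in issued)
        if not matched:
            rogue.append((t.isoformat(), station, cmd, "no matching master command"))
    return rogue
```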



2013 Bowman Avenue Dam Hack

one more remote attack with internet-facing SCADA

  • Vector: exploitation of internet-facing control systems
  • Target: SCADA system controlling the floodgates of the Bowman Avenue Dam in Rye Brook, New York
  • Impact: no physical damage reported, but demonstrated vulnerability in infrastructure control systems
  • Lesson: even small, less critical infrastructure can be targets for cyber espionage or sabotage

This attack highlighted the risks associated with internet-connected infrastructure and the potential for cyber-physical attacks.


[>] Chain of Attack

[1] Reconnaissance

  • attackers likely identified the dam's SCADA system as being internet-exposed, possibly through public records or network scanning

[2] Weaponization

  • used existing exploits for vulnerabilities in the SCADA system

[3] Delivery

  • attack was delivered over the internet, exploiting the system's exposure

[4] Exploitation

  • exploited vulnerabilities in the SCADA software or network configuration to gain access

[5] Installation

  • possibly installed malicious software to maintain access or control

[6] Command & Control

  • direct manipulation of the SCADA system's interface or commands

[7] Actions

  • no physical action was taken as the attack was detected before any damage could be done
  • dam’s sluice gate had been manually taken offline for routine maintenance
  • but it demonstrated the capability to control floodgate operations


[>] How OT SIEM Can Detect Such an Attack

This incident underscores the need for securing even seemingly minor infrastructure components from cyber threats, emphasizing network security, regular vulnerability assessments, and proactive monitoring.
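The monitoring side of this lesson is an allowlist: SCADA hosts should only ever be reached from the engineering segments that need them, and every permitted connection from anywhere else is an alert. The added example below (not code from the article) runs that check over a constructed firewall log; the networks, the SCADA host, its ports (502 for Modbus/TCP, 20000 for DNP3, 443 for a web HMI) and the addresses are assumptions made for the example.

```python
# Added example (not from the article): alert on permitted connections to a
# SCADA host from outside the networks allowed to reach it. Networks, host,
# ports and the log format are constructed for the example.
import ipaddress

# Assumed: engineering/OT segments that may talk to SCADA hosts
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]
# Assumed: SCADA hosts and the protocol ports they expose (Modbus/TCP, DNP3, web HMI)
SCADA_HOSTS = {"10.20.1.10": {502, 20000, 443}}

# Constructed firewall log: "<time> <action> src= dst= dport= proto="
FW_LOG = """\
2013-08-01T09:12:01 allow src=10.20.3.4 dst=10.20.1.10 dport=502 proto=tcp
2013-08-01T09:15:44 allow src=198.51.100.23 dst=10.20.1.10 dport=443 proto=tcp
2013-08-01T09:15:50 allow src=198.51.100.23 dst=10.20.1.10 dport=502 proto=tcp
2013-08-01T09:20:00 allow src=192.168.50.7 dst=10.20.1.10 dport=20000 proto=tcp
2013-08-01T09:21:10 deny src=203.0.113.9 dst=10.20.1.10 dport=502 proto=tcp
"""

def is_allowed_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)

def find_exposed_access(log):
    """Return (time, src, dst, port) for *allowed* connections to a SCADA
    protocol port from outside the permitted networks. Denied attempts are
    skipped: they show scanning, but the alert that matters is the session
    the perimeter let through."""
    hits = []
    for line in log.splitlines():
        time, action, *kv = line.split()
        f = dict(p.split("=", 1) for p in kv)
        if action != "allow" or f["dst"] not in SCADA_HOSTS:
            continue
        port = int(f["dport"])
        if port in SCADA_HOSTS[f["dst"]] and not is_allowed_source(f["src"]):
            hits.append((time, f["src"], f["dst"], port))
    return hits
```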



2023 Cyber Av3ngers Attack on Water Facilities

multiple water utilities with internet-facing PLC

  • Vector: exploitation of vulnerabilities in Unitronics PLC
  • Target: multiple water utilities, including the Aliquippa Municipal Water Authority in Pennsylvania
  • Impact: disruption of water services, including disabling a booster station, and displaying political messages on HMI screens
  • Lesson: the importance of securing internet-facing OT devices and the risks of geopolitical cyber conflicts

This attack showcased how easily accessible internet-facing devices could be compromised to disrupt services.


[>] Chain of Attack

[1] Reconnaissance

  • Cyber Av3ngers likely scanned for internet-exposed Unitronics PLCs, possibly using tools like Shodan to find targets

[2] Weaponization

  • exploited known vulnerabilities, particularly default passwords or other security weaknesses in Unitronics PLCs

[3] Delivery

  • attack was delivered remotely through internet connections to the compromised devices

[4] Exploitation

  • gained access by leveraging default or weak passwords, possibly using automated tools to test credentials

[5] Installation

  • malicious code might have been installed to change operational settings or display messages on the HMI

[6] Command & Control

  • controlled the PLCs remotely to alter settings or display messages, possibly through direct manipulation or pre-installed commands

[7] Actions

  • altered system settings to disrupt water pressure or disable systems, alongside displaying political messages


[>] How OT SIEM Can Detect Such an Attack

This incident emphasizes the need for securing OT devices from internet exposure, enforcing strong authentication practices, and implementing comprehensive monitoring solutions.
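Default or weak passwords guessed by automated tools leave a burst of failed logins followed by a success from the same source, and then configuration writes from that source. The added example below (not code from the article) detects that sequence in a constructed PLC authentication log and attaches the follow-on writes to the alert; the device name, thresholds, event names and addresses are assumptions for the example.

```python
# Added example (not from the article): flag a source that fails
# authentication repeatedly against a PLC/HMI and then succeeds, and attach
# the configuration writes it makes afterwards. Log lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 3                   # assumed: failures needed before we alert
WINDOW = timedelta(minutes=10)  # assumed: failures must fall inside this window

# Constructed log: "<time> <device> <event> src= user=|item="
AUTH_LOG = """\
2023-11-25T03:10:01 plc-booster-1 AUTH_FAIL src=198.51.100.77 user=admin
2023-11-25T03:10:03 plc-booster-1 AUTH_FAIL src=198.51.100.77 user=admin
2023-11-25T03:10:05 plc-booster-1 AUTH_FAIL src=198.51.100.77 user=admin
2023-11-25T03:10:08 plc-booster-1 AUTH_OK src=198.51.100.77 user=admin
2023-11-25T03:12:30 plc-booster-1 CONFIG_WRITE src=198.51.100.77 item=hmi_screen_text
2023-11-25T08:00:00 plc-booster-1 AUTH_FAIL src=10.20.3.4 user=operator
2023-11-25T08:00:10 plc-booster-1 AUTH_OK src=10.20.3.4 user=operator
"""

def detect_guess_then_success(log):
    """Return {(device, src): alert} where >= THRESHOLD failures within WINDOW
    precede a success; later CONFIG_WRITE events from that src are attached."""
    fails = defaultdict(list)   # (device, src) -> failure timestamps
    alerts = {}
    for line in log.splitlines():
        ts, device, event, *kv = line.split()
        t = datetime.fromisoformat(ts)
        f = dict(p.split("=", 1) for p in kv)
        key = (device, f["src"])
        if event == "AUTH_FAIL":
            fails[key].append(t)
        elif event == "AUTH_OK":
            recent = [x for x in fails[key] if t - x <= WINDOW]
            if len(recent) >= THRESHOLD:
                alerts[key] = {"time": ts, "user": f["user"],
                               "failures": len(recent), "writes": []}
            fails[key].clear()   # a success resets the counter either way
        elif event == "CONFIG_WRITE" and key in alerts:
            alerts[key]["writes"].append(f["item"])
    return alerts
```

The operator's single typo followed by a successful login stays below the threshold and produces nothing, so noise from normal use is kept out of the alert.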



2019 Wyatt the Wichita Wildman

remote access from former employee

Two months after resigning from his position at the Post Rock Rural Water District in Ellsworth, Kansas, a 22-year-old man managed to remotely access the control system of his former workplace. Still using his old login details, he was able to disrupt water services to approximately 1,500 customers by shutting down the supply.

The reasons behind his actions are shrouded in mystery. According to the prosecutor, he was so heavily under the influence of alcohol during the incident that he claimed to have no recollection of the events.



Conclusion

The attacks on water infrastructure underscore the urgent need for improved cybersecurity in OT environments.

-> Remote access

-> Insider threats

-> Internet-exposed devices

have all been exploited to cause disruption or demonstrate vulnerabilities.

Lessons from these incidents emphasize securing access controls, implementing strong authentication, monitoring critical systems, and integrating OT SIEM solutions.

By understanding the attack chains and weak points, you can better protect essential water services from future cyber threats.



You are at Level 2 Documentation Tree - Attacks 2/5 Skill

Don't forget to check your main Leveling Guide

And leave comments or likes; your feedback helps a lot ☢️


Zakhar Bernhardt

ICS/OT Cybersecurity Consultant | Creator of 1st OT SIEM & NVIDIA AI IDS Patented | Incident Response & SOC Expert | Industrial Pentester OSCP | OT Cybersecurity Writer

1w

Arnold Murphy Stuart Thomas Leandro Correia .'. Desmond Lamptey Fadi Hassan thanks a lot for reposting!

Very helpful

Ian Leroy Arakel

Information Security Enthusiast || ICS/OT Security Aspirant || Lifelong learner

1w

Zakhar Bernhardt: Your posts are amazing. The visuals and flow of explanation are great.

Learnings:

  • OT environments are no longer targeted by specific adversaries like Nation State or APTs. Even Hacktivists and Cyber Criminals have realised the importance and flaws in OT.
  • Reviewing the infra on a timely basis should be incorporated in the security culture.
  • Access reviews to be done on a regular basis to avoid resigned employees having unwanted access.
  • Visibility using the right tools is important for understanding abnormal behaviour and patterns.

Ayo Agunbiade CISSP, CCSP, CCSK, CISM, CSSLP, PMP

Cybersecurity Advisory | Vulnerability Mgt | Cloud Security & Governance | Cybersecurity Solution Architecture | Third-party Risk Mgt | OT & ICS Cybersecurity | Secure SDLC | Product Security | GRC

1w

Zakhar Bernhardt. Sure, a cyber attack on a water system will have a devastating impact on human lives. And that is why this critical infrastructure sector requires solid cybersecurity controls and network monitoring. I like the layout of your article showcasing the attack vector, target, impact and lesson. And the chain of attack. These helped in putting the attack scenarios into perspective.

3 key vectors highlighted in your article:

  • Remote Access: Control: For 3rd parties, remote access only allowed when there’s an authorized need, not left exposed 24x7. In addition, deploy 2FA at the appropriate level.
  • Internet-connected devices (SCADA, PLC): Control: These critical OT assets should not have been exposed to the Internet in the first place. An external attack surface management tool could have detected these exposed Internet-facing OT assets. Shodan can do this.
  • Insider Threats: this is a bit difficult to control. An authorized user with a malicious intent is an insider threat. An accidental or error-prone activity by an authorized user is also an insider threat.

Excellent article as usual. Thanks.

Dr. Shekhar Pawar

Founder & CEO @ SecureClaw & GrassDew IT Solutions 🛡️ Doctorate in Cybersecurity from SSBM Switzerland 👉 We Offer🕵️Virtual CISO | VAPT | SAST | BDSLCCI | Software Development | Teleservices

1w

Good explanation!
