Sodium hydroxide, NaOH, is a commonly used water treatment deployed in safe amounts by water treatment plants across the US. In large concentrations, however, it can be dangerous and even deadly to humans. Now, imagine a hacker from a country of national security concern finding a vulnerability in the remote access software that controls the levels of NaOH, or lye, in the water system. With just a few lines of code, the hacker can increase the NaOH to 100 times the normal level, sufficient to poison every member of the town.
While this may sound like the beginning of a James Bond film, this scenario played out in early 2021 in Oldsmar, Florida. Fortunately, a system administrator witnessed the suspicious activity via TeamViewer and aborted the attack before any harm could occur. Unfortunately, this type of attack is no longer reserved for the big screen and has become a serious threat to state and local critical infrastructure and the everyday lives of private citizens.
You may hear the term “killware” used in reference to this kind of attack, and it’s not just a snazzy marketing term designed to get your attention. As we’ve previously reported, hospitals and healthcare systems have historically made appetizing targets to “killware” hackers because of the potential threat to human life. Now with the Oldsmar incident, we’re seeing how cyber attackers can and will continue to weaponize operational technology environments. This article aims to shed light on these cyber-physical attacks. We’ll cover what they are, why they can’t be ignored, and how Axio360 can help you get started with a Cybersecurity Capability Maturity Model (C2M2v2) assessment, thus preventing a James Bond-esque doomsday scenario in the future.
Our Lives Depend on Operational Technology
According to Gartner, by 2025, cyber attackers will have weaponized operational technology environments to harm or kill humans. To better understand cyber-physical attacks, we will outline the distinction between the two types of technology in cybersecurity: IT and OT.
IT, or information technology, is responsible for moving data from one person to another. IT networks today tend to be regulated, robust, and relatively standardized; Microsoft Windows, for example, accounts for an estimated 75% of worldwide desktop operating systems. OT, or operational technology, on the other hand, is not standardized. It includes a vast spectrum of devices designed to monitor and control physical equipment and processes, and to gather data about them.
Some examples of devices that can make up the OT ecosystem include:
- Programmable Logic Controllers (PLCs), which can control things like assembly line processes, or the ratio of materials needed to process chemicals
- Supervisory Control and Data Acquisition (SCADA) systems, which are control systems that oversee, monitor, and aggregate the sensor information necessary to operate plant machines
- Distributed Control Systems (DCS), which control multiple machines in a plant
- Computer Numerical Control (CNC) systems, which are computerized machine tools that can be programmed to fabricate a physical object
- Building Management and Building Automation Systems (BMS/BAS), which control temperature, lighting, access and control points, and other necessities
- Lighting Control, both for internal and external applications
- Energy Monitoring for security and safety systems in the physical environment
- Transportation Systems for the physical environment
Why OT Risk Can’t Be Ignored
OT systems are the lifeblood of society. State and local government, as well as critical infrastructure sectors like finance, utilities, manufacturing, healthcare, retail, etc., depend on all types of OT devices. Without them, we can’t expect essential goods and services to function. Hospital patients can be endangered if medical diagnostic systems are made inoperable, the pressure in a building’s oil valve could be increased to cause an explosion, and, as we saw in Oldsmar, water and wastewater facilities can be lethally compromised.
The risk of connecting OT systems to IT systems and other OT systems has several causes. Operational technology is now almost entirely connected to wireless technologies and IT operating systems, resulting in constantly expanding attack surfaces. OT environments are not industry agnostic and have no standardized security practices. Many are old or legacy devices with little to no authentication or encryption. Operating systems often go without updates, and vendors are unconcerned with software security updates or patches.
Additionally, state and local government utility systems like the one in Oldsmar often work with limited funds and resources, and their main priority is getting citizens clean water, not cybersecurity. Luckily, the Oldsmar operator was able to escalate and prevent the cyber-physical attacker from causing irreparable harm. However, the system that was accessed ran a legacy operating system on an open network and used widely shared login credentials. All of these facts add up to one basic conclusion: poor cyber hygiene.
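The Oldsmar attack was stopped because an operator happened to see the setpoint change on screen. The following is an added example, not code from the original article or from Axio, of the kind of automated plausibility guard a defender would place between an HMI or remote-access session and the controller: it denies writes outside an engineering band or with an implausible jump, and holds remote-origin writes for local confirmation. The tag name, limits, source labels and sample events are all hypothetical.

```python
"""Setpoint plausibility guard for a chemical-dosing system (added example)."""
from dataclasses import dataclass

# Constructed engineering limits; a real plant takes these from its process
# safety documentation, not from this example.
LIMITS = {"naoh_setpoint_ppm": (20.0, 300.0)}  # hypothetical safe band
MAX_STEP_RATIO = 3.0   # hypothetical: a jump beyond 3x the current value is implausible
REMOTE_SOURCES = {"remote_desktop"}  # hypothetical label for remote-access sessions


@dataclass
class WriteRequest:
    tag: str         # process tag being changed
    current: float   # value currently in the controller
    requested: float
    source: str      # origin of the write, e.g. "local_hmi" or "remote_desktop"


def guard(req: WriteRequest) -> tuple[str, list[str]]:
    """Decide whether a setpoint write may proceed.

    Returns (decision, reasons) where decision is:
      "allow"   - inside the engineering band and a plausible step size
      "deny"    - outside the band or an implausible jump; never reaches the PLC
      "confirm" - plausible, but from a remote session: needs a local operator
    """
    reasons = []
    lo, hi = LIMITS.get(req.tag, (float("-inf"), float("inf")))
    if not lo <= req.requested <= hi:
        reasons.append(f"{req.requested} outside safe band [{lo}, {hi}]")
    if req.current > 0 and req.requested / req.current > MAX_STEP_RATIO:
        reasons.append(f"{req.requested / req.current:.0f}x jump from {req.current}")
    if reasons:
        return "deny", reasons
    if req.source in REMOTE_SOURCES:
        return "confirm", ["write originated from a remote-access session"]
    return "allow", []


if __name__ == "__main__":
    # Constructed events modelled on the incident described above: a normal
    # local adjustment, a small remote one, then a 100x increase pushed remotely.
    events = [
        WriteRequest("naoh_setpoint_ppm", 100.0, 110.0, "local_hmi"),
        WriteRequest("naoh_setpoint_ppm", 110.0, 120.0, "remote_desktop"),
        WriteRequest("naoh_setpoint_ppm", 110.0, 11000.0, "remote_desktop"),
    ]
    for e in events:
        print(e.source, e.requested, guard(e))
```

The guard fails closed: a denied write never reaches the controller, and the reasons list is what a SOC would want logged and alerted on.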
What Can You Do to Strengthen Your OT Posture?
In 2012, Axio staff played a critical role in the development of the very first version of the C2M2 with the Department of Energy, focusing originally on the electricity subsector. In the years since, newer versions of this model were enhanced to include other critical infrastructure sectors. The most recent version, v2, was released in July 2021 to help critical infrastructure operators determine their risk management and mitigation status, and the Axio360 platform includes all of the new changes.
The Oldsmar incident was indeed a close call, and it’s only one of many OT attacks within the past year. Cybersecurity professionals working in critical infrastructure should be concerned about the growing frequency of these incidents, and a ransomware preparedness assessment offers a quick win. The first step in preventing an OT cyber attack is to understand your OT environment clearly, and an assessment of the controls you have in place can give you a bird’s eye view of your vulnerabilities. By comprehensively documenting your OT environment, you’ll have an easier time tackling these susceptibilities. We recommend getting started with a C2M2v2 assessment, free for a single user in the Axio360 platform. You can also demo Axio’s QuickQuant, a tool to quickly quantify your organization’s most catastrophic OT scenarios and what steps to take to minimize financial impact.
Operational technology hacking events now extend far beyond financial or reputational damage for governments and organizations. Killware and cyber-physical attacks are no longer hypothetical. Businesses must proactively mitigate cyber-physical risks, starting with basic cybersecurity hygiene (authentication, encryption, network controls, firewalls to block malicious traffic).
A C2M2 assessment will provide qualitative insight into your organization’s level of maturity across specific controls and domains, and Axio software adds a quantifiable cyber risk methodology to guide prioritization. Our methodology allows you to identify which risks matter and also helps you select the best improvements and/or risk transfer mechanisms. Axio360’s risk-based approach can help you better understand your environment and its risks, making your organization a risk-centric and resilient enterprise.