By Dan Schiappa, Chief Product Officer, Sophos
This past February, hackers were able to infiltrate a Florida water treatment plant through dormant remote access software that was still installed. That in and of itself wasn’t the problem; the problem was that the plant’s staff all accessed that software using the same password. Between widespread sharing of a single password and out-of-date Windows operating systems, the hackers were able to breach the facility and nearly poison the water supply, stopped only because an employee noticed what was happening before it was too late. This April, another man was charged with hacking into a Kansas water treatment plant in 2019 with a similar aim of tampering with the public water supply.
While there is no recorded statistical uptick in cyberattacks on infrastructure assets like water treatment plants, sewage processing facilities or power companies, these twin incidents appearing in the headlines so close together reflect a renewed focus on the very real threat of infrastructure cyberattacks – and the deadly implications they carry for potentially millions of people. It’s fortunate these two breaches didn’t result in more serious consequences, but the poor cybersecurity hygiene seen at both plants highlights just how unprepared so many infrastructure operators around the country are for cyber threats.
The most vulnerable targets are on the local, municipal level
The unfortunate truth is that infrastructure today is so vulnerable that just about anyone who wants to get in can get in. That’s because many infrastructure organizations lack granular controls over, and segmentation of, their assets. Controls overseeing water treatment processes, for example, aren’t air-gapped to keep online intruders out. Just the opposite: these controls are often exposed to the internet and the threats that come with it.
That makes infrastructure an easy target for nation-state attackers and organized crime groups alike. There is clear national-security value for a foreign power in being able to shut down power and water throughout the US, or even just knock out the power to certain government buildings, like the White House or the Capitol. But there’s also a major financial incentive for private groups to launch ransomware attacks against 911 call centers or sewage processing facilities. After all, if sewage isn’t being processed, customers are going to react pretty quickly, putting urgent pressure on the operator to pay the ransom.
The least vulnerable targets are the traditional big power companies, which do have relatively strong security programs and use initiatives like penetration tests to shore up their defenses. Their security is roughly on par with enterprises of similar size. The ones we should be most worried about, and who need the most help in ramping up their cybersecurity presence, are cities, towns, and municipalities. These were the targets in the aforementioned Florida and Kansas stories, and they’re the targets most attractive to cyberattackers because of their minimal, if not non-existent, security practices.
A couple of months ago, I argued that one of the best things the Biden Administration can do on cybersecurity is to leverage the talent that already exists in federal government agencies like CISA and the Department of Homeland Security (DHS), giving these people the resources they need, pointing them in the right direction, and letting them loose. But with municipal infrastructure operators, we’re starting much further back than that. Many of these facilities just haven’t invested in the necessary security talent to begin with, and don’t have anyone specifically assigned to oversee plant cybersecurity. Small-town infrastructure organizations barely have an IT staff, much less a full-fledged security team. So it’s no surprise that these are the targets most commonly sought after by attackers.
Increasing infrastructure cybersecurity might require fewer carrots and more sticks
A major part of the problem with infrastructure cybersecurity, or the lack thereof, is that to date it’s mostly a situation of all carrots and no sticks. There are no compulsory actions that these local and municipal infrastructure facilities have to take. Researchers publish security bulletins that highlight emerging trends and threats, but often there is no one at these facilities who listens to them, reads them, or even knows they exist – because they aren’t required to seek out this information. Federal agencies like CISA and DHS provide similar security guidance – which, because of the diversity of infrastructure facilities in the US, is more generic than prescriptive – but again there’s no external body forcing infrastructure operators to treat this guidance as gospel.
So if a dynamic of all carrots and no sticks creates incredibly weak – if not non-existent – cybersecurity practice among local and municipal infrastructure, then reversing this situation might require a few more sticks. At the same time, we can’t punish critical infrastructure companies simply for being hacked. Punishing local power companies that have the misfortune of going up against massively well-funded nation-state attackers, for example, doesn’t help the situation at all. Nothing is unhackable; you can do all the right things and still get hacked. But many of these local municipalities aren’t putting in the effort you would expect of critical infrastructure. We need to thread the needle: mandate certain thresholds of in-house security expertise and due diligence on cybersecurity, so that we aren’t punishing those who get hacked but are being more stringent with those who don’t comply with basic security hygiene.
When I recently wrote about supply chain cybersecurity, I mentioned how we’re all part of someone’s supply chain, whether we realize it or not. With infrastructure, we’re all affected – we all rely on some utility company’s ability to reliably deliver heat, electricity, and clean water. The greatest strength US infrastructure has is its diversity – power companies, water treatment facilities, refineries, and plants across the country all use varying designs and control systems that are custom to them. This makes it impossible for a cyberattack on any one infrastructure facility to have too large a blast radius; being able to hack one doesn’t mean you can hack another. If you wanted to bring down the entire Northeastern power grid, it would require breaching dozens of different power companies simultaneously.
This diversity of infrastructure has been our biggest defense to date, but we can’t rely on it forever. Infrastructure operators need to start seriously building up their own cybersecurity staff, arming them with resources like endpoint protection and expert human-led threat hunting teams, to create a durable and robust measure of cybersecurity readiness. If they cannot provide the expertise in-house, they should leverage the services of an outsourced security operator to do so. Water treatment plants run by local Florida or Kansas municipalities don’t need to have the security capabilities of a Fortune 500 company. But our infrastructure depends on these smaller organizations making a real effort to try.
About Dan Schiappa
Dan Schiappa is the chief product officer at next-generation cybersecurity leader Sophos. He’s a transformational and strategic leader who orchestrates the company’s technical strategy, playing an instrumental role in architecting technologies; overseeing product management and research and development; and ensuring product quality. With a passion for education and inspiring the next generation of cyber talent, Dan also serves as chair of the University of Central Florida’s Dean’s Advisory Board, where he oversees various aspects of the school’s elite cybersecurity program.