An Overall Look at Critical Infrastructure of the U.S. and How it is Under Attack (Part II)
Photo Credit: NHOA Energy

Part I of this series covered the general concepts of Critical Infrastructure (CI) and the Industrial Control Systems (ICSs) that operate within it, and closed with a brief overview of Stuxnet. This part picks up from there with a set of incidents that show how those systems have actually been attacked.

For ease of reference, Part I is linked below; a copy is also available on Medium.com (Link Here).

Bowman Avenue Dam

While not disclosed publicly until 2015, the 2013 cyber breach of the control systems of the Bowman Avenue Dam in Rye Brook, New York, is a good starting point for understanding how the ICSs of critical infrastructure have become a target of APTs since Stuxnet surfaced in 2010. The attackers, who later identified themselves as the SOBH Cyber Jihad, gained access at least six times between August 22 and September 27, 2013, which allowed them to access and read files, including employee usernames and passwords (Connor, Winter, & Gosk, 2015). The intrusion came in through a cellular modem and gave the attackers access to the system that controlled the sluice gate, but not to the facility as a whole. Initial reports indicated that, with this access, the attackers could have used the connected SCADA system to operate the sluice gate, but had trouble doing so consistently. In fact, the indictment brought by the U.S. federal government against the alleged Iranian hackers noted that one of the defendants, Hamid Firoozi, should have been able to remotely manipulate the sluice gate, except that “the sluice gate control had been manually disconnected for maintenance issues prior to the time Firoozi gained access to the systems” (Thompson, 2016).

The breach was therefore only partly successful. Even if the sluice gate had been opened, the resulting overflow, while causing serious damage to the immediate area, would have had little strategic value, which left agents within Homeland Security puzzled about why such a minor CI facility had been targeted in the first place. One argument is that the attack was a practice run, or an “entry-level” attempt to develop tools and an understanding of the processes involved in Operational Technology (OT) systems, since attacks on ICSs are “much more complicated, and less prevalent, than attacks on information technology (IT)” (Cohen, 2021). If this is true, then a successful breach here gave U.S. foreign adversaries valuable operational experience: not only about which of the same vulnerabilities may exist in other, larger CI facilities, but also about which SCADA functions would need to be controlled to cause greater damage to a facility and the populace it supports. This narrative is further supported by the finding of National Security Agency (NSA) intelligence analysts that multiple computers had been “crawling”, or scanning, specific IP addresses reported to belong to U.S. industrial control systems in search of vulnerabilities (Yadron, 2015). The incidents that follow show how APTs have matured and gained sophistication, shifting from IT to OT systems in order to reach SCADA functions and their operations, with the intent of causing serious harm to the public that CI is meant to serve.

The U.S. Water and Wastewater Systems Sector

Shifting to the Water and Wastewater Systems (WWS) CI sector, we see how widespread attacks directed at OT systems have become, as recent breaches have shown that APTs have “moved past desktop computers and paralyzed the specialized supervisory control and data acquisition (SCADA) devices that issue mechanical commands to the equipment” (Reuters, 2021). To illustrate this, the discussion is split into two types of threat, external and internal, using several examples of WWS facilities that have been breached. The Alerts published by the Cybersecurity & Infrastructure Security Agency (CISA) on these incidents are discussed further in Part III (Findings and Discussions).

Malicious external actors.

Since the Bowman Avenue Dam breach was made public, there have been numerous intrusions by “alleged” or unknown threat actors against WWS facilities, which are essential to public health and the environment because they ensure that the public has an adequate supply of safe drinking water and wastewater services. In 2016, the Data Breach Digest published by the Verizon Research, Investigations, Solutions and Knowledge (RISK) Team described a breach at an unnamed water utility, given the pseudonym Kemuri Water Company (KWC). The utility had engaged Verizon for a proactive risk assessment, but initial analysis showed that a breach had already been in progress for at least 60 days before the RISK Team arrived. The timeframe of the breach coincided with an unexpected and irregular pattern of duct and valve operations, which “consisted of manipulating the PLCs that managed the amount of chemicals used to treat the water to make it safe to drink, as well as affecting the water flow rate, causing disruptions with water distribution” (Verizon RISK Team, 2016). These manipulations occurred over four separate intrusions during the 60-day period before the assessment, and in at least two instances the attacker altered the chemical concentrations used to treat the water, forcing flushes and restarts of systems that lengthened the time needed to replenish the water supply. The one positive takeaway was that KWC operations personnel quickly identified the adverse changes in chemical dosing, greatly reducing the impact on KWC customers. While no clear motive was found for the breach, nor was it claimed by any particular group, it clearly illustrated how vulnerable WWS facilities can be to an external threat.

More recently, in February 2021, a WWS treatment facility in Oldsmar, Florida, had its network breached by an intruder who took control of the SCADA Human Machine Interface (HMI) and attempted to alter the level of sodium hydroxide (NaOH). NaOH, also known as caustic soda or lye, is the chemical used to remove heavy metals from the water and adjust its acidity (pH) in various systems at the facility. It is not considered harmful at the low concentrations used in treatment, but it is corrosive and can be potentially lethal if ingested in high enough quantities. The breach was carried out through TeamViewer, remote desktop software originally installed so that authorized users could troubleshoot plant systems remotely (Ilascu, 2021). In this instance, however, the attacker connected to a workstation where a facility employee was logged in and, from that session, gained control of various subsystems, including the ICS that controlled the sodium hydroxide concentration. In fact, the operator watched in real time as the intruder took control of the mouse and changed the NaOH setpoint from 100 parts per million (ppm) to 11,100 ppm (Cimpanu, 2021).

As with the KWC incident, it was the immediate response of on-site operators that prevented severe contamination of the water supply, in this case for the entire population of Oldsmar, by reversing the concentration change back to its nominal value. The plant then cut off the remote-access software from the plant systems. The major difference between the KWC incident and Oldsmar is that the Oldsmar attack took only three to five minutes, which suggests the attacker fully understood the ramifications of the changes being made. That is a dangerous precedent, for it meant that intrusions of this type against CI facilities now had to be treated as intentional rather than accidental.
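Both the KWC and Oldsmar incidents were caught because a person happened to notice a chemical dosing or flow setpoint moving somewhere it should never go. The monitor below, written as an added example for this article (it is not code from the article, from CISA, or from any plant vendor), shows what the same check looks like when it is automated: each setpoint write recorded by the HMI is compared against a per-tag safe operating envelope, a maximum step size per write, and whether the write came from a remote session. The audit-line format, tag names, operating limits and the `remote:` session prefix are all hypothetical; the only figure taken from the article is the 100 ppm NaOH setpoint at Oldsmar, and the sample log is constructed to mirror that timeline.

```python
"""Setpoint-write monitor for a water-treatment HMI audit trail.

Added example, not the article's or any vendor's code. Assumes the HMI
logs one line per setpoint change in the constructed format
"<ISO timestamp> <user> <session-source> <tag> <old> <new>".
Tag names, limits and the "remote:" prefix are hypothetical.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Safe operating envelope per tag: (low, high, max_step_per_write).
# Hypothetical values; a real plant takes these from its process engineers.
LIMITS = {
    "NAOH_DOSE_PPM": (50.0, 250.0, 25.0),
    "FLOW_RATE_GPM": (200.0, 1200.0, 150.0),
}

# Session sources that are not a local operator console (hypothetical prefix).
REMOTE_PREFIX = "remote:"

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<source>\S+)\s+(?P<tag>\S+)\s+"
    r"(?P<old>-?\d+(?:\.\d+)?)\s+(?P<new>-?\d+(?:\.\d+)?)$"
)


@dataclass(frozen=True)
class SetpointWrite:
    ts: datetime
    user: str
    source: str
    tag: str
    old: float
    new: float


def parse_line(line):
    """Parse one audit line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return SetpointWrite(datetime.fromisoformat(m["ts"]), m["user"], m["source"],
                         m["tag"], float(m["old"]), float(m["new"]))


def evaluate(write):
    """Return the list of reasons a write is suspicious (empty if none)."""
    limits = LIMITS.get(write.tag)
    if limits is None:
        return ["no operating envelope defined for tag"]
    low, high, max_step = limits
    reasons = []
    if not low <= write.new <= high:
        reasons.append(f"new value {write.new:g} outside [{low:g}, {high:g}]")
    step = abs(write.new - write.old)
    if step > max_step:
        reasons.append(f"step {step:g} exceeds max step {max_step:g}")
    if write.source.startswith(REMOTE_PREFIX):
        reasons.append(f"written from remote session {write.source}")
    return reasons


def scan(lines):
    """Evaluate every parseable line and collect alerts.

    Severity is "critical" when the new value itself lies outside the
    envelope (the process is now unsafe); anything else is "review".
    """
    alerts = []
    for line in lines:
        write = parse_line(line)
        if write is None:
            continue  # unparseable lines are skipped, not silently trusted
        reasons = evaluate(write)
        if not reasons:
            continue
        limits = LIMITS.get(write.tag)
        out_of_range = limits is not None and not limits[0] <= write.new <= limits[1]
        alerts.append({"ts": write.ts.isoformat(), "user": write.user,
                       "source": write.source, "tag": write.tag,
                       "old": write.old, "new": write.new,
                       "severity": "critical" if out_of_range else "review",
                       "reasons": reasons})
    return alerts


# Constructed sample audit trail: routine console writes, a remote-session
# write that jumps NaOH dosing from 100 ppm to 11,100 ppm, then the
# operator's corrective write, plus one line that does not parse.
SAMPLE_LOG = """\
2021-02-05T08:00:05 operator1 console NAOH_DOSE_PPM 95 100
2021-02-05T08:00:20 operator1 console FLOW_RATE_GPM 800 850
2021-02-05T13:32:40 operator1 remote:teamviewer NAOH_DOSE_PPM 100 11100
2021-02-05T13:35:10 operator1 console NAOH_DOSE_PPM 11100 100
not an audit line
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(a["severity"].upper(), a["ts"], a["tag"],
              f"{a['old']:g} -> {a['new']:g}:", "; ".join(a["reasons"]))
```

On the sample log the remote write raises a critical alert for all three reasons at once, and the operator's corrective write also trips the step rule as a lower-severity review item, which is deliberate: any change that large deserves a record even when it restores a safe value. The envelope check is independent of who made the write, so it also covers the insider case discussed later, where the account used is legitimate and the only tell is the value itself.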

The unexpected insider threat.

While external attacks have the potential to cause massive damage to any organization, nothing can damage or disable a facility like an insider who has an innate understanding of its systems and of what it takes to put the plant in an unsafe condition, or worse, to disable the critical safety functions designed to protect the environment and the public. An insider threatening a CI facility can be challenging not only to identify while the attack is in progress, but also to interrupt or reverse, since they will most likely already hold legitimate, or even privileged, access to the ICS and its SCADA hardware. One example comes from an undisclosed Kansas-based WWS facility, where a former employee “unsuccessfully tried to threaten drinking water safety by using their unrevoked user credentials” (Lauver, 2021). CISA and Homeland Security have withheld further details of that attack, but one only has to review the insider attack against the Maroochy Shire Council in Queensland, Australia, to understand what a worst-case scenario looks like. Vitek Boden, a disgruntled engineer who had worked for the contractor that installed the council's SCADA system, sought revenge after failing to obtain a job with the council. Using a laptop and radio equipment compatible with the SCADA system, he issued commands to the sewage management control system and its wastewater pumping stations (Hemsley & Fisher, 2018). His detailed knowledge of how the system was integrated also allowed him to use a radio transmitter to jam the radio frequency (RF) communications to the pumping stations and suppress the fault alarms that should have reached the system engineer, leaving him in effective control of nearly 150 sewage pumping stations. The end result was that Boden “released millions of gallons of untreated sewage into waterways and local parks,” undiscovered over a period of roughly three months (Hemsley & Fisher, 2018).

To be continued in Part III, Findings and Discussions, based on the incidents reviewed here.

References

Cimpanu, C. (2021, February 8). Hacker modified drinking water chemical levels in a US city. Retrieved from ZDNet: https://www.zdnet.com/article/hacker-modified-drinking-water-chemical-levels-in-a-us-city/

Cohen, G. (2021, August 12). Throwback Attack: How the modest Bowman Avenue Dam became the target of Iranian hackers. Retrieved from Industrial Cybersecurity Pulse: https://www.industrialcybersecuritypulse.com/throwback-attack-how-the-modest-bowman-avenue-dam-became-the-target-of-iranian-hackers/

Connor, T., Winter, T., & Gosk, S. (2015, December). Iranian Hackers Claim Cyber Attack on New York Dam. Retrieved from NBC News: https://www.nbcnews.com/news/us-news/iranian-hackers-claim-cyber-attack-new-york-dam-n484611

Hemsley, K. E., & Fisher, D. E. (2018, December 31). History of Industrial Control System Cyber Incidents. Idaho National Laboratory (INL). doi:10.2172/1505628

Ilascu, I. (2021, February 8). Hackers tried poisoning town after breaching its water facility. Retrieved from Bleeping Computer: https://www.bleepingcomputer.com/news/security/hackers-tried-poisoning-town-after-breaching-its-water-facility/

Lauver, M. (2021, October 29). US water and wastewater systems targeted by cybercrime. Retrieved from Security Magazine: https://www.securitymagazine.com/articles/96418-us-water-and-wastewater-systems-targeted-by-cybercrime

Reuters. (2021, October 14). US Authorities Disclose Ransomware Attacks Against Water Facilities. Retrieved from VOA News: https://www.voanews.com/a/us-authorities-disclose-ransomware-attacks-against-water-facilities/6271194.html

Thompson, M. (2016, March 24). Iranian Cyber Attack on New York Dam Shows Future of War. Retrieved from Time.com: https://www.justice.gov/opa/file/834996/download

Verizon RISK Team. (2016, May 21). Data Breach Digest. Retrieved from Internet Archive Wayback Machine: https://web.archive.org/web/20160521005216/https://www.verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf

Yadron, D. (2015, December 20). Iranian Hackers Infiltrated New York Dam in 2013. Retrieved from The Wall Street Journal: https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559

#cybersecurity #ics #icssecurity #blueteam #cyberdefense #cyberrisk #cyberriskmanagement #cybersecurityawareness #cisa #criticalinfrastructure #criticalinfrastructureprotection #watertreatmentsystems #hacking #research #cyberattack #cyberintelligence

More articles by Michael Reyes