Writing Assignment – SCADA

Joemar Zayas Duran (UIN 01157876)

CYSE 200T (CRN 16378)

November 1, 2024

Background

Cyberattacks against United States infrastructure have risen in recent years. Many of the recent attacks take advantage of legacy Operational Technology (OT) systems that operated off the network for years until online interfaces were recently added to them. With the increase in attacks on critical infrastructure, CISA and other organizations have published mitigations for these attacks.

Infrastructure and Cyber Attacks

SCADA (Supervisory Control and Data Acquisition) systems present unique vulnerabilities when compared to common-use information systems. While consumer-grade products such as laptops are regularly updated to counter malware and software vulnerabilities, SCADA systems do not always follow the same practice. It is still common to find SCADA deployments that integrate equipment from many different manufacturing dates, which raises concerns about out-of-date software and hardware. Without patch compatibility, there is a serious threat to internet-connected components, such as the now common online Human Machine Interfaces (HMIs) that interface with programmable logic controllers (PLCs) and remote terminal units (RTUs). Part of the concern over patch incompatibility arises from hardware that was already in use years before online HMI systems became common (SECPOINT; SCADA Systems). Other basic cybersecurity concerns have been raised as well, such as the use of default or weak passwords and the lack of security countermeasures at the RTUs and PLCs themselves, which can circumvent any online security placed on supervisory stations or HMIs (CISA, 2021a).

Additionally, infrastructure systems have been receiving more attacks from state-sponsored threats as well as cyber criminal organizations. For example, beginning in July 2021 BlackMatter actors attacked United States infrastructure, deploying ransomware against organizations in the food and agriculture sector (CISA, 2021b). Water and Wastewater Systems (WWS) also experienced multiple attacks in 2021; in August 2021 a California WWS facility was hit by ransomware as well (CISA, 2021a). CISA suggested similar mitigation measures for both cases, a common one being multi-factor authentication (MFA), most often in the form of two-factor authentication. One of the main reasons MFA is recommended is that in these attacks the intruders typically remain in the network for days or longer, harvesting credentials that are then used to gain additional access. With MFA in place a stolen password alone is not enough; a second factor is required to confirm access.

Most of these attacks also come with a suggested mitigation of implementing Intrusion Detection Systems (IDS). Just as in the IT world, OT systems need intrusion detection to notify administrators of suspicious activity, such as changes to RTU or PLC settings at odd times (for example when most personnel are off work, which suggests an outsider has gained entry). CISA also suggests the common mitigation of changing default usernames and passwords and not sharing one password across groups of users or devices, to limit unauthorized access. CISA also raises policy concerns, such as the lack of time-based limits on administrative accounts. By restricting the times at which these accounts can be used, unauthorized use can be controlled, especially during common attack windows such as holidays and weekends. As in large businesses outside critical infrastructure, request forms for administrator account use can also be implemented, limiting the damage a hijacked account can do by notifying the account manager of admin use outside the allotted times.
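The two detection ideas above, flagging controller writes at odd hours and flagging admin activity outside an approved time window, can be expressed as simple rules run over an HMI audit log. The following is an added example written for this page; it is not code from the assignment or from any CISA advisory. It assumes a hypothetical log-line format (timestamp, user, source IP, target device, function, details), an assumed plant shift window of 06:00 to 18:00 on weekdays, an assumed engineering subnet 10.20.1.0/24, and a constructed table of approved admin access windows standing in for the request-form records described above. It goes one step beyond the text by also flagging writes that originate outside the engineering subnet. All log lines are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Tuple

# Constructed sample audit log in a hypothetical HMI/historian format:
#   <ISO timestamp> <user> <source IP> <target device> <function> <details>
SAMPLE_LOG = """\
2024-03-04T09:12:03 operator1 10.20.1.15 PLC-3 WRITE_COIL addr=12 value=1
2024-03-04T13:47:51 operator2 10.20.1.16 RTU-7 READ_REGS addr=40001 count=10
2024-03-05T02:41:09 operator1 10.20.1.15 PLC-3 WRITE_REG addr=40105 value=0
2024-03-06T10:30:00 admin 10.20.1.40 RTU-2 WRITE_REG addr=40010 value=500
2024-03-06T23:15:44 admin 10.20.1.40 PLC-1 WRITE_COIL addr=3 value=0
2024-03-09T11:05:00 operator2 203.0.113.7 PLC-1 WRITE_REG addr=40020 value=1
"""

# Functions that change controller state; plain reads are not alerted on.
WRITE_FUNCTIONS = {"WRITE_COIL", "WRITE_REG"}
# Assumed plant shift hours: writes are expected only 06:00-18:00 on weekdays.
SHIFT_START, SHIFT_END = time(6, 0), time(18, 0)
# Assumed engineering workstation subnet; writes from anywhere else are suspect.
ENGINEERING_NET = ipaddress.ip_network("10.20.1.0/24")
# Assumed time-based (just-in-time) admin approvals: user -> [(start, end), ...].
ADMIN_WINDOWS: Dict[str, List[Tuple[datetime, datetime]]] = {
    "admin": [(datetime(2024, 3, 6, 10, 0), datetime(2024, 3, 6, 12, 0))],
}


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    target: str
    func: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the hypothetical audit-log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, target, func, detail = line.split(" ", 5)
        events.append(Event(datetime.fromisoformat(ts), user, src, target, func, detail))
    return events


def is_off_hours(ts: datetime) -> bool:
    """Weekends, or any weekday time outside the assumed shift window."""
    return ts.weekday() >= 5 or not (SHIFT_START <= ts.time() < SHIFT_END)


def in_approved_window(ev: Event) -> bool:
    """True if the event falls inside one of the user's approved admin windows."""
    return any(start <= ev.ts <= end for start, end in ADMIN_WINDOWS.get(ev.user, []))


def detect(events: List[Event]) -> List[Tuple[str, Event]]:
    """Return (rule_name, event) pairs, in log order, for each rule an event trips."""
    alerts = []
    for ev in events:
        is_write = ev.func in WRITE_FUNCTIONS
        if is_write and is_off_hours(ev.ts):
            alerts.append(("OFF_HOURS_WRITE", ev))
        if is_write and ipaddress.ip_address(ev.src) not in ENGINEERING_NET:
            alerts.append(("WRITE_FROM_UNEXPECTED_SOURCE", ev))
        # Admin accounts are held to their approved windows for any activity,
        # reads included, since reconnaissance usually precedes the damaging write.
        if ev.user in ADMIN_WINDOWS and not in_approved_window(ev):
            alerts.append(("ADMIN_OUTSIDE_APPROVED_WINDOW", ev))
    return alerts


if __name__ == "__main__":
    for rule, ev in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:30} {ev.ts.isoformat()} {ev.user}@{ev.src} -> "
              f"{ev.target} {ev.func} {ev.detail}")
```

Run against the constructed log, the rules stay quiet on the daytime operator write and on the admin write made inside its approved 10:00 to 12:00 window, and raise five alerts: the 02:41 operator write, the 23:15 admin write (both off hours and outside the approved window), and the Saturday write from 203.0.113.7 (both off hours and from outside the engineering subnet). In a real deployment the shift window, subnet and approval table would come from the plant's own records rather than constants.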

To protect valuable information in case of a ransomware attack or another form of attack, organizations such as CISA strongly encourage the use of offline backups. Ransomware tends to spread across a network before encrypting all information and leaving a ransom note. To reduce the damage from these attacks, it is recommended to keep an encrypted offline backup that is updated frequently and cannot be easily modified; if the backup can be reached and altered from a compromised account, it can be destroyed along with the live data.

Conclusion

Infrastructure systems operate on a mix of legacy and newer systems, which brings risks from unpatched software and unnecessary exposure of online interfaces. The increased use of human machine interfaces allows easy accountability for RTU and PLC operations and quick adjustments, but it also serves as an attack vector. CISA, the NSA, the FBI, and other organizations have identified multiple points of improvement to help mitigate attacks from state-sponsored and non-state actors. These mitigations range from more complex changes, such as IDS integration and wide use of multi-factor authentication, to simpler policy changes, such as requiring more complex passwords and changing default usernames and passwords. Controls over admin account access are also a common suggestion for systems that manage information within OT; they help with spotting hijacked accounts and disabling accounts that are used outside their registered times.

References

CISA. (2021a, October 14). Ongoing cyber threats to U.S. water and wastewater systems (Alert AA21-287A). Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-287a

CISA. (2021b, October 18). BlackMatter ransomware (Alert AA21-291A). Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-291a

SCADA Systems. (n.d.). SCADA systems. https://www.scadasystems.net/

SECPOINT. (n.d.). SCADA systems and their vulnerabilities. https://www.secpoint.com/scada-systems-their-vulnerabilities.html
