By Gregory Hale
A Russia-linked hacking group apparently carried out a cyberattack on small Texas water facilities, but before anyone overreacts, let’s put this in perspective and understand the real needs here.

Yes, a small water utility in Texas was attacked, but the water kept flowing and there was no service interruption. That sounds like a win. Ignore all the hype and hysteria. What really has to occur is everyone needs to understand that the water sector is so vitally important and so vastly underprotected that it needs help.

But going back to the attack, industry research giant Mandiant said its analysis determined the attacks were conducted by Russian nation-state actors who are a persistent, high-severity threat to governments and critical infrastructure operators globally.

The combination of APT44’s (also known as Sandworm) high capability, risk tolerance, and far-reaching mandate to support Russia’s foreign policy interests places governments, civil society, and critical infrastructure operators around the world at risk. However, another group of threat actors linked to Sandworm is apparently taking attacks up a step, claiming it hit systems of a hydroelectric dam in France and water utilities in Texas and in Poland.

Why Texas?
In the grand scheme of things, why would a Russian threat group attack such a small entity in the middle of nowhere in Texas?

There are plenty of reasons, but learning how to attack and what to do in an attack comes to mind pretty quickly. Just think about the Russian attacks on small segments of the Ukraine power grid in 2015 and 2016.

Is Russia going to attack? Probably not, but conducting reconnaissance and learning about systems is never a bad thing.

Another approach is to not just think about the water industry, but the big picture for how to advance a nation state’s attack methodology.

“You have to broaden the context,” said Padraic O’Reilly, founder and chief innovation officer at software security provider, CyberSaint. “Think about Volt Typhoon, the Chinese have been lurking in the energy sector for quite some time. They were gaining a foothold.

“The fear is anytime you have got enemies or a nation state lurking around in critical infrastructure, eventually they can weaponize it. They may be just conducting tests like switching things or turning off PLCs like they did in Aliquippa for fiddling with a water tower. You will hear from the state and local people as saying, ‘nothing happened, we are cool,’ but that is not how the feds look at it,” he said. “They are seeing that some of our adversaries are in our networks, and they have access to some of our critical infrastructure like water. If there were ever to be a conflict or a soft war, they now have some options.”

The real issue is our adversaries have access to our critical infrastructure, which can be used in ways that create fear, disorder and chaos. And the federal government now feels it needs to get involved.

Feds Get Involved
“There is a reason in cyber why we use the military’s descriptions of what hackers are up to,” O’Reilly said. “We use TTPs (tactics, techniques and procedures) because a lot of what we have seen from hackers resembles cold war activities. It is reconnaissance, little campaigns to test to see if there will be a reaction. That is why this gets the interest of the Feds. Plus, you have under-resourced state and municipal utilities. You see it in other sectors as well.”

This concern about the Russians attacking a small water utility came to light in a Mandiant report saying it appears recent APT44 activity targeted victims in the water utility sector. Mandiant tracks Russia’s GRU military intelligence unit activity through the messaging platform Telegram. In January, researchers discovered a video posted to Telegram by a user likely associated with GRU.

In the video, this user took “credit for the manipulation of human machine interfaces (HMI) and controlling operational technology (OT) assets at Polish and U.S. water utilities,” the Mandiant report said.

“Mandiant cannot independently verify the above claimed intrusion activity or its link to APT44 at this time. However, we note that officials from the affected U.S. utilities publicly acknowledged incidents at entities advertised as victims,” the report said.

In February, reports emerged of a town meeting where officials of Muleshoe, Texas, discussed an attack against water infrastructure systems that occurred Jan. 18.

In the attack, hackers broke into a remote system that allows operators to interact with a water tank, city manager Ramon Sanchez said in a CNN report. The water tank overflowed for about 30 to 45 minutes before Muleshoe officials took the hacked industrial machine offline and switched to manual operations. Muleshoe officials replaced the hacked software system and took other steps to secure the network, Sanchez said.

These are small water systems that remain too underfunded to ensure a cyber-secure environment.

“This was low hanging fruit,” O’Reilly said. “It was an Internet-exposed device that controlled the water tower. It was there and they took it. They could do it in any of the other areas that have Internet-exposed devices controlling operational technology. There has to be some kind of regulation. Some kind of solution has to be found.”

Water Regulations Coming
Industry groups and associations say regulations are not the answer and that they should remain self-policing, but we have seen in the past that does not work.

Some industries that are suffering from attacks are facing the same issue, but the reality is they can afford to fix the problem; they just don’t want to. Water is different. It shouldn’t be, but it is.

“If you ask the employees at the water plants if they would like to have the protections in place, they would say yes,” O’Reilly said. “It is just you have to make the resources available to crack this nut.”

Yes, the water keeps flowing and service remains uninterrupted. Fear, uncertainty and doubt should not be in play here. The story just needs to say the water sector needs help.

ISSSource
