A hacker was able to access the system of a California water treatment plant on January 15, 2021. The rogue actor then proceeded to delete several programs used to treat drinking water. NBC News reported that an unidentified hacker carried out the attack on an unspecified water treatment plant in the San Francisco Bay Area by using the username and password of a former employee at the facility.
The attack represents one of a growing number of cyberattacks on U.S. water infrastructure that have recently come to light. This incident also presents serious concerns for the control and security of critical utilities and highlights the inherent weaknesses in many important corporate systems.
Just how weak? “If you could imagine a community center run by two old guys who are plumbers, that’s your average water plant,” one cybersecurity consultant said to NBC.
Looking into the matter for Digital Journal is James Carder, CSO of LogRhythm.
Carder begins by presenting the importance of the issue, noting: “This is a prime example of how cyberattacks can impact citizens’ physical safety, and unfortunately, these types of attacks on our critical infrastructure are only growing. With this most recent attack on critical infrastructure, organizations in the power and energy sector must take immediate action to secure their operations if they haven’t done so already, as this is a seriously overlooked attack vector that’s vital to the United States’ national security.”
He adds: “Over the past 20 years, industrial control systems have largely neglected operational technology and operational risk by air gapping data to compensate for deficiencies in network security and physically isolating platforms from unsecured networks.”
The risks are high, says Carder: “This means critical infrastructure operations are ripe with opportunities for bad actors to target and take down their systems. In this case, the hack occurred because even the most basic security practice of changing credentials and turning off access after an employee has left was not followed.”
At the heart of the vulnerability is poor planning and weak security, reckons Carder: “The system was only protected by a username and password with no other layers of security. This left California’s water supply wide open for attack, which could have resulted in more serious consequences with the potential to cause harm to U.S. citizens.”
Big improvements are needed, as Carder spells out: “Any organization leveraging technology to enable operations for critical infrastructure needs to ensure proper protection protocols are established, ranging from simple password hygiene, threat detection, preventative controls and response controls to quickly thwart and identify potential catastrophes. Lagging detection and alerts can result in disaster if controls or data are obtained by domestic or foreign adversaries.”
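The control Carder describes, revoking access when an employee leaves and detecting it when that step is missed, can be checked mechanically. The script below is an added example, not code from the article, LogRhythm or the plant: it reconciles a constructed HR offboarding roster with a constructed directory snapshot and constructed authentication log lines, flagging any successful login dated after the account owner's exit and any offboarded account that is still enabled.

```python
# Added example: catch departed-employee credentials that still work.
# Roster, directory state and log lines are all constructed for this demo.
from collections import namedtuple
from datetime import datetime

# Constructed HR roster: username -> last working day (UTC date).
OFFBOARDED = {"jdoe": "2020-11-30", "asmith": "2021-01-10"}
# Constructed directory snapshot: username -> account still enabled?
DIRECTORY = {"ops1": True, "jdoe": True, "asmith": False}
# Constructed auth log, one event per line, ISO timestamp then key=value fields.
AUTH_LOG = """\
2021-01-14T08:02:11Z user=ops1 result=success src=10.20.0.5
2021-01-15T03:41:09Z user=jdoe result=success src=203.0.113.7
2021-01-15T03:42:30Z user=jdoe result=failure src=203.0.113.7
2021-01-15T09:15:00Z user=asmith result=success src=10.20.0.9
2021-01-09T17:00:00Z user=asmith result=success src=10.20.0.9
"""

Finding = namedtuple("Finding", "user when src days_after_exit")

def parse_line(line):
    """Split '<iso8601> k=v k=v ...' into (aware datetime, field dict)."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), fields

def logins_after_offboarding(log_text, offboarded):
    """Successful logins by offboarded users dated after their exit day."""
    findings = []
    for line in log_text.splitlines():
        ts, f = parse_line(line)
        exit_day = offboarded.get(f["user"])
        if exit_day is None or f["result"] != "success":
            continue  # current staff, or a failed attempt: not this check
        exit_date = datetime.fromisoformat(exit_day).date()
        if ts.date() > exit_date:  # activity on the last day itself is allowed
            findings.append(Finding(f["user"], ts.isoformat(), f["src"],
                                    (ts.date() - exit_date).days))
    return findings

def stale_enabled_accounts(directory, offboarded):
    """Offboarded users whose directory account was never disabled."""
    return sorted(u for u in offboarded if directory.get(u, False))

if __name__ == "__main__":
    for fnd in logins_after_offboarding(AUTH_LOG, OFFBOARDED):
        print(f"ALERT former-employee login: {fnd}")
    print("offboarded but still enabled:", stale_enabled_accounts(DIRECTORY, OFFBOARDED))
```

In a real deployment the roster would come from the HR system and the log lines from the identity provider or VPN, and the stale-account check would run daily rather than against a snapshot.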