Pennsylvania Water Utility Cyberattack: What We Can Learn
A recent cyberattack on Pennsylvania’s Municipal Water Authority of Aliquippa has sent ripples through the cybersecurity world. Perpetrated by the Iranian-affiliated group Cyber Av3ngers, this breach targeted operational technology crucial for water regulation, resulting in a temporary disruption to the plant’s operations and threatening more significant impacts on the community water infrastructure.
But how did this breach occur? What does it reveal about the current state of cybersecurity in critical infrastructures? And more importantly, what can organizations learn from this incident to safeguard their own systems?
As we delve into the details of this attack, join us in exploring the intricate world of cybersecurity, where every breach provides valuable lessons for the future. Keep reading to learn how this attack happened and what we can learn from it to keep our organizations safe.
What Happened
Based on recent news reports and a CISA cybersecurity advisory from December 1, the Municipal Water Authority of Aliquippa in Pennsylvania was a recent victim of a cyberattack targeting their operational infrastructure.
The attack was claimed by a hacktivist organization that uses the name Cyber Av3ngers and is believed to be backed by or affiliated with the Iranian government. The attack specifically targeted systems developed by Unitronics, an Israeli technology company specializing in automation technology used in various industries, including manufacturing and utilities. Messages on hacked devices conveyed the group’s explicit practice of targeting devices and software produced by Israeli companies.
The ramifications of this breach were significant but not catastrophic. According to reports, Cyber Av3ngers compromised control over the water pressure monitoring system at a booster station, leading to an abrupt shutdown of the automated system. The operators at Aliquippa quickly identified the attack and successfully mitigated the immediate risk. Thanks to effective segmentation between different facilities, the attack was limited to a single station, and the team could turn off the automated systems and assume manual control, ensuring the uninterrupted supply of safe drinking water to the townships.
What This Means For Cybersecurity
The cyberattack on the Municipal Water Authority of Aliquippa is not an isolated incident but a reflection of growing trends in the cybersecurity space. The attack highlights the increasing need for organizations to strengthen the security of Operational Technology (OT) devices, the risk posed by nation-state-supported threat actors and politicized hacktivists, the expanding relevance of supply chain risk management, and the importance of robust defense in depth.
The Rising Need for OT Security:
Attackers increasingly target OT infrastructure critical for controlling physical processes in factories, power plants, and water treatment sites. Therefore, safeguarding these systems becomes essential for business sustainability and public and employee safety. This incident is a stark reminder that OT environments are no longer peripheral targets but central to cyber threat actors’ objectives.
The Risk of Nation-State Threat Actors:
The involvement of a group like the Cyber Av3ngers, with suspected ties to Iran’s Islamic Revolutionary Guard Corps (IRGC), highlights the escalating risks posed by nation-state-supported threat actors. These entities often have access to more resources and strategic motives. They can potentially be more dangerous than ‘independent’ threat groups and often target critical infrastructure and private companies to exert geopolitical pressure or achieve broader political objectives. Their sophisticated methods and state backing make them particularly formidable adversaries.
Politicized Attacks Beyond Financial Motivations:
This attack also signals the ongoing threat of politically motivated attacks. While most cyberattacks are perpetrated for financial motives, organizations can’t afford to ignore the risks of politicized ‘hacktivists’ using cyberattacks as a tool for political statements or for influencing geopolitical dynamics. Rather than pursuing purely financial outcomes, such as ransom payouts, political hackers will typically aim to achieve maximum disruption and destruction in their target environments, making recovery and remediation more difficult and costly.
Supply Chain Risk Management:
The breach also highlights the critical importance of supply chain risk management. The compromised Unitronics device, a part of the water authority’s supply chain, was a crucial vulnerability point. As organizations continue to rely on more tools and systems from third parties, in our increasingly interconnected world, they need to ensure the security of systems and devices that are critical to their operations. Supply chain components can be unwitting conduits for cyber threats.
Importance of Defense in Depth and Effective Remediation:
Finally, the attack reinforces the need for robust defense-in-depth strategies. The effect on the Aliquippa community may have been more significant if the attack had spread undetected and unopposed. Implementing layered security measures like network segmentation can significantly limit an attack’s ‘blast radius.’ Moreover, having effective remediation measures, including maintaining operational capabilities during an attack, is crucial. This incident demonstrates that rapid response and resilience – the ability to continue operating despite a breach – are as important as preventive measures in today’s cybersecurity landscape.
How to Protect Your Team
The attack on the Water Authority of Aliquippa provides some lessons and takeaways for other organizations with critical OT systems. A few fairly simple policies and changes can significantly reduce your vulnerability to similar attacks.
According to the CISA advisory, the attackers likely employed a brute force attack to gain initial access, exploiting poor password security and the system’s internet accessibility.
Direct and Immediate Changes:
Enforce Strong Password Policy:
Passwords get exponentially harder to crack with increased length and complexity. Most brute force password attacks are dictionary attacks, which severely weakens passwords built from common words or strings, or worse, devices that still carry their default passwords.
That’s why it’s essential to establish and maintain a robust password policy. This includes changing default passwords on devices, enforcing unique and complex passwords, and adhering to best password creation and management practices.
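The policy described above (no default credentials, no dictionary words dressed up with digits, adequate length and complexity) is easy to state and easy to get wrong in practice. The following is an added example, not code from the original article or from any vendor, showing how such a policy can be enforced mechanically when a credential is set. The default-credential list and the mini-dictionary are constructed placeholders standing in for a real wordlist, and the device inventory is constructed sample input; the hypothetical `check_password` and `audit_inventory` helpers are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed placeholder list of factory-default / trivially guessable
# credentials. Not taken from any vendor documentation; a real deployment
# would load a maintained list here.
CONSTRUCTED_DEFAULTS = {"1111", "1234", "admin", "password", "changeme"}

# Constructed mini-dictionary standing in for a real cracking wordlist.
CONSTRUCTED_DICTIONARY = {"water", "pump", "plant", "summer", "welcome", "station"}

MIN_LENGTH = 14  # assumed policy minimum; adjust to your own standard

# Common substitutions attackers' wordlists already account for, so a
# policy check should see through them too ("W4ter" is still "water").
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


@dataclass
class PolicyResult:
    ok: bool
    problems: list = field(default_factory=list)


def _core_word(candidate: str) -> str:
    """Strip leading/trailing digits and symbols (the 'Water2023!' pattern),
    lower-case, and undo leetspeak so the result can be compared to a wordlist."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", candidate)
    return stripped.lower().translate(_LEET)


def check_password(candidate: str) -> PolicyResult:
    """Evaluate one proposed credential against the policy. Returns every
    violation rather than stopping at the first, so the user sees the full picture."""
    problems = []

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = sum(
        1 for pat in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
        if re.search(pat, candidate)
    )
    if classes < 3:
        problems.append("uses fewer than three character classes")

    core = _core_word(candidate)
    if candidate.lower() in CONSTRUCTED_DEFAULTS or core in CONSTRUCTED_DEFAULTS:
        problems.append("matches a known default or common credential")
    elif core in CONSTRUCTED_DICTIONARY:
        problems.append("is a dictionary word padded with digits or symbols")

    return PolicyResult(ok=not problems, problems=problems)


def audit_inventory(inventory: dict) -> dict:
    """Return {device: [problems]} for every device whose proposed credential
    fails the policy. Only failing devices appear in the result."""
    failing = {}
    for name, password in inventory.items():
        result = check_password(password)
        if not result.ok:
            failing[name] = result.problems
    return failing


# Constructed sample input: device names and the credentials an operator
# proposes for them. In practice this check runs at password-change time,
# not against a stored list of plaintext passwords.
CONSTRUCTED_INVENTORY = {
    "booster-plc-01": "1111",                              # left at default
    "booster-hmi-01": "Water2023!",                        # dictionary word + year
    "jump-host":      "correct horse battery staple 42!",  # long passphrase
}

if __name__ == "__main__":
    for device, problems in audit_inventory(CONSTRUCTED_INVENTORY).items():
        print(f"{device}: " + "; ".join(problems))
```

The leet-normalisation step is the part most home-grown checkers omit: a brute-force wordlist already contains `P@ssw0rd` and `W4ter2023`, so a policy that accepts them because they contain symbols and digits gives operators a false sense of strength.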
Restrict Public Internet Access:
If threat actors can’t reach a device, they can’t compromise it. It’s that simple. But of course, the simple things are hard: legitimate users and workers need to be able to reach devices and systems as well. It’s worth considering what level of accessibility is the best compromise between security and usability.
In the case of Aliquippa Water and many other OT-dependent organizations, large parts of their operational system probably don’t need to be accessible through the Internet. Ensure that critical OT devices are not connected to public-facing internet connections. This simple measure can significantly reduce the vulnerability of these systems to unauthorized access.
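Removing OT devices from the public internet is the control; confirming that it holds, and spotting the brute-force pattern the CISA advisory describes when it doesn’t, is the detection side. The following is an added example, not code from the original article or from any product, that runs two checks over authentication log lines from a remote-access gateway: it flags logons to an OT device from outside an assumed management subnet, raises a brute-force alert when one source accumulates repeated failures inside a short window, and flags a subsequent success from that same source. The log format, the management range `10.50.0.0/24`, the thresholds, and the sample lines (using the documentation address `203.0.113.7`) are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format: "<iso8601> <host> auth: <FAILED|SUCCESS> user=<u> src=<ip> dst=<device>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

FAIL_THRESHOLD = 5      # assumed: failures from one source ...
WINDOW_SECONDS = 60     # ... within this many seconds => brute-force alert
MANAGEMENT_NETS = [ipaddress.ip_network("10.50.0.0/24")]  # assumed jump-host range


def parse(line: str):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "result": m["result"], "user": m["user"],
            "src": m["src"], "dst": m["dst"]}


def analyze(lines):
    """Return a list of (alert_kind, src, dst) tuples, in the order they fire."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> timestamps of failures in window
    bursting = set()                       # sources already flagged for brute force
    reported_external = set()              # (src, dst) pairs already reported

    for line in lines:
        ev = parse(line)
        if ev is None:
            continue

        # Exposure check: any logon attempt that did not come from the
        # management network means the device is reachable from somewhere it
        # should not be, regardless of whether the attempt succeeded.
        src_ip = ipaddress.ip_address(ev["src"])
        if not any(src_ip in net for net in MANAGEMENT_NETS):
            key = (ev["src"], ev["dst"])
            if key not in reported_external:
                reported_external.add(key)
                alerts.append(("unexpected_source", ev["src"], ev["dst"]))

        if ev["result"] == "FAILED":
            window = recent_failures[ev["src"]]
            window.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ev["src"] not in bursting:
                bursting.add(ev["src"])
                alerts.append(("brute_force", ev["src"], ev["dst"]))
        elif ev["src"] in bursting:
            # A success following a burst is the signal that matters most:
            # the guessing may have worked, so treat the account as compromised.
            alerts.append(("success_after_burst", ev["src"], ev["dst"]))

    return alerts


# Constructed sample log: one legitimate operator logon from the management
# network, then five rapid failures and a success from an outside address.
CONSTRUCTED_LOG = [
    "2023-11-25T10:00:01Z gw auth: SUCCESS user=operator src=10.50.0.12 dst=plc-booster-01",
    "2023-11-25T10:00:05Z gw auth: FAILED user=admin src=203.0.113.7 dst=plc-booster-01",
    "2023-11-25T10:00:07Z gw auth: FAILED user=admin src=203.0.113.7 dst=plc-booster-01",
    "2023-11-25T10:00:09Z gw auth: FAILED user=admin src=203.0.113.7 dst=plc-booster-01",
    "2023-11-25T10:00:11Z gw auth: FAILED user=admin src=203.0.113.7 dst=plc-booster-01",
    "2023-11-25T10:00:13Z gw auth: FAILED user=admin src=203.0.113.7 dst=plc-booster-01",
    "2023-11-25T10:00:20Z gw auth: SUCCESS user=admin src=203.0.113.7 dst=plc-booster-01",
]

if __name__ == "__main__":
    for kind, src, dst in analyze(CONSTRUCTED_LOG):
        print(f"{kind:22s} src={src} dst={dst}")
```

The `unexpected_source` alert fires on the very first attempt from outside the management range, before any guessing has succeeded; in an environment where OT devices are supposed to be unreachable from the internet, that single event is already a finding about exposure, not just about the attacker.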
Further Best Practices:
- Multi-Factor Authentication (MFA): Implementing MFA adds an additional layer of security, making it significantly more difficult for unauthorized users to gain access to your systems.
- Control Remote Access: If remote access to OT devices is necessary, it should be strictly controlled. Use a company VPN, gateway, or firewall to protect these critical systems.
- Regular Backups: Create and maintain backups of all system configurations. This practice allows for quick resets and recovery in the event of a system compromise.
- Software Updates: Always ensure that all systems operate with the latest software patches and update versions. Regular updates are crucial in protecting against known vulnerabilities.
- Vendor Compliance: Confirm that your vendors and suppliers are adhering to similar security measures. The security of your supply chain is as vital as your internal security practices.
By following these remediation steps, organizations can significantly enhance their defense against the types of attacks employed by groups like Cyber Av3ngers.
Conclusion
The cyberattack on the Municipal Water Authority of Aliquippa is a reminder of the constant risk that cybersecurity efforts protect against. It underscores the urgency for organizations, especially those managing critical infrastructure, to proactively counter such threats. By understanding the tactics used by groups like the Cyber Av3ngers and implementing robust security measures, organizations can build a resilient defense capable of withstanding the complexities of modern cyber warfare.
Contact one of our expert advisors for expert guidance and assistance in securing your environment against such sophisticated threats. At Atlantic Data Security, we’ve been keeping organizations protected with cutting-edge security solutions for thirty years.