Over the past decade, we've seen a vast array of devices and systems connected to the Internet. While this feels like technological progress, there's a dark side to bringing the Internet of Things (IoT) online—these systems come under attack just like any other connected infrastructure. Unfortunately, many SCADA environments today include connected systems with relatively weak security capabilities and configurations, leading to compromise and breach scenarios that are not only dangerous, but could be deadly.
In February 2021, a Florida water plant was compromised remotely, and the attacker attempted to modify the water's chemical makeup. Researchers at CyberNews found 11 breached credentials linked to the water plant from 2017, as well as 13 sets of credentials leaked right before the attack. The attacker used a consumer-grade remote access tool to reach the plant’s SCADA controls and then changed the level of sodium hydroxide (commonly known as lye) in the water from 100 parts per million to 11,100 parts per million. Luckily, in this case, the modification was detected immediately by one of the plant operators, who reverted the change before the breach had any impact on the system or the health of the community. I think we all know that this could have gone terribly, though, and we’ve been talking about these kinds of attacks in the security community for years.
As if that wasn’t bad enough, a bit later, on March 9th, Bloomberg reported a massive security breach of the Verkada network that exposed the live feeds of 150,000 security cameras used in jails, hospitals, and many high-profile companies. The threat actors claimed to have had complete access to an archive of full video for all Verkada customers, which poses major data privacy, security, and even political implications. This breach really illustrated the root of the problem – excessive privileges in IoT/OT platforms and products.
The Verkada breach came about as a direct result of a compromised “super admin” account that was remotely accessible. This last point is important – much has been said about privilege management and about admin accounts that should be more carefully controlled, but the remote access to the services and platforms USING these accounts is far less publicized. In the Florida water treatment plant breach, the attacker gained remote access using admin credentials. The same thing happened in the Verkada compromise. So, what have we been missing? How do we overcome these types of compromise scenarios?
First, it’s critical to realize that remote access has often been provisioned without careful consideration of privileged access scenarios. Compounding this issue is the unique challenge facing OT/IoT environments, with services and platforms that may be somewhat unforgiving in their mode of access.
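The two incidents above share a pattern a defender can monitor for: a privileged account making a process change over a remote session, and a change whose magnitude is far outside normal operating bounds. The following is an added example (not code from the original post or from BeyondTrust) showing a small detection rule set run over constructed SCADA setpoint-change audit records. The audit format, the tag names (`NaOH_dose_ppm`, `chlorine_ppm`), the safe ranges, the account names and the timestamps are all assumptions made for illustration; only the 100 to 11,100 ppm lye change comes from the incident described above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed per-tag operating limits (illustrative values, not a real plant's).
SAFE_RANGES: Dict[str, Tuple[float, float]] = {
    "NaOH_dose_ppm": (0.0, 200.0),
    "chlorine_ppm": (0.0, 4.0),
}
# Any single change that multiplies the previous setpoint by more than this
# factor is suspicious regardless of the absolute limits.
MAX_STEP_FACTOR = 5.0


@dataclass
class SetpointChange:
    ts: str        # timestamp of the change
    user: str      # account that issued the change
    role: str      # e.g. "operator" or "admin"
    session: str   # "local" (HMI console) or "remote" (remote access tool)
    tag: str       # process variable being changed
    old: float
    new: float


def parse_audit_line(line: str) -> SetpointChange:
    """Parse one constructed audit record: ts|user|role|session|tag|old|new."""
    fields = line.strip().split("|")
    if len(fields) != 7:
        raise ValueError(f"malformed audit record: {line!r}")
    ts, user, role, session, tag, old, new = fields
    return SetpointChange(ts, user, role, session, tag, float(old), float(new))


def evaluate(change: SetpointChange) -> List[str]:
    """Return the list of alert codes raised by a single setpoint change."""
    alerts: List[str] = []
    limits: Optional[Tuple[float, float]] = SAFE_RANGES.get(change.tag)
    # Rule 1: the new value is outside the engineered safe range for the tag.
    if limits is not None and not (limits[0] <= change.new <= limits[1]):
        alerts.append("OUT_OF_RANGE")
    # Rule 2: the change is a large jump relative to the previous setpoint.
    if change.old > 0 and change.new / change.old > MAX_STEP_FACTOR:
        alerts.append("LARGE_STEP")
    # Rule 3: a privileged account changed a process value over a remote session.
    if change.session == "remote" and change.role == "admin":
        alerts.append("PRIVILEGED_REMOTE_CHANGE")
    return alerts


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map the timestamp of every flagged record to its alert codes."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        change = parse_audit_line(line)
        alerts = evaluate(change)
        if alerts:
            flagged[change.ts] = alerts
    return flagged


# Constructed sample audit records (assumed format and values).
SAMPLE_AUDIT = [
    "2021-02-05T13:30:00|operator1|operator|local|chlorine_ppm|1.5|1.7",
    "2021-02-05T13:32:00|svc_remote|admin|remote|NaOH_dose_ppm|100|11100",
    "2021-02-05T13:35:00|operator1|operator|local|NaOH_dose_ppm|11100|100",
    "2021-02-05T13:40:00|vendor_support|admin|remote|chlorine_ppm|1.7|1.8",
]

if __name__ == "__main__":
    for ts, alerts in scan(SAMPLE_AUDIT).items():
        print(ts, ", ".join(alerts))
```

The lye change trips all three rules, while the operator's local revert back to 100 ppm trips none: the range check and the step check look at where the value lands, not merely at how far it moved. The vendor's small remote change is still surfaced on the privileged-remote rule alone, which is the point of the post: the privilege and the access path deserve scrutiny even when the process value looks benign.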
The good news? We have a lot of lessons learned, and much better technology today that can help to resolve these challenges.
To learn from more of these real-world breaches, check out my on-demand webinar: Poisoned Privileges: The Wake-Up Call to Harden Remote Access & Password Security for SCADA & IoT Systems. This webinar will also explore the processes you can implement to mitigate privileged remote access risk for all types of environments, including IoT and OT.
Of course, since the date of my live webinar (April 13th), the attacks on critical infrastructure have not stopped. In May, we saw the devastating cyberattack by DarkSide on Colonial Pipeline, taking much of the U.S. East Coast’s fuel supply offline, causing panic at the pump, and disrupting tens of millions of lives for weeks. To learn more about DarkSide attacks and how to formulate a strong cyber defense posture, check out this BeyondTrust blog: Will DarkSide Pipeline Ransomware Attack Fuel Cybersecurity Upgrades for Critical Infrastructure?
Dave Shackleford, Cybersecurity Expert and Founder of Voodoo Security
Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies.