The White House issued an official letter to state governors (March 2024) warning of serious cyberattacks on water and wastewater infrastructure across the country. The threats described in the referenced CISA report should serve as a sobering warning and wake-up call for even seasoned cybersecurity professionals.
Vulnerabilities and poor security posture are primarily caused by systemic issues. In critical sectors such as healthcare, utilities, and public services, cybersecurity is often an afterthought. The best security tools are usually the least visible, which makes it difficult to put improving your cybersecurity posture at the top of your list of financial priorities. When security is working well, the only visible sign is that no attack succeeds, and of course no one expects to be attacked until it's too late.
For many already stretched professionals maintaining water systems, building cyber defenses can be daunting, especially in the face of advanced foreign state-sponsored threat groups around the world. It may seem like an overwhelming task.
Fortunately, there are many great tools and organizations that can help, and there's no wrong place to start when it comes to improving your cybersecurity.
Most cyberattacks rely on relatively simple intrusion vectors. For example, default passwords such as “1111” left unchanged on Unitronics devices commonly used in water and wastewater systems. In fact, credentials repeatedly play a critical role in system compromise and persistence.
CISA attributes the initial access in those incidents to “insufficient password security” and, in its guidance document on top cyber actions to protect water systems, recommends strengthening passwords as the first line of defense. Another major threat discussed in the White House letter concerns a China-based group known as “Volt Typhoon”, which has carried out attacks that extensively and continuously compromised the networks of many critical systems, including communications, energy, transportation, and water and wastewater.
What both of these scenarios (and many others) have in common is the use of valid credentials for both initial access and lateral movement. Misuse of valid credentials allows attackers to maintain persistent access under the guise of legitimate use, which makes credentials a highly valuable asset. CISA's detailed description of Volt Typhoon's actions covers a variety of techniques, including insecurely stored credentials on network devices accessible over the public internet, credential dumping with tools such as Mimikatz, and the use of RDP connections. It provides valuable insight into how credentials are acquired and used during the stages of an attack. The group has also extracted plaintext credentials stored in browser password managers. On systems using Active Directory, Volt Typhoon has been observed to extract the critical NTDS.dit file, which contains all core user data, including password hashes. The attackers can then crack those hashes offline at their leisure to recover plaintext passwords and log in as legitimate AD users.
The risk of this attack can be reduced by enforcing strong password policies for all users. Strong passwords are much harder to crack, and using a service like Enzoic to continuously screen passwords against the lists hackers use to crack passwords provides protection against this critical vulnerability. Enzoic also monitors credentials to ensure users are not using compromised or exposed passwords.
Beyond the cyber measures outlined by CISA regarding password security, the password guidelines set forth in NIST 800-63B further emphasize the importance of cross-referencing passwords against compromise databases and common dictionary words. If a match is found, these guidelines recommend rejecting such passwords or forcing a reset. This highlights the imperative to have robust password security measures in place across all sectors, including critical infrastructure such as the U.S. water system.
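As an added illustration of the NIST 800-63B screening described above (example code written for this page, not Enzoic's product or API), the following Python checks a candidate password against a constructed breach corpus and dictionary. The breach corpus is indexed by SHA-1 prefix to mirror the k-anonymity range-query model many screening services use; the corpus, word list and hypothetical `range_lookup` helper are all constructed for the example.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-in for a breach corpus, indexed the way range-query
# screening APIs do it: 5-hex-char SHA-1 prefix -> set of 35-char suffixes.
# A client only ever transmits the prefix, so the full hash never leaves the host.
_SAMPLE_BREACHED = ("1111", "password", "Summer2023!", "Welcome1!")
BREACH_RANGES: dict[str, set[str]] = defaultdict(set)
for _pw in _SAMPLE_BREACHED:
    _h = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    BREACH_RANGES[_h[:5]].add(_h[5:])

# Constructed dictionary of common and context-specific words; NIST 800-63B
# calls for rejecting dictionary words, not only breached passwords.
DICTIONARY_WORDS = {"water", "plant", "admin", "welcome", "utility"}


@dataclass
class Verdict:
    accepted: bool
    reason: str


def range_lookup(prefix: str) -> set[str]:
    """Hypothetical local stand-in for a k-anonymity range query: given a
    5-char SHA-1 prefix, return every known breached suffix under it."""
    return BREACH_RANGES.get(prefix.upper(), set())


def is_breached(candidate: str) -> bool:
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def screen_password(candidate: str, min_length: int = 8) -> Verdict:
    """Reject passwords NIST 800-63B says a verifier should not accept."""
    if len(candidate) < min_length:
        return Verdict(False, "shorter than minimum length")
    if is_breached(candidate):
        return Verdict(False, "found in breach corpus")
    lowered = candidate.lower()
    # Catch "water123!" as well as "water": strip trailing digits and symbols.
    stem = lowered.rstrip("0123456789!@#$%^&*()-_=+.")
    if lowered in DICTIONARY_WORDS or stem in DICTIONARY_WORDS:
        return Verdict(False, "dictionary word")
    if len(set(candidate)) == 1:
        return Verdict(False, "repeated single character")
    return Verdict(True, "ok")
```

A real deployment would replace `range_lookup` with a call to a screening service and re-run the check periodically, since a password that passes today can appear in a breach tomorrow.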
While confronting these complex threats may seem out of reach for smaller organizations and chronically under-resourced districts and utilities, there is help available. Like CISA, WaterISAC provides helpful guidance. Funding is available through multiple avenues to strengthen organizational resilience and compliance with cybersecurity standards.
Learn more about NIST password guidelines that align with White House and CISA directives.
The post “Strong Passwords: A Keystone of Cybersecurity for Water and Wastewater Infrastructure” was first published on Enzoic.
This is a syndicated Security Bloggers Network post, created by Enzoic. Read the original post: https://www.enzoic.com/blog/water-and-wastewater-infrastructor/