A Keystone of Cybersecurity for Water and Wastewater Infrastructure: Strong Passwords

The White House put out an official letter to governors (March 2024) warning of severe cyberattacks directed at water and wastewater infrastructure across the country. The threats described in the referenced CISA reports should be a strident warning and wake-up call, even to seasoned cybersecurity practitioners.

The vulnerabilities and poor security postures largely stem from systemic issues; cybersecurity often takes a backseat in critical sectors like healthcare, utilities, public services, etc. It is difficult to get cybersecurity posture improvements to the top of the financial priority list, since the best tools are usually the most invisible: the sign of optimal function is simply a lack of successful attacks, and no one expects to be attacked until it is, of course, too late.

Building up cyber defenses may appear a daunting and overwhelming task to many of the already over-stretched professionals who maintain our water systems, especially when faced with advanced foreign state-backed threat actor groups from around the world.

Fortunately, there are many excellent tools and organizations that can assist, and there’s no wrong place to start when it comes to improving cybersecurity.

Most cyberattacks rely on relatively simple entry vectors; for example, not changing default passwords like ‘1111’ on Unitronics devices commonly used in water and wastewater systems. In fact, credentials play an important and repeated role in system intrusion and persistence.

CISA attributes the initial access to “poor password security” and encourages password strengthening as a first line of defense in its guidance document Top Cyber Actions for Securing Water Systems. Another large threat discussed in the White House’s letter concerns a PRC-based group known as ‘Volt Typhoon’ that conducted attacks resulting in extensive and persistent compromise of many critical systems networks, including communications, energy, transportation, and water/wastewater.

Common to both these scenarios (and many others) is the use of valid credentials for both initial access and lateral movement. Abusing valid credentials can allow the attacker to gain persistent access, often masquerading as a legitimate user, making credentials an invaluable asset. CISA’s detailed description of Volt Typhoon’s actions provides some valuable insight into exactly how these are obtained and used at many different stages, including insecure storage of the credentials on network devices accessible through the public internet, credential dumping using tools like Mimikatz, and using RDP connections to exfiltrate plaintext credentials stored in browser password managers. On systems using Active Directory, Volt Typhoon has been observed extracting the critical NTDS.dit file, which contains all the core user data, including password hashes. They can then take their time and crack the hashes at their leisure to obtain the plaintext passwords, and then log in disguised as legitimate AD users.

The risk of this attack can be mitigated by enforcing strong password policies on all users: strong passwords are much more difficult to crack, and using a service like Enzoic to constantly screen passwords against the very lists that hackers use to crack passwords can provide protection against this critical vulnerability. Enzoic also monitors credentials to ensure users are not using compromised or exposed passwords.

Apart from the cyber measures outlined by CISA concerning password security, the password guidelines set forth in NIST SP 800-63B further underscore the importance of cross-referencing passwords with breach databases and common dictionary words. If a match is found, these guidelines advocate for the rejection or forced reset of such passwords. This highlights the imperative of implementing robust password security measures across all sectors, including critical infrastructure like the water systems in the United States.
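The screening the NIST guidance calls for, as an added example that is not code from Enzoic or from the original post: a function that rejects a candidate password when it is too short, appears in a breach corpus, is a dictionary or context-specific word (service name, username), or is built from repeated or sequential characters. The breach corpus, the word list and the prefix-based (k-anonymity style) lookup are constructed stand-ins for a real screening feed.

```python
import hashlib

# Constructed breach corpus (hashes computed here, not a real feed), indexed by
# the first 5 hex chars of the SHA-1 the way a k-anonymity feed serves them.
_BREACHED = {"password", "1111", "admin", "welcome1", "Summer2023!"}
BREACH_INDEX = {}
for _pw in _BREACHED:
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])

# Constructed word list: common words plus sector-specific terms.
DICTIONARY_WORDS = {"password", "water", "utility", "plant", "district", "scada"}

def breach_suffixes(prefix):
    """Stand-in for a k-anonymity range query (only the prefix leaves the client)."""
    return BREACH_INDEX.get(prefix, set())

def is_breached(password):
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in breach_suffixes(digest[:5])

def _is_sequential(s):
    """True for runs such as '12345678' or 'abcdefgh' (constant step of +/-1)."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(s) >= 3 and steps in ({1}, {-1})

def screen_password(password, username="", service_words=()):
    """SP 800-63B memorized-secret checks; returns rejection reasons ([] = accept)."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if is_breached(password):
        reasons.append("found in breach corpus")
    lowered = password.lower()
    # The alphabetic core catches 'Water2024!' as the dictionary word 'water'.
    core = "".join(c for c in lowered if c.isalpha())
    for word in sorted(DICTIONARY_WORDS | {w.lower() for w in service_words}):
        if core == word:
            reasons.append(f"is the dictionary or context word '{word}'")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    if len(set(password)) == 1:
        reasons.append("single repeated character")
    if _is_sequential(password):
        reasons.append("sequential characters")
    return reasons

if __name__ == "__main__":
    for pw in ["1111", "Water2024!", "12345678", "granite-lantern-orbit-42"]:
        print(pw, "->", screen_password(pw, "operator", ("Water",)) or ["ok"])
```

A production deployment would replace the in-memory corpus with a live breach feed and apply the same reject-or-force-reset outcome the guidelines describe.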

While confronting these complex threats may seem out of reach for small organizations or chronically under-resourced districts and utilities, there is help available. WaterISAC provides helpful guidance, as does CISA. Funding is available through multiple avenues to help organizations bolster their resilience and compliance with cybersecurity standards.

Learn more about NIST password guidelines that dovetail with the White House and CISA directives here.

Dylan Hudson

Dylan leads the Threat Research team at Enzoic, developing and implementing cutting-edge threat intelligence infrastructure to help protect users and organizations from cyberattacks. When not at work, he can be found hiking and biking in the Rocky Mountains or playing traditional Celtic music on various stringed instruments.