Legacy Cyber Attitudes have Come Home to Bite Operational Technology (OT) Systems

February 12, 2021

By Dr. Ron Martin, Capitol Tech's Professor of Practice in Critical Infrastructure, Industrial Control System Security, and Access and Identity Management

Our critical infrastructure OT systems run on legacy computer systems. To make the problem worse, many OT system operators are connecting these systems to information technology (IT) enterprise networks without cybersecurity planning, resulting in security incidents such as the breach of the Oldsmar, Florida water system by malicious attackers. These hackers accessed the chemical feed system and raised the sodium hydroxide (lye) level to an unsafe amount. Unfortunately, this is not an isolated incident.

“An NSSE is a designated event that, due to its political, economic, social, or religious significance, may be the target of domestic/international criminal activity (terrorism) as a result of national significance and high visibility, requiring the lead of Secret Service.” Due to the size of the crowd drawn by the Super Bowl, the event matched the description of an NSSE and required heightened awareness of security risks in and around the NSSE location.

On February 9, 2021, the Massachusetts Department of Environmental Protection Agency reported to its system operators that this incident occurred in part because the utility used an unpatched Windows 7 system connected to the internet without firewall protection [1]. The agency issued five key recommendations. The most significant is for system operators to restrict all remote connections to OT systems, specifically those that allow physical control and manipulation of devices within the OT network. Where OT systems must be monitored remotely, one-way (unidirectional) monitoring devices should be used.

This guidance mirrors an alert issued by the Cybersecurity & Infrastructure Security Agency (CISA) [2]. The National Security Agency (NSA) and CISA jointly recommended “Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems.” Critical infrastructure organizations should review these recommendations, which include Harden the Network, Create an Accurate “As-operated” OT Network Map, and Evaluate Cyber-risk on “As-operated” OT Assets. An effective tool for operators to perform a self-assessment is the Cyber Security Evaluation Tool (CSET®), which provides a systematic, disciplined, and repeatable approach for evaluating an organization’s security posture. CSET is a desktop software tool that guides asset owners and operators through a step-by-step process for assessing industrial control system (ICS) and information technology (IT) network security practices. Users can evaluate their cybersecurity stance against many recognized government and industry standards and recommendations. Capitol Technology University integrates CSET® within our Critical Infrastructure, Industrial Control System, and Controlled Unclassified Information courses.
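The two boundary rules above, restricting inbound remote connections into the OT zone and allowing only one-way monitoring traffic out of it, can be checked against firewall flow logs. The following is an added example written for this article, not code from the author, the Massachusetts advisory, CISA or NSA; the zone names, the monitoring collector port (5044) and the flow records are constructed assumptions.

```python
# Added example (not from the article or the cited advisories): audit constructed
# firewall flow records against two policy rules from the guidance above:
#   1. no inbound remote sessions from IT or the internet into the OT zone;
#   2. OT may only initiate one-way monitoring flows to an allow-listed collector.
from dataclasses import dataclass

# Well-known ICS protocol ports; an inbound session to these can manipulate devices.
CONTROL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7comm"}
OT_ZONE = "OT"
# Assumed (zone, port) pairs that OT hosts may push telemetry to, e.g. a historian
# behind a unidirectional gateway. Hypothetical value for this example.
ALLOWED_OT_EGRESS = {("IT", 5044)}

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    action: str  # "allow" or "deny" as logged by the firewall

def audit_flows(flows):
    """Return human-readable findings for allowed flows that violate the policy."""
    findings = []
    for f in flows:
        if f.action != "allow":
            continue  # blocked traffic is the desired outcome; nothing to flag
        if f.dst_zone == OT_ZONE and f.src_zone != OT_ZONE:
            # Any inbound session into OT is a finding; control protocols are worse.
            sev = "CRITICAL" if f.dst_port in CONTROL_PORTS else "HIGH"
            proto = CONTROL_PORTS.get(f.dst_port, "tcp/%d" % f.dst_port)
            findings.append(f"{sev}: inbound {f.src_zone}->OT session to {proto}")
        elif f.src_zone == OT_ZONE and f.dst_zone != OT_ZONE:
            if (f.dst_zone, f.dst_port) not in ALLOWED_OT_EGRESS:
                findings.append(f"MEDIUM: OT->{f.dst_zone} flow to port {f.dst_port} "
                                "outside the monitoring allow-list")
    return findings

# Constructed sample records (not real telemetry).
SAMPLE_FLOWS = [
    Flow("Internet", "OT", 5900, "allow"),  # remote desktop-style access from the internet
    Flow("IT", "OT", 502, "allow"),         # IT workstation reaching a Modbus PLC
    Flow("OT", "IT", 5044, "allow"),        # one-way telemetry to the collector
    Flow("OT", "Internet", 443, "allow"),   # OT host reaching out to the internet
    Flow("Internet", "OT", 502, "deny"),    # blocked, as it should be
]

if __name__ == "__main__":
    for line in audit_flows(SAMPLE_FLOWS):
        print(line)
```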

U.S. critical systems are and will continue to be attacked by malicious actors. Water systems and other OT systems must be assessed and evaluated to mitigate vulnerabilities and reduce successful unwanted intrusions.

Capitol Tech offers multiple Security, Intelligence and Critical Infrastructure, Construction, Facilities and Safety, and Cyber and Information Security bachelor's, master's, and doctoral degree programs taught by experts like Dr. Martin.

References

1. Commonwealth of Massachusetts. (2021). Cybersecurity Advisory for Public Water Suppliers. Retrieved from https://www.mass.gov/service-details/cybersecurity-advisory-for-public-water-suppliers.

2. Cybersecurity & Infrastructure Security Agency. (2020, July 23). Alert (AA20-205A). Retrieved from https://us-cert.cisa.gov/ncas/alerts/aa20-205.