As we develop the concept of CINET, one of our main challenges is to illustrate how separation of control networks from the public Internet and the existence of a dedicated channel for information sharing could help make our infrastructure more resilient to cyber-attacks. There are only a few public cases of disruptive or disruptive cyber attacks targeting critical infrastructure. At this point, Stuxnet and the Ukraine power grid attacks have been beaten to death.
In a series of posts, we are going to review a few less well-known ones. For those readers who treat the Verizon Data Breach Incident Report as the Bible of cybersecurity, this case study will be familiar. For the rest of you, here is a brief recap.
A water district only identified by the pseudonym ‘Kemuri Water Company’ was the target. Verizon’s team found that the company’s IT system architecture consisted of an organizational management network, payment processing and financial data server and operational technology system were connected to a single IBM AS-400 computer system which was connected to the public internet.
They also found that there was only a single administrator that knew how to operate the IBM system. The AS-400 is a server system that was first released in 1988 and was certainly out of date by 2015. Verizon found that the web application and server being used for payment processing and customer monitoring of accounts lacked the proper access control features and had been exploited by internet protocol (IP) addresses associated with a known hacktivist group to compromise personal identifiable information of customers and their payment information.
Verizon also found the IP address, credentials and initialization program for the AS-400 server were located on the water district’s webserver in an unencrypted easily accessible format as well as “a direct cable connection” between the AS-400 and the webserver.
The attackers used these credentials to gain access to the AS-400 which was also connected to the industrial control systems (ICS) for the water district. Continuing with those same credentials they used the application that controlled PLCs to “manipulate the system to alter the amount of chemicals that went into the water supply and thus handicap water treatment and production capabilities” throughout the water district. The attackers fortunately did not have an intimate knowledge of water treatment operations and their manipulation did not cause significant damage.
The case outlined by Verizon is an excellent example of the need for CINET. The implications of outsider remote control of water and chemical treatment facilities could be catastrophic; especially if the malicious actors have an understanding of how to manipulate programmable logic controllers and other operational technology systems associated with water treatment and processing. This breach highlights a primary function of CINET which is segmentation of services and internet access.
If CINET had been implemented at the Kemuri Water Company, ICS systems would have been run and controlled on CINET without being accessible by public internet. That would have eliminated the link between the payment processing and account applications webserver, AS-400 and the ICS systems. Even if the credentials of the ICS system were inadvertently stored a vulnerable area as they were in this case, the separation would make the system difficult to exploit without an insider being involved. CINET also could have helped the water district know they were being attacked in the first place. The malicious IP addresses used here were known to Verizon (and probably other organizations) as being associated with an active hacktivist group. Using CINET information sharing, these IPs could have been disseminated and firewall rules or intrusion detection devices updated to flag or prevent their access to web applications. Finally the water company was using antiquated servers to administer their ICS systems; this is unfortunately probably more the norm than we would like to think, but with CINET at the very least these servers would be left off of the public internet and therefore lower their exposure to be exploited.
The need for CINET here is clear, had this water company been targeted by an organization or nation state actor with the knowledge and intent not to steal credit card information but to disrupt a resource needed for basic survival it would have succeeded. CINET would have alerted the company to the malicious actors IPs prior to their attempts, which would have prevented the breach of PII and also ensured segmented networks which secure the ICS systems.