Tales from the Road: Water Utilities, Take Warning!

If you don’t want to issue the dreaded boil-water advisory then make sure your wireless network is hacker- proof.

How our team was able to drive up to a municipal water utility, join the wireless SCADA network and gain the access needed to do some major damage to the water supply – all in 10 minutes flat.

If we told you that hacking into the wireless SCADA network of a municipal utility supplying water (not only to the city but also to a nearby government facility) was as easy as sitting in your car just outside the security fence and logging in, no password needed, you might think it seemed pretty far-fetched*. Almost as far-fetched as walking into a municipal facility with a broken door latch and gaining access to the SCADA system by entering a password found on a post-it note next to an operator machine. True. Story. Don’t let it be yours!

*Although if you read this current news story, maybe this wouldn’t seem that far-fetched at all: Hacker altered chemicals in Oldsmar water supply to ‘damaging’ levels, sheriff says… Not the type of publicity you want to get.

The cyber security group of a municipal utility that has three different SCADA systems – power, water and wastewater – enlisted the services of DirectDefense to perform a comprehensive security assessment test of the organization’s SCADA environments. The goal of the engagement was to review the organization’s environment for threats that could affect their overall security posture in a negative way, and provide guidance and strategic support to resolve any identified issues.

While all three systems had their fair share of problems, the water system stood out in terms of the type of damage that could be done if someone with ill-intent got a foothold on the network. Here we reveal some of the biggest issues we uncovered and, more importantly, how they could easily be prevented.

A weak password is your weakest link.
When our team arrived at the water utility site, they found the wireless network in five minutes. Next, they sat down at the SCADA console, and noticed a yellow sticky note with the username and password “operators, operator”, this took another 5 minutes.

Not only was the password for the SCADA system weak and easily guessable, it was also publicly displayed in plain text for anyone to see. Our team also observed that plain-text passwords were displayed in multiple places within this site. As a municipal owned building who gives regular public tours, this represents a significant security risk. To make matters worse, the passwords in use were the defaults that came from the system integrator – they never changed them. (We did a little research and found another city network of the same type that also had been given the same password and it was on the internet!)

Hint: Create strong passwords (we can help you with that) and never physically display full passwords, even if they are masked.

Why have a security fence when your wireless network is open?
The next day, our team went back and tested the water utility from outside the security fence that goes around the perimeter of the building. They discovered that the wireless network had a wireless access point with no password – so they were literally able to drive up, sit in their car and log into the water SCADA wireless network. Just like that.

With complete access to the water SCADA environment, as well as the corporate environment, our team directly utilized this vulnerability, among others, to compromise the organizations active directory domain. Imagine what a true attacker would do? Wait for it…

Hint: It might sound obvious, but please, put a password on the wireless network. While you’re at it, why not go the extra mile and put some wireless security controls in place – such as a Wireless Intrusion Prevention System (WIPS) – to get notified of any unauthorized wireless access points appearing within the wireless environment.

Don’t make it too easy.
If the plain-text passwords displayed throughout the facility and the open wireless network didn’t make it easy enough for an attacker to get in, not to worry… There was the unlocked door and the switch in the public restroom.

Yes, you heard that right.
Our team had no trouble gaining physical access to one water treatment plant by simply walking right in through the unlocked door (the electromagnetic locks were not functioning). The building was therefore, unsecured. Another water treatment plant housed a SCADA switch located within a first-floor public restroom. (No option for video surveillance there!)

Hint: Make sure your door locks work (repair them if they don’t) and be sure to securely locate all sensitive equipment – the public restroom will never cut it.

Welcome to every water utility’s worst nightmare…
Ok, so at this point you are probably wondering just what type of damage could be done if a water supply system became compromised at the hands of an attacker, not to mention, why would they do it in the first place.

At a minimum, they could mess with the water system by turning the pumps on and off, lock them out of their systems and back up the sewers. But if they really wanted to turn up the heat, with access to the drinking water treatment facilities, they could poison the water by changing the chemical levels until the water becomes unsafe to drink*. This could not only make the entire city sick, but it would do the same to the U.S. army special operations residing at the nearby government facility Think war plan. In addition, they could elongate the problem by installing ransomware or malware as well.

*Remember that news story referenced above? According to the local sheriff, the hacker increased the sodium hydroxide levels in the city’s water from 100 parts per million to 11,100 parts per million – a significant and potentially dangerous increase.

But who would want to do such a thing? What exactly is the motivation for attacking a municipal facility?
The reality is, like this one, most municipal utilities support a federal government or DoD facility, making them top targets for state sponsored threat actors, cyber criminals looking for monetary gain and hackers looking to make a name for themselves. These players know that it pays to attack the municipal government who oftentimes have the weakest defenses, and attacks go public the fastest.

The bottom line.
No municipal utility wants to suffer the reputational and financial damage that will come when having to issue a boil-water advisory. However, that is exactly what they would be required to do if someone else had control of the water supply for any period of time – even if they didn’t do anything to make the water unsafe to drink.

Hint: Many SCADA systems were designed in an era when security was not a primary focus and, in many instances, not a consideration at all. The SCADA security consultants at DirectDefense focus specifically on identifying mechanisms to secure SCADA systems without a complete redesign or significant architecture changes in order to enable security controls that will protect the environment.

Tip: Don’t get caught with an insecure network in the first place!

Team Up with DirectDefense
Let DirectDefense put your SCADA systems to the test and make your network hacker-proof. Call us to schedule a SCADA assessment today!