How DirectDefense uncovered weaknesses in a municipality’s SCADA systems and a need for SCADA network segmentation
A large municipality enlisted the services of DirectDefense to perform a Critical Infrastructure Assessment of the SCADA network controlling their water and electric services. During the SCADA assessments, our team identified several weaknesses that demonstrated the need for SCADA network segmentation to minimize two-way communication between the network controlling vital municipal services and the enterprise network.
SCADA Systems: Did You Know?
Many SCADA systems still in use in critical water and electric environments were built in an era when cybersecurity was not a design consideration. They were designed with little or no thought for security, which makes them especially vulnerable to today’s common and emerging threats.
Some real-world context on the danger of that missing security: 2019 saw 708 distinct SCADA security incidents, more than the previous four years combined. That is a staggering increase in the exploitation of these devices and networks, and it calls for a specific emphasis on securing and hardening them.
Sound the SCADA Alarm: A Call to Wake Up
In a white paper published in 2019 by the American Water Works Association (AWWA) it was shared that “Government intelligence confirms the water and waste-water sector is under a direct threat as part of a foreign government’s multi-stage intrusion campaign, and individual criminal actors and groups threaten the security of our nation’s water and wastewater systems’ operations and data.”
Similarly, a 2021 white paper from the North American Electric Reliability Corporation (NERC) identified “Loss of Awareness” as the largest contributing factor to cyber attacks on electric SCADA systems. That deficiency takes many forms, from complacency with existing security (or the lack of it) to leaving security out of the picture while focusing on keeping operations running.
Case in Point
Our assessment provided further evidence that SCADA systems, if left unchecked, can provide an easy way for a bad actor to do some major damage – think contaminating the public water supply or creating a black-out condition. This is the kind of publicity that your municipality doesn’t need.
For the internal portion of the assessment, the municipality gave us access to the SCADA network, and right away we could see the enterprise systems from it. That visibility meant there was two-way communication between the two networks, which is a significant security weakness.
This access was the first indication that the municipality’s SCADA system needed better network segmentation so that adjacent networks could not be reached from it. One of the SCADA networks in particular had a wireless network that was hidden but unauthenticated, a significant and largely unnecessary risk. It had been set up for on-the-go administration of the SCADA systems from a tablet. Hiding the SSID adds no real protection: the name is carried in the probe and association frames of every legitimate client, so anyone sniffing 802.11 traffic recovers it as soon as the tablet connects. Without authentication, the network is a gallery-sized window for anyone looking to capture traffic or map out the network.
Facilitating this type of access creates the opportunity for a malicious actor to make changes to the water or electric systems that can impact operations, services, or public health – any of which can lead to costly, disruptive, and even dangerous implications for a municipality.
During internal testing of the electric SCADA, DirectDefense was able to:
- Perform coerced authentication attacks (forcing hosts to authenticate to an attacker-controlled machine so that their credential hashes can be captured or relayed).
- Obtain all local domain user password hashes and create a new Domain Admin account.
- Compromise the local domain.
- Egress the electric SCADA network to an Internet-based DirectDefense command and control server via DNS tunneling.
An attacker with this level of access would have full control of domain-joined workstations that are used to manage the electrical distribution and electrical generation SCADA systems.
During internal testing of the water SCADA system, DirectDefense was able to:
- Perform coerced authentication attacks and obtain hashed user account credentials for the local domain.
- Gain access to internal network resources such as domain controllers.
- Egress from the unrestricted wired water SCADA network to an Internet-based DirectDefense command and control server via DNS tunneling.
An attacker on either the SCADA wireless network or the wired water SCADA network would be able to attack systems on the corporate network.
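Both SCADA networks allowed egress to the Internet over DNS tunneling, which is one of the quietest ways out of a control network because port 53 is almost never filtered. The following detector is an added example written for this article, not DirectDefense's tooling or anything from the assessment: it scores resolver log lines per (client, base domain) on four indicators typical of a DNS tunnel (long subdomains, high-entropy labels, TXT/NULL-heavy query mix, and names that never repeat, since a tunnel must defeat caching) and flags a pair when at least two indicators trip over a minimum number of queries. The log format, client addresses, domain names and thresholds are all constructed assumptions.

```python
"""Heuristic DNS-tunnelling detection over DNS query logs.

Added example; the log format, client addresses, domain names and thresholds
are constructed for illustration and are not from the assessment.
"""
import math
import re
from collections import defaultdict

# Constructed sample resolver log: "<epoch> <client-ip> <qtype> <qname>".
# 10.20.5.14 is ordinary lookups; 10.20.5.41 is pushing data out through
# TXT queries with long, never-repeating, high-entropy subdomains.
SAMPLE_LOG = """\
1700000000 10.20.5.14 A www.example.com
1700000001 10.20.5.41 TXT 3a8f2c1e9b7d4f6a0c2e5b9d1f.ae47c0b291.t.example-c2.test
1700000002 10.20.5.14 A www.example.com
1700000003 10.20.5.41 TXT 7e1d0b9c5a3f2e8d6c4b1a0f9e.5d2c8b1a73.t.example-c2.test
1700000004 10.20.5.14 A mail.example.com
1700000005 10.20.5.41 TXT c4b6a9e2d1f0e3c8b7a5d4f1e0.9b3e7a1c02.t.example-c2.test
1700000006 10.20.5.22 A ntp.pool.example.org
1700000007 10.20.5.41 TXT 1f9e8d7c6b5a4f3e2d1c0b9a8f.e6a2d4c8b0.t.example-c2.test
1700000008 10.20.5.14 A www.example.com
1700000009 10.20.5.41 TXT 5b2c9d8e7f1a0b3c4d6e5f2a1b.7c1e9b3d5f.t.example-c2.test
1700000010 10.20.5.14 A api.example.com
1700000011 10.20.5.41 TXT e8a7f6c5d4b3a2f1e0d9c8b7a6.2f4e6a8c0b.t.example-c2.test
1700000012 10.20.5.14 AAAA www.example.com
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>[\d.]+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)


def shannon_entropy(text):
    """Bits per character; random hex/base32 labels score far above real words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (base domain, subdomain). Base = last two labels, a simplification
    that misfires on public suffixes such as co.uk (use a public-suffix list there)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines, min_queries=5, min_sub_len=30.0, min_entropy=3.0,
            min_txt_share=0.5, min_unique_ratio=0.9):
    """Aggregate per (client, base domain) and score the tunnelling indicators."""
    per_pair = defaultdict(lambda: {"queries": 0, "sub_len": 0.0,
                                    "entropy": 0.0, "txt": 0, "subs": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        base, sub = split_name(rec["qname"])
        s = per_pair[(rec["client"], base)]
        payload = sub.replace(".", "")  # the part an attacker controls per query
        s["queries"] += 1
        s["sub_len"] += len(payload)
        s["entropy"] += shannon_entropy(payload)
        if rec["qtype"] in ("TXT", "NULL"):
            s["txt"] += 1
        s["subs"].add(sub)

    findings = []
    for (client, base), s in sorted(per_pair.items()):
        n = s["queries"]
        indicators = []
        if s["sub_len"] / n >= min_sub_len:
            indicators.append("long subdomains")
        if s["entropy"] / n >= min_entropy:
            indicators.append("high-entropy labels")
        if s["txt"] / n >= min_txt_share:
            indicators.append("TXT/NULL heavy")
        if len(s["subs"]) / n >= min_unique_ratio:
            indicators.append("never-repeating names")
        findings.append({"client": client, "domain": base, "queries": n,
                         "indicators": indicators,
                         "suspicious": n >= min_queries and len(indicators) >= 2})
    return findings


def suspicious_pairs(lines):
    return [(f["client"], f["domain"]) for f in analyze(lines) if f["suspicious"]]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['client']:12} {f['domain']:20} "
              f"n={f['queries']} {f['indicators']}")
```

The thresholds are a starting point to tune against a baseline of the network's own traffic. On a control network the stronger control is the one the assessment points at: workstations there should not be able to resolve arbitrary external names at all, so any query to a domain outside a short allow list is itself the alert, regardless of what the heuristics say.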
A Secure SCADA Network is a Segmented SCADA Network
The most significant finding was the lack of network segmentation on one of the SCADA networks. Without proper segmentation, an attacker who obtains access to any internal network can move laterally within that environment and across into the others. Ransomware would be able to move from the corporate network to the SCADA network, infecting vital workstations and servers.
For municipalities, internal security gaps like the ones we identified can result in serious consequences. Operations could be completely shut down, forcing manual operation of essential public services, and sensitive customer data could be exfiltrated and divulged.
To manage some of the immediate threats this municipality is facing, both internally and externally, we made several recommendations:
- Deploy advanced endpoint protection across the municipality’s public works networks
- Improve network segmentation between the enterprise and SCADA networks, and restrict SCADA egress to the Internet
- Implement system security configuration and hardening
- Conduct real-time threat monitoring
- Disable unnecessary ports and services
- Change default passwords
- Add password complexity requirements for employees and stakeholders
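"Improve network segmentation" is easy to write and hard to verify. One way to make it checkable is to state the intended design as an explicit allow list of zone-to-zone flows and audit the firewall rules against it. The example below is added for this article and is not the municipality's configuration or DirectDefense's tooling; the zone names, ports, rule names and intended design are assumptions. The "before" ruleset carries the two weaknesses the assessment describes (a flat path from the enterprise into a control network, and DNS allowed out of the control network to anywhere, which is exactly the tunneling egress path), and the "after" ruleset sits beside it.

```python
"""Audit zone-based firewall rules against an intended SCADA segmentation design.

Added example; zone names, ports, rule names and the intended design are
assumptions for illustration, not the municipality's configuration.
"""
from dataclasses import dataclass

ZONES = ("enterprise", "scada_dmz", "water_control", "electric_control", "internet")
SCADA_ZONES = {"scada_dmz", "water_control", "electric_control"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # zone name or "any"
    dst: str     # zone name or "any"
    proto: str   # "tcp", "udp" or "any"
    port: str    # port number as a string, or "any"
    action: str  # "allow" or "deny"


# Intended design (assumption): the enterprise reaches only the historian in the
# DMZ over HTTPS; each control network pushes to the historian and uses a DMZ
# resolver that does not forward arbitrary names to the Internet; nothing else
# crosses a zone boundary, and the final rule denies everything.
POLICY = {
    ("enterprise", "scada_dmz", "tcp", "443"),
    ("water_control", "scada_dmz", "tcp", "1433"),
    ("electric_control", "scada_dmz", "tcp", "1433"),
    ("water_control", "scada_dmz", "udp", "53"),
    ("electric_control", "scada_dmz", "udp", "53"),
}

# Constructed "before" ruleset: a flat path from the enterprise into the water
# control network, and unrestricted DNS out of it (the tunnelling egress path).
WEAK_RULES = [
    Rule("corp-to-water-any", "enterprise", "water_control", "any", "any", "allow"),
    Rule("water-dns-out", "water_control", "any", "udp", "53", "allow"),
    Rule("enterprise-historian-https", "enterprise", "scada_dmz", "tcp", "443", "allow"),
    Rule("water-historian", "water_control", "scada_dmz", "tcp", "1433", "allow"),
    Rule("electric-historian", "electric_control", "scada_dmz", "tcp", "1433", "allow"),
    Rule("default-deny", "any", "any", "any", "any", "deny"),
]

# Corrected ruleset: the flat path is gone and DNS only reaches the DMZ resolver.
HARDENED_RULES = [
    Rule("enterprise-historian-https", "enterprise", "scada_dmz", "tcp", "443", "allow"),
    Rule("water-historian", "water_control", "scada_dmz", "tcp", "1433", "allow"),
    Rule("electric-historian", "electric_control", "scada_dmz", "tcp", "1433", "allow"),
    Rule("water-dns-dmz", "water_control", "scada_dmz", "udp", "53", "allow"),
    Rule("electric-dns-dmz", "electric_control", "scada_dmz", "udp", "53", "allow"),
    Rule("default-deny", "any", "any", "any", "any", "deny"),
]


def zone_pairs(rule):
    """Expand 'any' so a broad rule is checked against every boundary it opens."""
    srcs = ZONES if rule.src == "any" else (rule.src,)
    dsts = ZONES if rule.dst == "any" else (rule.dst,)
    return [(s, d) for s in srcs for d in dsts if s != d]


def audit(rules, policy=POLICY):
    """Return (rule name, src, dst, detail) for every allowed flow that touches a
    SCADA zone and is not in the intended design. A rule whose proto or port is
    'any' is never covered, because the design names specific services."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        for src, dst in zone_pairs(rule):
            if src not in SCADA_ZONES and dst not in SCADA_ZONES:
                continue  # enterprise <-> Internet traffic is out of scope here
            if (src, dst, rule.proto, rule.port) in policy:
                continue
            if dst == "internet":
                reason = "control-zone egress to the Internet (tunnelling/C2 path)"
            elif "control" in src or "control" in dst:
                reason = "direct path into or out of a control network, bypassing the DMZ"
            else:
                reason = "flow not in the intended design"
            findings.append((rule.name, src, dst, f"{rule.proto}/{rule.port}: {reason}"))
    return findings


def flagged_rule_names(rules, policy=POLICY):
    return sorted({name for name, _, _, _ in audit(rules, policy)})


if __name__ == "__main__":
    for finding in audit(WEAK_RULES):
        print("WEAK    ", finding)
    print("HARDENED findings:", audit(HARDENED_RULES))
```

The audit is only as good as the policy set, so the policy should be reviewed with the operators who know which flows the historian, HMIs and engineering workstations genuinely need; everything not on that list is what the attacker uses.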
Got SCADA? Then you need to SECURE it!
The threats to municipalities are always evolving. Regularly scheduled cyber assessments by an independent third party such as DirectDefense give CISOs and SCADA managers prioritized recommendations for improving both physical security and cybersecurity.
SCADA services are often critical to everyday life. If you have SCADA systems, NOW is the time to deploy our security consultants to assess your critical SCADA infrastructure environments in a safe and non-intrusive manner so you can avoid any disruptions or downtime (or worse).
Contact Us Today!
Get a full picture of your entire networked environment to see how secure your organization is from malicious attackers. Visit directdefense.com or call us at 1 888 720 4633.