60 Minutes Special Report: Littleton, MA Water Company Hacked for Over a Year Without Knowing

A small-town water utility. Full access to chemical dosing and pumping systems. Foreign attackers sitting undetected for years. This isn’t a movie plot, it’s America’s critical infrastructure today.

Today’s edition of Breach Brief Weekly is a brief but sober one, as it almost hit home for us at Granite State InfoSec Consulting LLC.

CBS’ 60 Minutes just published a report about the water and electric utility company in the small town of Littleton, Massachusetts being unknowingly compromised for well over a year by a foreign entity. They were one of more than 200 known compromised organizations in the US at the time. Some intrusions on those networks trace back as far as five years ago.

Littleton is less than 40 miles from where we live, and it is even smaller than our hometown.

A small-town hack, a big warning for U.S. security (CBS YouTube Video)

America’s critical infrastructure is being hacked, former NSA and retired General warns (CBS News)

The attackers had full access to the chemical dosage pumps in treatment plants that apply chlorine and other chemicals to drinking water. Tampering with them could cause chemical burns to consumers or let unsanitary water reach homes.

They also had access to Variable Frequency Drives (VFDs), the electronic devices that determine how much water is being pumped from the source, and at what rate. Controlling these VFDs allows attackers to damage water pipes and distribution systems, overfill holding tanks and water towers – as happened in Muleshoe, TX – or stop the production of drinking water altogether…


Ransom Isn’t The Game

The FBI once more confirmed that these attacks on critical public infrastructure are not commonly used to strong-arm hacked organizations into ransom payments, or even to cause physical harm to the public. Instead, the motivation is to gain a position of power to create widespread fear, insecurity, and disruption in our communities at a later time – one chosen to maximize the benefits for the attackers – or their financiers.

We’ve already seen increased cyber-attacks taking place and causing disruption in the Russia-Ukraine war, including the 2024 power blackouts in Kyiv and disabled remote heating infrastructure in Lviv, as well as the shutdown of sewer systems and internet services in Moscow.

Targets are not only drinking water or electricity. Wastewater pump stations and treatment plants, waste disposal, traffic control, and town management are all on the list of high-value assets worth attacking and compromising.


No Doomsday Needed – Just Disruption of Public Lives

Imagine a day in a random small town in the US, where, all of a sudden, the faucets dry up, wastewater backflows into houses and toilets, lights and fridges are out, air conditioning in summer or heating in winter fails, and Main Street traffic lights stop working, all at once. Widespread confusion, fear, and anxiety would kick in. People’s behavior would deteriorate fast.

Now imagine 200 such towns all over the country, all at the same time. And throw NYC in the mix just because, well, we all know NYC is ALWAYS on top of the list.

It WILL be a bad day. And the seeds are already planted for this to happen. Most of America’s critical infrastructure is managed locally, often by volunteers on small-town supervisory boards. Hired staff are commonly focused on keeping the gears turning, not on defending against threats from overseas.


Not Defenseless, But Immediate Action Is Required

There is plenty of low-hanging fruit to harden our critical infrastructure against this all-too-realistic scenario.

  • Get in touch with your local FBI field office and CISA chapter.
  • Become an InfraGard member to stay informed.
  • Run a simple gap analysis with CISA or a private consultancy.
  • Determine your information, cyber, and business continuity assets.
  • Analyze the risks these assets are subjected to.
  • Define your risk mitigation strategies: avoid, reduce, transfer, accept, share.
  • Implement an Information Security Management System: a set of policies, processes, and resources to proactively protect your assets.

Each of those actions comes at little or no cost to your organization, yet they already have a significant impact on your vulnerability. Because unlike the next town over, you’re already acting on behalf of your community’s security.

Following these steps will open the pathway to further protective measures:

  • Air gapping (physically separating) your Information Technology (like your office environment and customer portal) from your Operational Technology (like your treatment plants and pump houses).
  • Migrating to .gov domains, which are inherently more secure than e.g. .com.
  • Updating your firewall infrastructure.
  • Migrating outdated, vulnerable, but critical legacy software and hardware into virtualized server environments, screened from modern threats with modern tools.
  • Employee training.
  • Supplier security.

Protecting our infrastructure, our businesses, our non-profits, even our personal security is not a one-time “fire and forget” effort. It is an ongoing, ever-evolving, top-priority duty. But it starts one small step at a time.

Organizations like ours – Granite State InfoSec Consulting LLC – are fully committed to helping you along the way, with clear, tangible actions, building the defense one piece at a time.

We are looking forward to guiding you along this path. All you need to do is reach out.

Your Granite State InfoSec Team
