The Cybersecurity and Infrastructure Security Agency (CISA) has once again raised alarms about the ongoing exploitation of operational technology (OT) and industrial control systems (ICS) across critical infrastructure sectors.
The warning comes amid an active investigation into a cybersecurity incident at the City of Arkansas City's Water Treatment Facility, which was targeted early on Sunday, 22 September 2024.
While the City of Arkansas City has reassured residents that its water supply remains safe and operations continue uninterrupted, the incident shines a light on the fact that malicious actors are targeting vital OT/ICS systems using relatively unsophisticated methods.
Unsophisticated Attacks Still a Major Threat
In its recent advisory, CISA detailed how attackers are capitalizing on exposed and vulnerable OT/ICS systems, particularly in the Water and Wastewater Systems (WWS) sector. The simplicity of these attacks is what makes them so concerning.
Systems that fail to implement fundamental security measures—such as changing default credentials and restricting internet access—are prime targets for bad actors.
CISA’s warning is the latest in a series of alerts concerning the vulnerability of OT/ICS systems. As the technology running critical infrastructure becomes more interconnected, it remains a high-value target for threat actors.
According to the agency, malefactors are exploiting internet-accessible devices using default credentials, brute force attacks, and other basic techniques, often with severe consequences.
Arkansas Incident Underscores Broader Risk
In the case of the Arkansas Water Treatment Facility, City Manager Randy Frazer emphasized that there was no impact on water quality or service disruption. As a precaution, the plant switched to manual operations, and enhanced security measures have been implemented.
Although no immediate damage was reported, cybersecurity experts warn that this incident could be a precursor to more serious attacks. Water treatment facilities, often under-resourced in cybersecurity defenses, are attractive targets for attackers looking to cause widespread panic or extort municipalities.
CISA’s Call to Action for OT/ICS Operators
CISA has urged operators in critical infrastructure sectors to follow best practices outlined in its report, Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity. Recommendations include securing OT/ICS systems by changing default credentials, patching vulnerabilities, and segmenting critical devices behind firewalls.
CISA also stressed the importance of adhering to secure-by-design principles, ensuring that security is baked into the architecture of critical systems rather than being an afterthought.
To further assist operators, CISA has made available its Cross-Sector Cybersecurity Performance Goals, offering guidance on how to protect against the most common and impactful cyber threats.
Expert Commentary: Emphasizing Practicality and Efficiency
Evan Dornbush, a former NSA cybersecurity expert, weighed in on the practicality of CISA’s recommendations.
“CISA’s guidance of recommended practices may be ideal for defenders who are well-staffed or are perhaps building out new networks. But for established OT/ICS operators, the reality of changing default passwords, patching, and moving HMI devices behind firewalls or hardened VNC can be laborious,” said Dornbush.
Instead, he advocates for a more streamlined approach: “Keeping with the defense-in-depth philosophy, it may be more efficient for operators to add a network detection capability to their existing infrastructure. Using modern advancements in computation, the market is full of quality options for those looking to glean intelligence from their network data.”
Additionally, subscribing to a cyber threat intelligence platform can be a low-effort way for operators to stay ahead of known exploited vulnerabilities (KEVs), guiding their efforts to protect the most critical aspects of their infrastructure.
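The network detection capability Dornbush describes, and the default-credential and brute-force activity CISA warns about, can be illustrated with a small log analyser. The following is an added example written for this page, not code from CISA, the article's author or any vendor; the log format, hostnames, thresholds and the 203.0.113.0/24 source (an IANA documentation range standing in for an internet address) are all constructed assumptions. It reads authentication events from an HMI/VNC gateway, flags a burst of failures from one source, flags a success that follows such a burst, and flags any successful login to an OT device from outside the plant's RFC 1918 address space, which is the exposure CISA's advisory targets.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article or any real facility):
# syslog-style authentication events emitted by an assumed HMI/VNC gateway.
SAMPLE_LOG = """\
2024-09-22T03:10:01Z hmi-gw vnc auth-fail src=203.0.113.45 user=admin
2024-09-22T03:10:03Z hmi-gw vnc auth-fail src=203.0.113.45 user=admin
2024-09-22T03:10:04Z hmi-gw vnc auth-fail src=203.0.113.45 user=operator
2024-09-22T03:10:06Z hmi-gw vnc auth-fail src=203.0.113.45 user=admin
2024-09-22T03:10:08Z hmi-gw vnc auth-fail src=203.0.113.45 user=root
2024-09-22T03:10:09Z hmi-gw vnc auth-ok src=203.0.113.45 user=admin
2024-09-22T03:15:00Z hmi-gw vnc auth-ok src=10.20.5.7 user=operator
2024-09-22T03:40:00Z hmi-gw vnc auth-fail src=10.20.5.9 user=operator
2024-09-22T03:41:00Z hmi-gw vnc auth-ok src=10.20.5.9 user=operator
"""

# Assumed line layout: "<timestamp> <host> <service> <event> src=<ip> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>\S+) (?P<event>auth-ok|auth-fail) "
    r"src=(?P<src>\S+) user=(?P<user>\S+)$"
)

# Assumed thresholds; tune to the environment.
BRUTE_FORCE_THRESHOLD = 5                    # failures from one source ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)   # ... within this sliding window

# Plant-internal address space (RFC 1918). Anything else is treated as
# "internet-facing" for the purpose of the exposure rule.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def analyze(log_text):
    """Return a list of (rule, source_ip, timestamp) alerts in event order."""
    events = [e for e in (parse_line(raw) for raw in log_text.splitlines()) if e]
    alerts = []
    failures = defaultdict(list)   # src -> timestamps of recent auth failures

    for ev in sorted(events, key=lambda e: e["ts"]):
        src, now = ev["src"], ev["ts"]
        # Keep only failures that fall inside the sliding window.
        failures[src] = [t for t in failures[src] if now - t <= BRUTE_FORCE_WINDOW]

        if ev["event"] == "auth-fail":
            failures[src].append(now)
            # Fire exactly once when the threshold is crossed.
            if len(failures[src]) == BRUTE_FORCE_THRESHOLD:
                alerts.append(("brute_force", str(src), now))
        else:  # auth-ok
            if len(failures[src]) >= BRUTE_FORCE_THRESHOLD:
                alerts.append(("success_after_brute_force", str(src), now))
            if not is_internal(src):
                alerts.append(("login_from_internet", str(src), now))
    return alerts


if __name__ == "__main__":
    for rule, src, ts in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule:<26} src={src}")
```

On the constructed sample the analyser raises three alerts, all for 203.0.113.45: the fifth failure within a minute, the successful login that immediately follows it, and the fact that the success came from outside the plant's internal ranges. The internal operator who mistyped a password once at 03:40 raises nothing, which is the point of the windowed threshold.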
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.