Tales From the Road: When the City Library Can Access the SCADA Network, It’s Time to Rebuild
How a cybersecurity roadmap can put you on the road to recovery.
During a client engagement, we uncovered a significant security gap in which the city library network was able to access the city’s municipal SCADA network – a serious issue that would give attackers a field day. Here’s what we did to identify the issue, and how your own municipality can take action to prevent the same.
A large municipality had a hunch that its cybersecurity needed to be improved (the fact that it regularly fell prey to business email compromise (BEC) scams and lost money as a result might have been a dead giveaway), so it hired a new cybersecurity professional to lead its security team.
This cybersecurity professional brought in DirectDefense to perform a comprehensive three-part security assessment of the organization’s networking environment relative to SCADA and IT security:
- Internal (in-network) penetration testing of the SCADA and IT environments
- External (internet-facing) penetration testing
- NIST CSF assessment
Our team assessed several facilities within the municipality, including its water and wastewater utilities, and quickly uncovered a number of security vulnerabilities, one of the biggest being that the city library network provided access to much more than the online card catalog (hello, SCADA network)…
Exposing the Vulnerabilities
DirectDefense used three tests to assess the security of the municipality's IT and SCADA systems:
- Internal Penetration Testing Phase
For the IT side, we kicked off the internal penetration testing phase by providing the municipality with a remote testing device, which they deployed on their internal network to simulate a compromised workstation. From that foothold we ran spoofing attacks on the local network that captured and redirected traffic.
Our consultants were then able to act on the network as an authorized user and eventually gain access to a host. Some of our domain queries using a domain user's credentials generated alerts, but several of our other attacks did not, allowing us to reach users, groups, and domain administrator accounts without being noticed.
For the SCADA side, we were on site and reviewed the SCADA servers and historians locally. We coordinated with the local instrumentation technicians to log into the programmable logic controllers (PLCs).
Vulnerabilities exposed: poor network access controls, enabled legacy protocols, pass-the-hash exposure, and weak passwords.
- External Penetration Testing Phase
During our external penetration test, our consultants identified a remote management interface exposed to the internet through an external web host. If compromised, it would give a malicious actor remote access to the municipality's internal hosts. We also identified other internet-facing services that were potentially unnecessary and only widened the attack surface.
In this case, we were able to use compromised credentials gathered during the internal penetration testing phase to access the network through these exposed remote management services.
Vulnerabilities exposed: weak and default system passwords, single-factor authentication on remote access solutions, and third-party patching issues.
- NIST CSF Interview Phase
During the NIST CSF interviews with IT and SCADA support staff, our biggest finding was a significant lack of network segmentation. It resulted in unnecessary access, such as the library network being able to reach the SCADA network, and created security gaps that a malicious actor could exploit from anywhere in the municipality.
Given this lack of segmentation, an attacker could walk into nearly any municipal building, plug a device into an open network jack, and gain visibility of the entire network. Once inside, the attacker could move laterally throughout the environment, and ransomware could spread from the IT/enterprise network into the OT network and infect SCADA workstations and servers. Without proper segmentation, a breach of this kind could halt operations across the municipality and force manual operation of the water and wastewater treatment plants.
Vulnerabilities exposed: gaps in network segmentation; gaps in IT and SCADA policies, procedures, standards, and guidelines; gaps in continuity of operations plans; and gaps in asset and software inventories.
The Road to Recovery
Although our findings exposed many vulnerabilities, there is a road to recovery, and it starts with a plan. We provided the municipality with a detailed cybersecurity roadmap which included these three strategic, high-priority recommendations:
- Build a cybersecurity program with executive buy-in, business impact analysis, risk management, policy review, and plan of action with milestones
- Rearchitect the network for the entire municipality, which would create critical segmentation of the SCADA networks and other departments
- Adopt monitoring software capable of detecting and alerting abnormalities or unusual traffic on the IT or SCADA networks
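The library-to-SCADA path described in the interview findings and the monitoring recommendation in the roadmap both reduce to one question: which zones are allowed to talk to the OT network, and on which ports? The following Python script is an added example (not DirectDefense's tooling and not the municipality's configuration). It encodes a segmentation allowlist and evaluates flow records against it, flagging anything that crosses into the SCADA zones without a permitted path. The zone names, subnets, industrial protocol ports, and the flow records are all assumptions constructed for the example.

```python
"""Segmentation-policy check over flow records.

Added example, not DirectDefense's tooling: the zones, subnets, ports and flow
records are constructed for illustration. The policy encodes the intent of the
roadmap: only the SCADA engineering zone may talk to controllers, the enterprise
network gets read-only access to the historian, and nothing else crosses into OT.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed zone map (assumption: real values come from the network design).
ZONES = {
    "library":       ipaddress.ip_network("10.40.0.0/16"),
    "enterprise":    ipaddress.ip_network("10.10.0.0/16"),
    "scada_eng":     ipaddress.ip_network("10.200.1.0/24"),  # engineering workstations, historians
    "scada_control": ipaddress.ip_network("10.200.2.0/24"),  # PLCs / RTUs
}

# Industrial protocol ports the plants are assumed to use (assumption).
OT_PORTS = {502: "modbus", 20000: "dnp3", 44818: "enip"}

# Allowlist: (source zone, destination zone) -> permitted destination ports.
# Any cross-zone flow into a scada_* zone that is not listed here is a violation.
POLICY = {
    ("scada_eng", "scada_control"): set(OT_PORTS),  # engineering/historian polling the PLCs
    ("scada_control", "scada_eng"): {1883},         # assumption: telemetry pushed to the historian
    ("enterprise", "scada_eng"):    {443},          # read-only historian dashboards only
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def zone_of(ip):
    """Name of the zone an address belongs to, or 'unknown' if it is unregistered."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse a constructed record: '<time> <src> <dst> <proto> <dport> <bytes>'."""
    ts, src, dst, proto, dport, _nbytes = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport))


def evaluate(flow):
    """Return None if the flow is permitted, otherwise a short reason string."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if not dz.startswith("scada_") or sz == dz:
        return None  # only cross-zone traffic into OT is policed here
    allowed = POLICY.get((sz, dz))
    if allowed is None:
        return f"{sz} -> {dz}: no path permitted"
    if flow.dport not in allowed:
        return f"{sz} -> {dz}: port {flow.dport} not permitted"
    return None


def find_violations(lines):
    """Parse records and return (flow, reason) for every violation, in input order."""
    out = []
    for flow in map(parse_flow, lines):
        reason = evaluate(flow)
        if reason:
            out.append((flow, reason))
    return out


def violations_by_source_zone(violations):
    """Count violations per originating zone: which part of the city is reaching into OT."""
    return dict(Counter(zone_of(flow.src) for flow, _ in violations))


# Constructed flow records: "time src dst proto dport bytes".
SAMPLE_FLOWS = [
    "09:01:03 10.200.1.5   10.200.2.15 tcp 502   1840",   # engineering workstation polling a PLC: allowed
    "09:01:07 10.10.5.20   10.200.1.10 tcp 443   9120",   # enterprise user viewing the historian: allowed
    "09:01:11 10.40.12.7   10.200.2.15 tcp 502   220",    # library host reaching a PLC: violation
    "09:01:15 10.10.5.20   10.200.1.10 tcp 445   48300",  # SMB from enterprise into SCADA: ransomware path
    "09:01:20 10.40.12.7   8.8.8.8     udp 53    110",    # library to internet: not OT-bound, ignored
    "09:01:33 192.168.77.3 10.200.2.40 tcp 20000 300",    # unregistered address (open jack) hitting DNP3
]

if __name__ == "__main__":
    found = find_violations(SAMPLE_FLOWS)
    for flow, reason in found:
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}  {reason}")
    print("by source zone:", violations_by_source_zone(found))
```

The same policy table serves two purposes: a passive check over flow or firewall logs (the monitoring recommendation) and a review of the proposed firewall rules before the rearchitecture is signed off. Source addresses that fall outside every registered zone (a device on an unmanaged jack, a forgotten VLAN) are reported as "unknown" and denied by default rather than ignored, which is the case that an open-jack attacker creates.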
Four Steps to Avoiding a Cybersecurity Breach
No doubt, our client has their work cut out for them. Whether or not you are dealing with an outdated SCADA system, every organization wants to avoid a breach. Taking these four steps will move you toward a tighter security posture regardless of the type of network environment you manage:
- Conduct an annual assessment of both your internal and external networks
- Have an incident response plan in place to ensure everyone in the organization understands their roles and responsibilities in the event of a breach
- Have continuity of operations plans in place so the organization can keep operating as effectively as possible until its systems are restored
- Have a third party review your compliance efforts, even if you can self-assess, so you are ready in the event of an attack
Contact Us Today!
Take stock of how secure your organization is from malicious attackers. Set up a security consultation or call us at 1 888 720 4633.