Hacktivists increasingly target industrial control systems, Canada Cyber Centre warns

Security experts have long warned about the dangers of exposing industrial control systems (ICS) to the internet, where they can become easy targets for government-affiliated threat groups and hacktivists. In a new alert urging CISOs to take action, the Canadian government’s Centre for Cyber Security provides recent examples of real-world attacks that impacted operations at a water facility, an oil and gas company, and a farm.

“While individual organizations may not be direct targets of adversaries, they may become victims of opportunity as hacktivists are increasingly exploiting internet-accessible ICS devices to gain media attention, discredit organizations, and undermine Canada’s reputation,” the agency warned this week.

Attacks impacting the water supply

In one incident, hackers gained access to a control system used by a water utility company and tampered with water pressure values, negatively impacting service to customers.

This echoes similar incidents in the US in recent years. In 2023, an Iran-linked hacktivist group known as Cyber Av3ngers took control of an industrial control system belonging to the Municipal Water Authority of Aliquippa in Pennsylvania. The system was similarly used to regulate water pressure, but the intrusion was detected before the water supply was impacted.

In 2021, a hacker used a TeamViewer remote connection to access a control system at a water treatment plant in Oldsmar, Fla. The attacker modified the level of sodium hydroxide, commonly known as lye, added to the water, increasing it by over 100 times. Luckily, the attack was detected and the change was reversed immediately by the plant’s operators. A very similar attack occurred at a water treatment plant serving parts of the San Francisco Bay Area.

Cyberattacks against water utilities in particular have significantly increased over the past year, with hackers affiliated with or showing support for Iran, Russia, and China all demonstrating interest in these systems.

Hacked fuel tank gauges can lead to dangerous situations

In another incident reported by the Canadian Centre for Cyber Security, attackers accessed an internet-exposed automated tank gauge (ATG) belonging to a Canadian oil and gas company and manipulated its values, triggering false alarms.

ATGs are used to monitor fuel level, pressure, and temperature inside fuel tanks. They are also designed to detect potential leaks and trigger countermeasures, and are deployed at gas stations, power plants, airports, and even military bases. Last year, researchers disclosed critical and high-severity vulnerabilities in six ATG models from five manufacturers and noted that more than 6,000 ATGs were directly exposed to the internet without authentication at that time.

Food supply can also be impacted

A third incident noted by the Canadian government agency involved equipment controlling temperature and humidity levels in a grain-drying silo belonging to a Canadian farm. The manipulation of these levels could have resulted in potentially unsafe conditions if it hadn’t been caught in time.

These incidents highlight the variety of organizations, industries, and installations that could be impacted by opportunistic hackers, sometimes with serious potential consequences for human safety and health. The increase in hacktivist activity against ICS also prompted the US Cybersecurity and Infrastructure Security Agency (CISA), along with other government agencies, to issue an alert to operational technology (OT) asset owners last year.

Organizations have a legitimate need to remotely manage and monitor their industrial control systems. However, this should be done through secure and tested methods such as VPNs with multi-factor authentication, rather than by exposing control interfaces directly to the internet. This applies to programmable logic controllers (PLCs), remote terminal units (RTUs), supervisory control and data acquisition (SCADA) systems, human-machine interfaces (HMIs), safety instrumented systems (SIS), building management systems (BMS), and industrial internet of things (IIoT) devices.

“Provincial and territorial governments are encouraged to coordinate with municipalities and organizations within their jurisdictions to ensure all services are properly inventoried, documented, and protected,” the Canadian Centre for Cyber Security said in its alert. “This is especially true for sectors where regulatory oversight does not cover cybersecurity, such as water, food, or manufacturing.”

The agency’s alert contains links to multiple documents with both general and ICS-specific security guidance.
