Hot on the heels of this CISA, FBI, EPA incident response warning, we have a video released showing some menacing music and some HMI manipulation for two US cities. The Cyber Army of Russia is targeting US water facilities. The HMI appears to be exposed via VNC. The user changes all the set points and enables manual operation. You can almost hear the click of limit switches feeding safety PLCs as the pressure builds. Is this the equivalent of an Austrian archduke getting shot?
CISA et al have some simple-to-read yet hard-to-implement common-sense advice on the topic:
- Preparation: WWS Sector organizations should have an incident response plan in place, implement available services and resources to raise their cyber baseline, and engage with the WWS Sector cyber community.
- Detection and analysis: Accurate and timely reporting and rapid collective analysis are essential to understand the full scope and impact of a cyber incident. The guidance provides information on validating an incident, reporting levels, and available technical analysis and support.
- Containment, eradication, and recovery: While WWS Sector utilities are conducting their incident response plan, federal partners are focusing on coordinated messaging and information sharing, and remediation and mitigation assistance.
- Post-incident activities: Evidence retention, using collected incident data, and lessons learned are the overarching elements for a proper analysis of both the incident and how responders handled it.
I have a simpler, more actionable item: Use Agilicus AnyX as a Zero Trust platform to put strong authentication with multi-factor in front of that VNC. No change in operations, but an improvement in cybersecurity and reduction in risk.
Now that we have seen the scary video with the old-school industrial interfaces, the call to action should be more actionable:
- No inbound open ports (an nmap scan or a Shodan search of your address space should show nothing)
- All inbound connectivity should be per resource, not broader (no VPN)
- All inbound authentication should be per person, not broader (no shared accounts)
- Authorisation should be pairwise (person <-> resource)
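The last three items describe one deny-by-default access decision: a named person, with a second factor, holding an explicit grant to exactly one resource. The following is an added example of that decision logic, written for this post and not code from Agilicus or any product; the account names, resource names and the `SHARED_ACCOUNTS` list are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed: generic logins that name a role rather than a person.
# A per-person rule rejects these outright.
SHARED_ACCOUNTS = {"operator", "admin", "hmi", "scada"}


@dataclass(frozen=True)
class Principal:
    user: str            # per-person identity, e.g. "j.smith@utility.example"
    mfa_verified: bool   # second factor completed for this session


def is_shared(user: str) -> bool:
    """True when the login part of the identity is a role account, not a person."""
    return user.split("@")[0].lower() in SHARED_ACCOUNTS


@dataclass
class Policy:
    # Explicit pairwise grants (person, resource). No wildcards: a grant to
    # "*" is the flat-network reach a VPN hands out, which is what we are avoiding.
    grants: set = field(default_factory=set)

    def allow(self, user: str, resource: str) -> None:
        if "*" in (user, resource):
            raise ValueError("wildcard grants are not pairwise")
        if is_shared(user):
            raise ValueError(f"{user} is a shared account, not a person")
        self.grants.add((user, resource))


def decide(policy: Policy, who: Principal, resource: str) -> tuple:
    """Deny by default; each check maps to one of the bullet points above."""
    if is_shared(who.user):
        return (False, "shared account: authentication must be per person")
    if not who.mfa_verified:
        return (False, "second factor not verified")
    if (who.user, resource) not in policy.grants:
        return (False, "no pairwise grant for this person and resource")
    return (True, "allowed")


# Constructed sample policy: one operator, granted one HMI, not the other.
POLICY = Policy()
POLICY.allow("j.smith@utility.example", "vnc-hmi-plant-a")

if __name__ == "__main__":
    for p, r in [(Principal("j.smith@utility.example", True), "vnc-hmi-plant-a"),
                 (Principal("j.smith@utility.example", True), "vnc-hmi-plant-b"),
                 (Principal("operator@utility.example", True), "vnc-hmi-plant-a")]:
        print(p.user, r, decide(POLICY, p, r))
```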