The Environmental Protection Agency and cyber security authorities yesterday issued a stark warning: Iranian cyber actors are actively conducting a targeting campaign against programmable logic controllers in U.S. water and wastewater systems. This isn’t a theoretical exercise. These threat actors are exploiting exposed networks to reach Rockwell PLCs, abusing weak or default passwords, and taking control of the very systems that keep our drinking water safe.
The specific devices under attack:
- Rockwell Automation CompactLogix 5370 Series (1769-L series including L16ER, L18ER, L19ER, L24ER, L30ER, L33ER, L36ERM variants)
- Rockwell Automation Micro850 Series (2080-L50E variants)
For facility operators, this is a wake-up call. The methods these attackers use highlight a fundamental flaw in how many utilities approach remote access and network security. Relying on a hardened perimeter while leaving the soft underbelly of the network exposed is a recipe for disaster. It is time to seriously re-evaluate how we implement defence in depth.
The threat of lateral traversal
Advanced persistent threats rarely break through the front door of your most secure facility. Instead, they look for the path of least resistance. This is often an unlocked window in an adjacent, less-secure network. This technique is known as lateral traversal.
An attacker might compromise a third-party vendor’s laptop or find a vulnerability in a secondary IT system. Once inside that adjacent network, they pivot. If your architecture relies on traditional virtual private networks, that compromised laptop suddenly has a direct bridge into your operational technology environment. The attacker can quietly scan the subnet, discover legacy devices, and move laterally until they find a critical system they can manipulate. As we have seen with the recent alerts from CISA regarding targeted water facilities, the results can be devastating.
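The subnet sweep described above leaves a recognisable trace in perimeter and east-west firewall logs: one source touching many OT hosts on an industrial protocol port in a short window. The following added example (not part of the original article, and not code from any vendor) runs that detection over constructed sample log lines. The log format, the VPN client address 10.8.0.15, the OT subnet 192.168.50.0/24 and the port watchlist are assumptions for the demonstration; 44818/tcp is the EtherNet/IP port used by Rockwell controllers and 502/tcp is Modbus/TCP.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not taken from any real system).
# A VPN client address (10.8.0.15) sweeps the OT subnet on EtherNet/IP, while an
# engineering workstation (192.168.50.10) talks to its single usual PLC.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z src=192.168.50.10 dst=192.168.50.3 dport=44818 proto=tcp action=allow
2024-06-01T10:00:02Z src=10.8.0.15 dst=192.168.50.1 dport=44818 proto=tcp action=deny
2024-06-01T10:00:02Z src=10.8.0.15 dst=192.168.50.2 dport=44818 proto=tcp action=deny
2024-06-01T10:00:03Z src=10.8.0.15 dst=192.168.50.3 dport=44818 proto=tcp action=allow
2024-06-01T10:00:03Z src=10.8.0.15 dst=192.168.50.4 dport=44818 proto=tcp action=deny
2024-06-01T10:00:04Z src=10.8.0.15 dst=192.168.50.5 dport=44818 proto=tcp action=deny
2024-06-01T10:00:05Z src=10.8.0.15 dst=192.168.50.6 dport=44818 proto=tcp action=deny
2024-06-01T10:00:30Z src=192.168.50.10 dst=192.168.50.3 dport=44818 proto=tcp action=allow
2024-06-01T10:05:00Z src=10.8.0.15 dst=192.168.50.7 dport=44818 proto=tcp action=deny
"""

# Hypothetical watchlist of industrial protocol ports: 44818 EtherNet/IP,
# 2222 EtherNet/IP implicit messaging, 502 Modbus/TCP.
ICS_PORTS = {44818, 2222, 502}

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)"
)


def parse_line(line):
    """Parse one key=value firewall line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def detect_ics_sweeps(log_text, window=timedelta(seconds=60), min_targets=5):
    """Return one (src, first_ts, sorted_targets) alert per source that touched at
    least `min_targets` distinct hosts on ICS ports within a sliding `window`.
    Denied and allowed hits both count: a sweep is about breadth, not success."""
    events = defaultdict(list)  # src -> [(ts, dst)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] in ICS_PORTS:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    alerts = []
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until hits[start..end] fit in `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                alerts.append((src, hits[start][0], sorted(targets)))
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for src, ts, targets in detect_ics_sweeps(SAMPLE_LOG):
        print(f"[ALERT] {src} swept {len(targets)} ICS hosts from {ts.isoformat()}: {targets}")
```

On the sample data the VPN client is flagged after five distinct targets inside one minute, while the workstation's repeated connections to a single PLC are not. The threshold and window are tuning knobs; a real deployment would also enrich the source address with the VPN session's user identity so the alert names a person, not just an address.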
Rebuilding defence in depth
True defence in depth for critical infrastructure requires moving away from the illusion of the perimeter. We must protect the individual resources themselves, assuming the network is already hostile. This requires a fundamental shift in three key areas.
The requirement for strong identity
A password is not an identity. The fact that nation-state actors are successfully exploiting default passwords on industrial controllers proves that shared credentials and simple passwords are an unacceptable risk. We must cryptographically verify exactly who is requesting access before a connection is ever established.
This means implementing multi-factor authentication universally, even for legacy systems that don’t natively support it. Every operator, contractor, and engineer must be authenticated through a unified identity provider using strong factors, ensuring that a compromised password alone is useless to an attacker.
The requirement for fine-grained authorisation
Once we know exactly who a user is, we must rigorously control what they are allowed to do. Broad network access is the enabler of lateral traversal. If a pump technician only needs to view a specific interface, they should not be granted access to the entire subnet.
Authorisation must be pairwise. This means creating a specific, isolated connection between the verified person and the single resource they are authorised to use. By enforcing fine-grained authorisation at the application layer, we ensure that even if a user’s device is compromised, the blast radius is contained entirely to that single application.
The requirement for segmentation
Flat networks are a playground for threat actors. We must isolate critical cyber assets from the public internet and from each other. However, traditional network segmentation using firewalls and virtual local area networks is notoriously complex to manage and prone to configuration errors.
Modern segmentation means eliminating inbound open ports entirely. Your infrastructure should be completely invisible to automated scanners like Shodan. By using outbound-only connections to an identity-aware proxy, we can segment the network without leaving any listening service for an attacker to reach. As we detail in our analysis of why traditional VPNs fail compliance standards, removing the attack surface is far more effective than trying to patch it.
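The three requirements above (strong identity, pairwise authorisation, and outbound-only segmentation) combine into one access-decision model. The following added example, which is not code from the original article or from any product, models that decision logic in Python. The identities, resource names, the MFA flag and the registration step are assumptions for the demonstration; a real identity-aware proxy would take the MFA assertion from an identity provider and run the resource-side connector as a separate process that dials out.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """What the identity provider asserts about the session (assumed shape)."""
    subject: str        # unique, non-shared identifier, never a plain password
    mfa_verified: bool  # a strong second factor was presented for this session


@dataclass
class Resource:
    """One OT resource (e.g. a pump-station HMI) behind the proxy."""
    name: str
    internal_address: str   # OT-side address; never revealed to the user side
    connected: bool = False  # becomes True only when the resource dials out


class IdentityAwareProxy:
    """Brokers pairwise user->resource sessions. Nothing listens on the OT side:
    resources register by connecting outward, and users are matched to exactly
    one named resource, never to a subnet."""

    def __init__(self):
        self.resources = {}
        self.grants = defaultdict(set)  # subject -> {resource names}
        self.audit = []                 # (subject, resource, allowed, reason)

    def register_resource(self, res):
        """Called when the connector beside the resource dials OUT to the proxy."""
        res.connected = True
        self.resources[res.name] = res

    def grant(self, subject, resource_name):
        """Pairwise grant: one verified person to one named resource."""
        self.grants[subject].add(resource_name)

    def request_access(self, ident, target):
        allowed, reason = self._evaluate(ident, target)
        self.audit.append((ident.subject, target, allowed, reason))
        return allowed, reason

    def _evaluate(self, ident, target):
        # 1. Strong identity: a session without MFA is rejected before any lookup.
        if not ident.mfa_verified:
            return False, "mfa_required"
        # 2. Segmentation: only resources that dialled out exist; a subnet or an
        #    address is not a resource, so it cannot be requested at all.
        res = self.resources.get(target)
        if res is None or not res.connected:
            return False, "no_such_resource"
        # 3. Pairwise authorisation: the grant must name this exact resource.
        if target not in self.grants.get(ident.subject, ()):
            return False, "not_authorised"
        return True, f"session {ident.subject} -> {res.name}"


def build_demo_proxy():
    """Constructed scenario: one technician granted one HMI, two resources online."""
    proxy = IdentityAwareProxy()
    proxy.register_resource(Resource("pump-station-3-hmi", "192.168.50.3"))
    proxy.register_resource(Resource("chlorination-plc", "192.168.50.12"))
    proxy.grant("tech-ana", "pump-station-3-hmi")
    return proxy


def run_demo():
    """Return the audit trail for a handful of representative requests."""
    proxy = build_demo_proxy()
    ana = Identity("tech-ana", mfa_verified=True)
    ana_no_mfa = Identity("tech-ana", mfa_verified=False)
    contractor = Identity("vendor-bob", mfa_verified=True)

    proxy.request_access(ana, "pump-station-3-hmi")      # allowed: pairwise grant
    proxy.request_access(ana, "chlorination-plc")        # denied: no grant
    proxy.request_access(ana_no_mfa, "pump-station-3-hmi")  # denied: no MFA
    proxy.request_access(contractor, "192.168.50.0/24")  # denied: subnets are not resources
    proxy.request_access(contractor, "192.168.50.3")     # denied: addresses are not resources
    return proxy.audit


if __name__ == "__main__":
    for subject, target, allowed, reason in run_demo():
        print(f"{subject:10} -> {target:20} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The point of the model is the order of the checks: identity is settled first, the resource must already have connected outward before it is even addressable, and the grant is evaluated against a named application rather than an address range. A compromised device with a valid password still fails at step one, and a verified user still cannot enumerate or reach anything beyond the single resource in their grant.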
Securing the future of water infrastructure
The campaign against our water systems is a stark reminder that legacy security models are no longer sufficient. We cannot bolt security onto the outside of our operational technology and hope it holds. We must build it into the very fabric of how users access these systems.
By enforcing strong identity, implementing fine-grained authorisation, and ensuring strict segmentation without inbound ports, we can stop lateral traversal in its tracks and protect our critical infrastructure from the next wave of attacks.
Don’t wait for an incident response warning to upgrade your security. Contact us today. We are the experts in cyber defence for water critical infrastructure, and we can help you implement a zero trust architecture that fundamentally reduces your risk without disrupting your daily operations.
