On Tuesday, February 2, a massive trove of usernames and passwords was placed online. The attack is now known as the COMB breach, the Compilation of Many Breaches. These types of attacks have been happening for decades: an attacker gets access to a password repository and then publishes the hack. This by itself is not new, but the scale of this one is. The collection included over 3.2 billion accounts, among them the usernames and passwords of personnel who operate the Oldsmar water plant in Florida. An attacker took notice, used a now publicly available username and password combination, and started tweaking the additives to the county's water in a harmful way.
Just days later, the cyberattack on the Oldsmar, FL water treatment facility over Super Bowl weekend made abundantly clear that stronger authentication into the cyber-physical systems that manage our critical infrastructure is imperative. Our nation's critical infrastructure, especially energy and water, is controlled more and more through SCADA and OT (operational technology) systems that allow remote users to make changes. Sometimes we don't have the time or the know-how to properly lock down these external-facing systems, and a shortcut is often taken when it comes to identifying the people using shared systems. The result is that the way in for bad actors, whether a hacker, an adversarial foreign state or a disgruntled internal employee, is often protected by nothing more than a username and password.
Despite the known vulnerabilities of passwords (we won't rehash all the statistics on how bad they are here), their use is still prevalent throughout electric utilities. NERC CIP regulations do require the use of multifactor authentication (MFA) in certain circumstances, but they also go to great lengths to govern password complexity. Every utility should look at how it can eliminate the use of passwords not only in critical OT systems but in all traditional IT systems as well.
At the end of the day, there are many ways this type of attack might have been avoided. You really need multiple layers protecting your utility, and we're not beyond stating that many security components need to work together as part of a larger whole. One area that would have been a major contributor to deterring this attack, or at least making it that much more difficult, is the outright replacement of passwords with something much stronger.
A word on shared accounts
Although shared accounts give staff a faster way to switch between shifts, access environments and keep track of passwords, this is a poor practice in any environment. You're giving that same ease of use to your attacker. An attacker needs less effort than would be required to target individual accounts, and most of the time compromising one password means gaining entry into various systems. This mindset has to change. They used shared accounts at Oldsmar.
A word on shared passwords
If multiple people use the same account, they all share the same password, possibly across multiple systems, which means more places where it can be captured during weak authentication. Keyloggers, phishing attempts and rogue notes left around the office are all ways that passwords can be stolen, and the more people using a password, the more likely it is to be stolen. Everyone needs their own PIN or password that they've set up for themselves. There's little that can be done in today's world without your own password: the operators have passwords for online banking, e-mail, Amazon, Facebook, Twitter and so on … you get the idea. The concept of each person having one to get into a system should not be a hurdle; get your own. Even better, get something beyond a password, which is vulnerable in many ways. Many knew the password to the shared accounts at Oldsmar.
Password Managers
Password managers sell themselves on the benefit of protecting many different passwords for many different accounts behind a master password and some level of data encryption. You're able to make each password as long as you want and introduce as many special characters as the authenticating application supports. All you're really getting here is the introduction of complexity requirements within the tool itself. All the major problems with passwords remain at the root of this solution, resulting in an identity management tree that just won't hold up.
So what are some of the things utilities and others should be looking at to replace the use of passwords? Let's take a look at some of the alternatives available today as username and password replacements.
One Time Passcodes
One-time passcodes (OTP) are a frequently used and often inexpensive way to comply with rules regarding MFA (multi-factor authentication). They add a layer of authentication that makes a remote-access hack more difficult by using two factors: something you know (username/password) and something you have (typically a mobile phone). OTP can be susceptible to social engineering or man-in-the-middle attacks. The passcodes themselves are easily intercepted or rerouted, and with enough information to determine the sequence, an attacker may even determine the next number. There are many documented cases of hackers who have contacted mobile phone providers in a social engineering attack and had a specific number ported to another phone in order to steal OTPs as well as other important data.
NIST deprecated the use of OTP in 2017 for all government and military functions. If the government is not willing to absorb the risk of OTP, utilities and other critical infrastructure entities shouldn't either.
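To make concrete why an intercepted passcode is the weak point, here is an added example (not code from the original article) of what a time-based OTP is underneath: RFC 4226 HOTP and RFC 6238 TOTP in Go, standard library only, plus the server-side verifier. The secret is the RFC 6238 test vector (ASCII "12345678901234567890"), a constructed value, not a real seed. The verifier accepts one 30-second step of clock skew and refuses to accept a step it has already consumed, so a code captured by a keylogger or phishing page cannot be presented a second time; note that this does nothing against a relay that forwards the code within the same window, which is the man-in-the-middle case the text describes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
// truncation to 31 bits, then reduction to the requested number of decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totp implements RFC 6238 with a 30-second time step and T0 = Unix epoch.
// The code is a pure function of (shared secret, current time): anyone who
// learns the secret, or sees the code during its window, can produce or use it.
func totp(secret []byte, t time.Time, digits int) string {
	return hotp(secret, uint64(t.Unix())/30, digits)
}

// Verifier is the relying-party side. It tolerates one step of clock skew and
// records the newest step it has accepted so that a captured code is single-use.
type Verifier struct {
	secret       []byte
	digits       int
	lastAccepted int64 // time step of the most recent successful check
}

func NewVerifier(secret []byte, digits int) *Verifier {
	return &Verifier{secret: secret, digits: digits, lastAccepted: -1}
}

// Check reports whether code is valid for a step within one of now and that
// step has not already been consumed. Comparison is constant-time.
func (v *Verifier) Check(code string, now time.Time) bool {
	step := now.Unix() / 30
	for _, candidate := range []int64{step - 1, step, step + 1} {
		if candidate <= v.lastAccepted {
			continue // replay of a consumed step, or older than one already used
		}
		expected := hotp(v.secret, uint64(candidate), v.digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastAccepted = candidate
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 Appendix B test secret; constructed for the example, not a real seed.
	secret := []byte("12345678901234567890")
	at := time.Unix(59, 0)
	code := totp(secret, at, 8)
	fmt.Println(code) // 94287082 per RFC 6238
	v := NewVerifier(secret, 8)
	fmt.Println(v.Check(code, at))                      // true: first use
	fmt.Println(v.Check(code, at))                      // false: replay of an intercepted code
	fmt.Println(v.Check(code, at.Add(45*time.Second))) // false: window has passed
}
```

The point for a defender is that nothing in this exchange binds the code to the person or the session: possession of the six or eight digits for a few seconds is the whole factor, which is why the page steers toward credentials that prove possession of a private key instead.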
Hardware Tokens
Hardware tokens provide the something-you-have factor. They are most commonly seen as access cards for building entry but also come in other forms such as a USB key or a fob. With some of these devices you'll have to know the PIN or password you've set up for yourself while also being in possession of the physical token itself. This is a good way to implement multiple factors of authentication within your organization. Requiring physical possession lowers risk, since duplicating the identifying information on the token can be resource intensive and needing the token in hand is sometimes a sufficient hurdle for an attacker. This method does have limitations.
For a determined attacker, or one with unlimited resources available, duplication of some hardware tokens is possible. Some card-based systems, such as those for building access, offer limited protection for the information stored on them. These devices may also be lost or stolen, and if physical possession alone is all that's required for access or entry, that is a big problem. There are ways to improve upon the authentication model that hardware tokens provide. It's best to implement multi-factor authentication and to make sure that what you're storing on the token is of high quality.
Hardware tokens are another form of MFA. By issuing a hardware token, such as a USB key or a fob, an organization can more securely lock down an application, network or other point of digital entry. A hardware token certainly meets the requirements for MFA: you still have to know a PIN or password, and the token itself must be in your physical possession. The possibility of social engineering, man-in-the-middle or other types of attack is much lower than with an OTP; however, security risks are still ever present with a hardware token. A small token can be lost or, worse, stolen rather easily. A token that only requires possession can easily result in a breach.
Certificate Based Authentication over PKI
A good piece of information to encode on a hardware token is a digital certificate. A digital certificate is one of the better ways to identify yourself to services and systems today. You take identifying attributes of an individual and associate them with the digital certificate, which in turn is used to authenticate, validate and authorize access. These digital certificates may also be used to encrypt e-mails and digitally sign documents. They are obtained from a certificate authority within an environment of third-party trust. One thing to keep in mind is that not all certificate authorities are created equal, so you need to keep the issuing organization's practices in mind, and if you're issuing these certificates internally you should audit your own security to identify any risks and mitigate them. These digital certificates may be placed within the secure storage of a device or within special hardware such as the tokens we've mentioned.
Used in combination with other authentication factors, possession of a digital certificate is one of the more secure approaches to authenticating personnel at critical systems.
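The following is an added example, not code from the article or from XTec, showing the two checks a relying party performs when it authenticates a person by certificate: the certificate must chain to a certificate authority the utility trusts, and the holder must prove possession of the matching private key by signing a fresh challenge. It is written in Go with the standard library only. The CA, the operator certificate ("Operator 1234") and the look-alike certificate from an untrusted CA are all constructed in memory for the demo; in a real deployment the CA key would sit in an HSM and the operator's key would never leave the smart card.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) { // used only while constructing the demo trust environment
	if err != nil {
		panic(err)
	}
}

// newKey makes a P-256 key pair in memory (a real CA key sits in an HSM, an operator key on the PIV card).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// issueCert binds subject to the holder's key in a certificate signed by issuerKey; issuer == nil yields a self-signed root CA.
func issueCert(subject pkix.Name, holder *ecdsa.PrivateKey, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if issuer == nil { // root CA: self-signed and permitted to sign other certificates
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		issuer, issuerKey = tmpl, holder
	} else { // end-entity credential, valid only for client authentication
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &holder.PublicKey, issuerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// newChallenge returns a fresh nonce; signing it proves key possession now, so an old signature cannot be replayed.
func newChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// signChallenge is the card-holder side: sign SHA-256(nonce) with the private key.
func signChallenge(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// authenticate is the relying-party side: trust the identity in the certificate only if it
// chains to a trusted root for client authentication AND the nonce signature verifies under its key.
func authenticate(cert *x509.Certificate, roots *x509.CertPool, nonce, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return "", fmt.Errorf("challenge signature does not verify: %w", err)
	}
	return cert.Subject.CommonName, nil
}

// buildScenario constructs the demo: the utility's root CA, an operator credential it issued,
// and a look-alike credential carrying the same name but issued by a CA the utility does not trust.
func buildScenario() (*x509.CertPool, *x509.Certificate, *ecdsa.PrivateKey, *x509.Certificate, *ecdsa.PrivateKey) {
	caKey, opKey, rogueCAKey, rogueKey := newKey(), newKey(), newKey(), newKey()
	caCert := issueCert(pkix.Name{CommonName: "Example Utility Root CA"}, caKey, nil, nil)
	rogueCA := issueCert(pkix.Name{CommonName: "Untrusted CA"}, rogueCAKey, nil, nil)
	operator := pkix.Name{CommonName: "Operator 1234", OrganizationalUnit: []string{"Water Treatment"}}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, issueCert(operator, opKey, caCert, caKey), opKey, issueCert(operator, rogueKey, rogueCA, rogueCAKey), rogueKey
}

func main() {
	roots, opCert, opKey, rogueCert, rogueKey := buildScenario()
	nonce, _ := newChallenge()
	sig, _ := signChallenge(opKey, nonce)
	fmt.Println(authenticate(opCert, roots, nonce, sig)) // Operator 1234 <nil>
	rogueSig, _ := signChallenge(rogueKey, nonce)
	fmt.Println(authenticate(rogueCert, roots, nonce, rogueSig)) // "" certificate not trusted: ...
}
```

Two properties follow directly from this flow and are what the text means by "an environment of trust": a certificate with the right name but from the wrong authority is rejected before its signature is even examined, and a certificate alone, without the card holding the private key, cannot answer the challenge. Revocation checking and PIN verification on the card are part of a production deployment and are deliberately out of scope here.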
A good model that incorporates a physical smart card with the use of a digital certificate issued from an environment of trust is the PIV model. The use of a PIV card in critical infrastructure can secure IT and OT systems as well as physical spaces for any utility with one unified credential. This would allow an organization to move to a passwordless environment across the board, including substation control houses, security operations centers, distributed energy platforms or even customer service and financial systems. The PIV SmartID card can also add a layer of security wherever a personnel badge or swipe card is used. In the most secure areas of a utility, the use of all three factors of authentication adds a layer of security that cannot be matched with other access systems.
For mobile applications, these same credentials can be extended to the user in what is termed a Derived Credential. This allows an employee to use a mobile phone, tablet or laptop in the field without having to use, or necessarily be in possession of, the SmartID card, so an organization can maintain high levels of security while adopting a more mobile and modern workforce.
Our utilities, whether electric, water or gas, are critical to the safe operation of our country. Utilities, power producers and other critical infrastructure organizations should be moving away from shared accounts and implementing one of the solutions listed above. If you're in an area that is deemed critical, you should really only be considering the highest level of security. We need to avoid another Oldsmar-type attack; they are completely preventable.
Danny Vital is the Senior Cybersecurity Engineer for Critical Infrastructure Initiatives with XTec, Inc. For questions, comments or to find out more information, please contact him at [email protected].