Cyberattack On Pennsylvania Water Facility Demonstrates Need For Device-Level Security

By Sagi Berco

Recently, the Municipal Water Authority of Aliquippa, Pennsylvania, suffered a cyberattack targeting its industrial control devices, and more specifically its programmable logic controllers (PLCs) and human machine interface (HMI). The actors behind the attack obtained login credentials, likely through stolen passwords, and used this access to gain control over the facility devices. Fortunately, their efforts did not prove successful. However, had they succeeded, the attackers would have had the ability to manipulate the configuration of equipment responsible for regulating water pressure and distribution.

Today, multiple technicians share passwords across a number of PLCs at a single site. This means that creating and managing new stronger passwords presents difficulties. In addition, multi-factor authentication (MFA) and advanced security policies only apply to newer PLC models, with long deployment timelines. This leaves legacy systems exposed, while disconnecting older PLCs from networks hampers the operations manageability.

In a recent report, the United States Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with additional parties such as the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Environmental Protection Agency (EPA), offered specific recommendations on securing critical systems like those attacked in Aliquippa. Their advice focuses on MFA for network access, firewalls, VPNs, and backups of PLC logic and configurations. While the CISA recommendations are important and can be helpful, these steps still leave the PLC devices themselves vulnerable to attacks.

Comprehensive protection at the device level, including PLCs themselves, bridges this gap. It's imperative to apply zero-trust security measures directly to OT devices, such as PLCs. Extending the scope of CISA guidelines to cover devices, not just networks, by implementing access control and MFA directly on individual PLCs can prevent unauthorized changes, even when login details are compromised.

Another important aspect is providing traceability to operations teams through audit trails, offering visibility into all actions taken on any protected devices. Lastly, performing backups of logic and configurations of PLC devices is essential, as recommended in the CISA report.

By recognizing device level (level one PLC) protection as the most vital component at risk, water facilities, along with any other critical infrastructure sites, can implement impenetrable safeguards at the source, no matter the attack vector. As threats evolve, isolated device-level protections provide robust frontline defenses for keeping critical water infrastructure operations protected, and employees safe.

Sagi Berco, CTO of NanoLock Security, has more than 20 years of experience in cybersecurity and technology management. Previously, Sagi worked in the Israeli Prime Minister’s Office and took part in the development of groundbreaking systems and projects that were awarded the Israel Defense Prize. www.nanolocksec.com