The customer is a Southeastern US municipal water authority with a fairly common networking environment. The OT network is flat, so breaching any one location would provide open access to the whole network. Connectivity to distributed assets uses multiple methods, including cellular, fiber, and microwave radios. Many of the unmanaged OT assets are exposed, with only simple fencing and gate/door locks as physical protection. The city serves 6,000 residential customers with a primary water treatment plant and roughly two dozen connected conveyance system assets spread over 200 square miles.
The Cybersecurity Challenge
Protecting unmanaged, essential distributed water assets is challenging. The difficulty is compounded by asset location and the time it takes to ‘roll a truck’. Threat vectors of concern include not only remote attackers but also “known good” vendors and system integrators who routinely connect to the network for normal and customary maintenance and monitoring. These physical-connection threats are the focus of this exercise.
The Red Team exercises simulated a physical breach in which the team gained access to the network via a physical connection at a control panel at two of the unmanaged locations. At the first location, the attacker obtained an IP address and used an IP scanning tool to identify other devices on the flat network and attempt access to additional resources. At the second location, the attacker connected silently and listened passively to identify other devices before attempting access to additional resources. In both cases, the Red Team activities also included attempted access to internal web-based portals and other network devices and/or PLCs.
PacketViper’s agentless OTR solution was deployed as a ruggedized appliance configured inline as an undetectable bridge at three unmanaged locations. Centralized management of the remote appliances was set up on the unit at the water treatment plant. Sensors and proprietary deception-based threat detection tools were configured to detect anomalies outside normal traffic conditions, such as the expected PLC/HMI communications. An anomaly triggers the solution to automatically create a blocking rule and issue an alert.
The attacker will fail to identify and access the network and operators will be alerted
Automated containment of threats inserted onto the network
Automatic, real-time cross-site synchronization of blocking rules created upon detecting anomalous behavior
Maintain secured 2-way communications with the OT assets
The outcome was a success. Once on the network, the Red Team was unable to gain scanning visibility into the rest of the network. In both cases the threat could not move within the network, due to an automated containment response directed by the solution alone, without orchestration with any other technology. Upon detecting the threat, the blocking rule was pushed to all of the locations involved to ensure the threat was contained. An alert was also sent to the operators, notifying them of anomalous behavior within the network.
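The mechanism described in the deployment and outcome above, as an added illustration that is not PacketViper's code or configuration: a baseline of expected PLC/HMI flows, a set of decoy addresses that no legitimate device ever contacts, a fan-out threshold that flags a scanner, and a block rule that is pushed to every site the moment one site detects the anomaly. All addresses, site names, the log line format and the threshold are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Expected PLC/HMI conversations on the flat segment (constructed baseline, not a real site).
BASELINE_FLOWS = {
    ("10.20.1.10", "10.20.1.50", 502),   # plant HMI -> lift-station PLC, Modbus/TCP
    ("10.20.1.50", "10.20.1.10", 502),   # PLC reply path
    ("10.20.1.10", "10.20.1.51", 502),   # plant HMI -> tank-site PLC
}
# Unused addresses that no legitimate device talks to; any contact is a deception hit.
DECOY_HOSTS = {"10.20.1.77", "10.20.1.78"}
# Distinct destinations seen from one source before it is treated as a scanner (assumed value).
SCAN_FANOUT = 4
# The three bridged locations plus the plant; a rule created anywhere is replicated to all.
SITES = ("plant", "lift_station", "tank_site")

LOG_RE = re.compile(r"site=(\S+) src=(\S+) dst=(\S+) dport=(\d+)")


@dataclass
class Fleet:
    """Per-site block lists, the alert log, and per-source destination fan-out."""
    blocked: dict = field(default_factory=lambda: {s: set() for s in SITES})
    alerts: list = field(default_factory=list)
    fanout: dict = field(default_factory=lambda: defaultdict(set))

    def is_blocked(self, site, src):
        return src in self.blocked[site]

    def block_everywhere(self, src, reason):
        # Cross-site synchronization: the rule lands on every appliance, not just the detecting one.
        for site in SITES:
            self.blocked[site].add(src)
        self.alerts.append(f"BLOCK {src}: {reason}")


def parse_line(line):
    """Extract (site, src, dst, dport) from one constructed flow log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    site, src, dst, dport = m.groups()
    return site, src, dst, int(dport)


def evaluate(fleet, site, src, dst, dport):
    """Verdict for one flow: 'baseline', 'dropped', 'alert' or 'block'."""
    if fleet.is_blocked(site, src):
        return "dropped"                      # already contained, silently discarded
    if (src, dst, dport) in BASELINE_FLOWS:
        return "baseline"                     # normal PLC/HMI traffic passes untouched
    if dst in DECOY_HOSTS:
        fleet.block_everywhere(src, f"touched decoy {dst} at {site}")
        return "block"
    fleet.fanout[src].add(dst)
    if len(fleet.fanout[src]) >= SCAN_FANOUT:
        fleet.block_everywhere(src, f"scanned {len(fleet.fanout[src])} hosts from {site}")
        return "block"
    fleet.alerts.append(f"ALERT {src}->{dst}:{dport} at {site} outside baseline")
    return "alert"


def run(lines):
    """Replay a log through a fresh fleet; returns the fleet state and per-line verdicts."""
    fleet = Fleet()
    verdicts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        verdicts.append(evaluate(fleet, *parsed))
    return fleet, verdicts


# Constructed sample: normal polling, a laptop plugged in at the lift station that sweeps
# the subnet, the same laptop retried at the tank site, then a second device hitting a decoy.
SAMPLE_LOG = [
    "t=1 site=plant src=10.20.1.10 dst=10.20.1.50 dport=502",
    "t=2 site=lift_station src=10.20.1.50 dst=10.20.1.10 dport=502",
    "t=3 site=lift_station src=10.20.1.200 dst=10.20.1.1 dport=80",
    "t=4 site=lift_station src=10.20.1.200 dst=10.20.1.2 dport=80",
    "t=5 site=lift_station src=10.20.1.200 dst=10.20.1.3 dport=80",
    "t=6 site=lift_station src=10.20.1.200 dst=10.20.1.4 dport=80",
    "t=7 site=lift_station src=10.20.1.200 dst=10.20.1.50 dport=502",
    "t=8 site=tank_site src=10.20.1.200 dst=10.20.1.51 dport=502",
    "t=9 site=plant src=10.20.1.10 dst=10.20.1.51 dport=502",
    "t=10 site=tank_site src=10.20.1.201 dst=10.20.1.77 dport=443",
]

if __name__ == "__main__":
    fleet, verdicts = run(SAMPLE_LOG)
    for verdict, line in zip(verdicts, SAMPLE_LOG):
        print(f"{verdict:9} {line}")
    print(*fleet.alerts, sep="\n")
```

Line t=8 is the point the case study makes: the laptop was detected at the lift station, but its first packet at the tank site is dropped without any new alert because the rule was already replicated there. The decoy path on t=10 shows why a passive listener that eventually touches anything is still caught even without a scan signature.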