American Water rinsed in cyber attack, turns off app

American Water, which supplies over 14 million people in the US and numerous military bases, has stopped issuing bills and has taken its MyWater app offline while it investigates a cyber attack on its systems. On Thursday, the dihydrogen monoxide business, which claims to be the US's largest regulated water provider, spotted …

  1. jake Silver badge

    It's 2024 ...

    ... and STILL there are idiots who think connecting SCADA to publicly accessible networks is a good idea.

    The mind absolutely boggles.

    1. IGotOut Silver badge

      Re: It's 2024 ...

      This is nothing to do with SCADA. It's customer billing, you know, the public-facing side.

      1. jake Silver badge

        Re: It's 2024 ...

        Did you bother to read the article? Did you see this sentence:

        "The company currently believes that none of its water or wastewater facilities or operations have been negatively impacted by this incident."

        If those systems were properly airgapped, they would KNOW that they hadn't been compromised.

        Also, take in the final four paragraphs.

        1. Richard 12 Silver badge

          Re: It's 2024 ...

          Weeeelll, just because they're airgapped doesn't mean they're safe.

          If a technician's laptop has been compromised it could be uploading who-knows-what to every PLC it connects to. Previous nation-state attacks have used exactly that technique to do things like damage centrifuges.

          So it makes sense to work on the assumption that could have happened, even if there's no evidence of that yet.

          1. Claptrap314 Silver badge

            Re: It's 2024 ...

            I am getting SO VERY TIRED of hearing this nonsense. There were many, MANY warnings about bridging air gaps BEFORE Stuxnet. And if you have actual grey hairs, you will know that we had massive boot sector infectors LONG before most computers were networked at all.

            NO ONE is saying that air gapping makes a system secure. Get over yourself.

            What we ARE saying is that if you don't air gap, you're not actually trying.

            1. jake Silver badge

              Re: It's 2024 ...

              Also note the word "properly" in mine ... if it's accessible via sneakernet without permission, in my mind it's not properly airgapped.

          2. collinsl Silver badge

            Re: It's 2024 ...

            Right, but unless that malware is either self-starting (in which case it'll become immediately obvious that something is wrong) or you can get a trigger into the airgap later (relying on continuous access to the compromised device, and that device then reconnecting to somewhere to trigger the planned actions) then it's functionally useless as you can't get a trigger signal in to it or data out from it.

            1. Nick Ryan

              Re: It's 2024 ...

              In this instance it reads that the water co had some segregation between operations and billing. However, the article does highlight where some moronic suppliers have blindly connected their operational systems to wider area networks and were hacked as a result.

              This does not mean that every damn PLC needs to be secured with costly and bloated software, which then requires continual updates, just that there is a very hard distinction made between insecure devices and networks and wider area networks. Security is always a balance between security, convenience and cost.

              The usual analogy for this is the doors in one's house. We secure the doors that connect with the outside with (hopefully) decent locks. We don't bother to do the same on internal doors as that is rather disruptive. Some of us will have additionally locked units, such as safes or cabinets, in which we keep more valuable items, which is a neat demonstration of additional security when we need it. Unfortunately, should a clueless lackwit get involved in this scenario and decide that the exterior doors are annoying and instead just knock a hole in the wall so they can easily walk in and out without bothering with a key, the entire security gets degraded significantly. This is exactly what happens when a clueless lackwit connects a private operational network directly to an insecure one.
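              The "hard distinction" between the operational network and everything else is usually enforced as a zone model with a DMZ in the middle: OT talks only to the DMZ, the DMZ brokers to corporate, and nothing crosses straight from corporate or the internet into OT. The checker below is an added example, not code from this commenter or from American Water; the zone names, the allowed-flow table and the sample rule list are all constructed, and it flags any allow rule that is the "hole in the wall" of the analogy.

```python
"""Audit a zone-to-zone firewall rule list against a simple OT segmentation
policy. Hypothetical checker written for this thread; zone names, the
allowed-flow table and the sample rules are all constructed."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Zones, ordered from most trusted (operational) to least (public).
ZONES = ("ot", "dmz", "corp", "internet")

# Direct flows the policy permits. OT only ever talks to the DMZ, the DMZ
# brokers traffic to corp, and nothing crosses straight from corp or the
# internet into OT in either direction.
ALLOWED_FLOWS = {
    ("ot", "dmz"),
    ("dmz", "ot"),       # e.g. historian polling, always DMZ-initiated
    ("dmz", "corp"),
    ("corp", "dmz"),
    ("corp", "internet"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    proto: str
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"


def violations(rules: List[Rule]) -> List[Tuple[Rule, str]]:
    """Return (rule, reason) for every allow rule that crosses a boundary
    the policy forbids. Deny rules and intra-zone rules are never flagged."""
    bad = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src not in ZONES or r.dst not in ZONES:
            bad.append((r, f"unknown zone in {r.src}->{r.dst}"))
            continue
        if r.src == r.dst:
            continue  # intra-zone traffic is out of scope for this check
        if (r.src, r.dst) not in ALLOWED_FLOWS:
            bad.append((r, f"direct {r.src}->{r.dst} flow bypasses the DMZ"))
        elif r.dst == "ot" and r.port is None:
            bad.append((r, "any-port rule into OT; pin it to the protocol needed"))
    return bad


# Constructed sample rule set: two legitimate DMZ flows, the billing web
# front end, and two rules that punch straight through into OT.
SAMPLE_RULES = [
    Rule("hist-poll", "dmz", "ot", "tcp", 502, "allow"),         # Modbus from DMZ historian
    Rule("ot-to-hist", "ot", "dmz", "tcp", 1433, "allow"),
    Rule("billing-web", "corp", "internet", "tcp", 443, "allow"),
    Rule("vendor-rdp", "internet", "ot", "tcp", 3389, "allow"),  # the hole in the wall
    Rule("it-any", "corp", "ot", "any", None, "allow"),
    Rule("default-deny", "internet", "ot", "any", None, "deny"),
]


def violation_names(rules: List[Rule] = SAMPLE_RULES) -> List[str]:
    """Names of the offending rules, in rule-list order."""
    return [r.name for r, _ in violations(rules)]


if __name__ == "__main__":
    for rule, why in violations(SAMPLE_RULES):
        print(f"{rule.name}: {why}")
```

              Running it over the constructed list reports `vendor-rdp` and `it-any`; the deny rule and the two DMZ-brokered flows pass. The same loop can be pointed at an exported rule base once each rule has been tagged with its source and destination zone.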

            2. doublelayer Silver badge

              Re: It's 2024 ...

              "unless that malware is either self-starting (in which case it'll become immediately obvious that something is wrong)"

              Not necessarily. Time delays are really easy to build in. They can let you clean up your first exploit before things go wrong so the investigation takes longer or, if you put more time into it, you might be able to pretend that your sabotage is just a cascade of normal failures that happens at an inopportune time. If your aim is destruction rather than getting data, you can manage it even through an airgap that you can only bypass once.

        2. doublelayer Silver badge

          Re: It's 2024 ...

          I did read the article. It is not as definitive as you say it is. For example, the sentence you quoted could have a lot of explanations. Here are two possible ones, neither of which you can disprove from the text of the article:

          The company currently believes that none of its water or wastewater facilities or operations have been negatively impacted by this incident because they were airgapped, so you'd have had to do something quite specific to get at them, but they don't know for a certainty that that didn't happen. Sure, they're running now, but if some theoretical attacker inserted malware into them which is going to switch them off in three days, they haven't found it yet.

          The company currently believes that none of its water or wastewater facilities or operations have been negatively impacted by this incident because the PR employee checked and water is still coming out at least in their house.

          And the last few paragraphs are not about this incident, but about one last year. Yes, in that case, the people concerned did connect their systems to the internet, but that doesn't prove that these different people also did so.

        3. Potemkine! Silver badge

          Re: It's 2024 ...

          "If those systems were properly airgapped, they would KNOW that they hadn't been compromised."

          Complacency has no place in cybersecurity. Even with an airgap a network can be contaminated. Maintenance is always required on a network and a device could bring the payload.

  2. Guy de Loimbard Bronze badge

    No easy fix!

    Having worked in this sector before, I understand the size of the challenge.

    Vendors/Suppliers can provide support remotely.

    Operations Management are being sold/hoodwinked into allowing this remote connectivity/service, as they are sold on quicker resolution than having to wait hours, days or even weeks for an engineer on-site call out. (Depending on severity and criticality of the systems affected)

    Ever since COVID lockdowns, this has become a prevalent stance on OT operations I have reviewed.

    Some of these solutions come into play via localised purchases (Shadow IT) with 4G Router/Dongles being put onto infrastructure, by well-meaning but misinformed engineers and suppliers, trying to do the right thing, without necessarily understanding the exposure risk and increase in attack surface.

    These are not phrases that a lot of OT engineers are familiar with, so risk is rarely considered.

    The security experts, plus the OT Wizards, know what the "Gold Standard" should be, but ageing infrastructure doesn't allow this approach at times. New build infrastructure is a different matter, but legacy installations are the challenge in today's always connected, data rich, data everywhere environment.

    We need to start with education and cultural changes.

    It's a security nightmare with no quick fix.

    It needs teamwork and really good collaboration for a successful outcome.
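    The 4G dongle on an OT host is detectable from the host's own interface and routing table long before anyone calls it a breach: a cellular interface, a second default gateway, or a gateway that isn't the sanctioned OT one all point at an uplink nobody approved. The script below is an added example, not the commenter's code or anything American Water runs; the inventory records, the approved-gateway set and the interface types are constructed, and in practice the records would come from a configuration export or an endpoint agent.

```python
"""Flag OT hosts whose interfaces suggest an unsanctioned uplink (cellular
dongle, extra default route, unapproved gateway). Hypothetical audit for
this thread; the inventory and the approved-gateway set are constructed."""

import ipaddress
from typing import Dict, List

# Gateways the OT zone is allowed to route through (constructed value).
APPROVED_OT_GATEWAYS = {"10.20.0.1"}

# Interface types that should never appear on a host in the OT zone.
UPLINK_TYPES = {"wwan", "cellular", "usb-modem"}


def audit_host(host: dict) -> List[str]:
    """Return a list of finding strings for one inventory record.
    Hosts outside the OT zone are out of scope and produce no findings."""
    findings: List[str] = []
    if host["zone"] != "ot":
        return findings
    gateways = set()
    for iface in host["interfaces"]:
        name = iface["name"]
        if iface.get("type") in UPLINK_TYPES:
            findings.append(f"{name}: {iface['type']} interface on OT host")
        addr = ipaddress.ip_address(iface["addr"])
        if addr.is_global:
            findings.append(f"{name}: public address {addr} on OT host")
        gw = iface.get("gateway")
        if gw:
            gateways.add(gw)
            if gw not in APPROVED_OT_GATEWAYS:
                findings.append(f"{name}: unapproved gateway {gw}")
    if len(gateways) > 1:
        findings.append(
            f"multiple default gateways {sorted(gateways)}; host bridges two networks")
    return findings


def audit_inventory(inventory: List[dict]) -> Dict[str, List[str]]:
    """Map hostname -> findings for every host that has at least one."""
    report = {}
    for host in inventory:
        found = audit_host(host)
        if found:
            report[host["hostname"]] = found
    return report


# Constructed inventory: a clean PLC gateway, an HMI someone fitted with a
# 4G dongle, and a corporate billing server that is not in scope.
INVENTORY = [
    {"hostname": "plc-gw-01", "zone": "ot", "interfaces": [
        {"name": "eth0", "type": "ethernet", "addr": "10.20.1.10", "gateway": "10.20.0.1"}]},
    {"hostname": "hmi-03", "zone": "ot", "interfaces": [
        {"name": "eth0", "type": "ethernet", "addr": "10.20.1.33", "gateway": "10.20.0.1"},
        {"name": "wwan0", "type": "wwan", "addr": "100.64.5.7", "gateway": "100.64.5.1"}]},
    {"hostname": "billing-web-1", "zone": "corp", "interfaces": [
        {"name": "eth0", "type": "ethernet", "addr": "203.0.113.10", "gateway": "203.0.113.1"}]},
]


if __name__ == "__main__":
    for hostname, findings in audit_inventory(INVENTORY).items():
        for f in findings:
            print(f"{hostname}: {f}")
```

    On the constructed inventory only `hmi-03` is reported, with three findings: the `wwan` interface itself, its carrier-side gateway, and the fact that the host now has two default gateways and so bridges the OT segment to the outside. The public-address check is there for the case where the dongle hands out a routable address rather than a carrier-NAT one.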
