[BreachExchange] What the Onslow Water and Sewer Authority Can Teach About Responsible Disclosure

Destry Winant destry at riskbasedsecurity.com
Thu Nov 15 08:50:57 EST 2018


https://www.securityweek.com/what-onslow-water-and-sewer-authority-can-teach-about-responsible-disclosure

Critical Infrastructure Operators Must Plan for Scenarios in Which a
Physical and Cyber Event Occur Simultaneously

Malware attacks, and their effect on industrial enterprises, are among
the most significant trends driving cybersecurity over the last 18 to
24 months. These incidents are vicious because they can cripple IT
operations and bring business to a screeching halt. But as the
infamous WannaCry and NotPetya experiences taught us, these attacks
can also impact operational technology (OT) networks. An infection
that begins on an office desktop can find its way into industrial
environments thanks to the rapid growth in interconnectivity that is
sweeping across nearly all industry verticals.

We’ve witnessed malware victimizing enterprises ranging from small
government agencies to massive, multinational corporations and, last
month, we saw another high-profile chapter unfold as Onslow Water and
Sewer Authority (ONWASA), a water utility in North Carolina, disclosed
that a ransomware attack had left it with limited computing
capabilities. But out of the damage caused by the attack also came
some valuable lessons and best practices for responding to a crisis.

This case study is worth exploring in more detail for several reasons.
First, it is commendable to see such a swift, responsible, and
transparent disclosure by the water utility. Second, the fact that the
malware did not bleed into ONWASA’s OT networks is indicative of
either luck, good cyber hygiene, or a combination of both. And lastly,
the proximity of the attack’s timing to Hurricane Florence highlights
the degree to which incident response plans must account for physical
and environmental conditions.

Let’s delve deeper into each one of these points.

Swift, Responsible, and Transparent Disclosure

ONWASA first discovered the malicious activity on October 4th. The
malware, Emotet, a trojan that began as banking malware and is now
used mainly as a loader for other payloads, persisted on the utility's
network for nine days and ultimately launched the Ryuk ransomware on
October 13th. Just two days later,
ONWASA’s CEO, Jeffrey Hudson, released a detailed press release
outlining the background of the infection and the steps taken by the
utility to mitigate what he described as a “targeted” operation
carried out by cyber criminals. By this point, at least some of their
customers were undoubtedly experiencing problems interfacing with the
utility, either online or otherwise. Hudson’s statements were critical
to assuaging any concerns among ONWASA’s customers that the water
supply was threatened or dangerous to consume. He drew a clear
distinction between ONWASA’s business operations and their water
operations. “The safety of the public’s water supply and the area’s
environment is not in danger,” Hudson said, noting that “the crisis is
technological in nature.” It’s clear and concise messages like this
that engender public confidence and combat unnecessary hype about
these incidents.

Containing the Incident

Part of the reason the messaging was so successful in this instance is
because the scope of the incident was limited to business services. In
cases of ransomware impacting organizations with a sizeable OT
footprint, such as public utilities, containing the incident is
usually a product of good cyber hygiene, luck, or some combination
thereof. Without knowing the specifics of this case it's impossible to
attribute a reason for the lack of operational impact, but they likely
had at least some network segmentation in place to prevent spillover.
The press release states that ONWASA had "multiple layers of computer
protection in place, including firewalls and malware/anti-virus
software." Anti-virus plainly did not stop the infection, so what
mattered was the path, or lack of one, from the compromised hosts into
the plants: given that ONWASA's main office was penetrated but its OT
networks were not, it's likely that the infected PCs and servers had no
network access to the OT networks.
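Whether the infected IT hosts "had access to the OT networks" is something an operator can check on paper before an incident, by evaluating the firewall policy the way the firewall does. The following is an added example, not code from the article or from ONWASA; the zones, rules, allowlist and flows are constructed assumptions that stand in for a utility's real policy. It does two things: evaluates individual IT-to-OT flows with first-match semantics, and audits the whole ruleset for allow rules that let an IT subnet reach an OT subnet beyond an explicit allowlist (here, one historian sync). The audit flags such rules even when a later deny happens to shadow them, because a shadowed convenience rule becomes live the moment someone reorders the policy.

```python
"""Audit whether a first-match firewall ruleset really isolates OT from IT.

Constructed example for illustration: the zones, rules and sample flows are
assumptions, not ONWASA's configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    dport: str    # "any", a single port "502", or a range "1024-65535"


def _cidr(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(spec, strict=False)


def _port_ok(spec: str, port: int) -> bool:
    """True if `port` falls inside the rule's destination-port spec."""
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def verdict(rules: Sequence[Rule], src: str, dst: str, port: int,
            default: str = "deny") -> str:
    """First-match evaluation: the first rule whose src/dst/port all match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in _cidr(r.src) and d in _cidr(r.dst) and _port_ok(r.dport, port):
            return r.action
    return default


def audit_it_to_ot(rules: Sequence[Rule], it_zones: Sequence[str],
                   ot_zones: Sequence[str],
                   allowlist: Set[Tuple[str, str, str]],
                   default: str = "deny") -> List[str]:
    """Names of allow rules that open any IT-to-OT path not on the allowlist.

    Overlap is tested per rule, so a broad "any" rule that merely touches an
    IT source and an OT destination is reported too.
    """
    it = [_cidr(z) for z in it_zones]
    ot = [_cidr(z) for z in ot_zones]
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        touches_it = any(_cidr(r.src).overlaps(z) for z in it)
        touches_ot = any(_cidr(r.dst).overlaps(z) for z in ot)
        if touches_it and touches_ot and (r.src, r.dst, r.dport) not in allowlist:
            findings.append(r.name)
    if default != "deny":
        # No rule ordering helps if the implicit policy is permit.
        findings.append("default-policy-is-allow")
    return findings


# --- constructed sample policy (assumption) ---------------------------------
IT_ZONES = ["10.10.0.0/16"]                          # office desktops, servers
OT_ZONES = ["192.168.100.0/24", "192.168.101.0/24"]  # HMI/PLC networks

# The one IT->OT flow the operator has deliberately approved.
ALLOWLIST = {("10.10.5.10/32", "192.168.100.5/32", "443")}

RULES = [
    Rule("historian-sync", "allow", "10.10.5.10/32", "192.168.100.5/32", "443"),
    # A convenience rule for remote support; exactly the path ransomware rides.
    Rule("it-to-ot-rdp", "allow", "10.10.0.0/16", "192.168.100.0/24", "3389"),
    Rule("it-to-ot-block", "deny", "10.10.0.0/16", "192.168.0.0/16", "any"),
    Rule("ot-internal", "allow", "192.168.100.0/24", "192.168.100.0/24", "any"),
]


def sample_findings() -> List[str]:
    """Run the audit on the constructed policy."""
    return audit_it_to_ot(RULES, IT_ZONES, OT_ZONES, ALLOWLIST)


if __name__ == "__main__":
    # An infected desktop trying Modbus to a PLC is blocked ...
    print("desktop->PLC:502 ", verdict(RULES, "10.10.20.77", "192.168.100.20", 502))
    # ... but the same desktop can RDP to an HMI, which the audit catches.
    print("desktop->HMI:3389", verdict(RULES, "10.10.20.77", "192.168.100.10", 3389))
    print("findings:", sample_findings())
```

Feed the audit your exported policy rather than this sample, and treat every finding as a path that an IT-side infection can follow; the goal after an exercise like this is an allowlist short enough that each entry has a named owner and a reason.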

Ryuk, unlike commodity ransomware, is deployed selectively by hands-on
operators, so it is likely that the perpetrators did not intend to
impact ONWASA's OT networks. That said, as NotPetya taught us, these
attacks can easily exceed their intended effect when the victim's
network hygiene is poor. In this case, that did not happen.

Timing is Everything

Finally, perhaps the most consequential part of this story is that the
attack came less than a month after Hurricane Florence, the storm that
reached Category 4 over the Atlantic before striking the Carolinas in
September and dropping more than 35 inches of rain in places. The
aftermath of such a storm is perhaps the most critical time for a water
and sewer utility like ONWASA, whose operations are fundamental to the
health and safety of citizens during the recovery process.

Fortunately, in this case, water and wastewater services were not
disrupted and ONWASA’s plants were capable of operating manually until
the affected systems were restored. This highlights two critical
points.

First, all critical infrastructure owners and operators must plan for
scenarios in which a physical and cyber event occur simultaneously.
Critical infrastructure in general and OT networks specifically are
most vulnerable to cyber attacks during or immediately after a
significant natural disaster event. It is entirely possible that the
actor behind this ransomware attack seized this specific moment to
achieve their objective.

Second, asset owners and operators must exercise the transition from
computer-based to manual operations in the event of a compromise, even
if it is limited in scope to IT systems. If resilience is measured by
how organizations perform while under threat, be it natural or
man-made, then operating without relying on computer-based systems is
a foundational requirement for success.

It’s rare that we look back on these incidents with positive
takeaways, but while monumental efforts still remain for ONWASA to
return its services to a normal state, they should be commended for
how they responded to this event. From a communications and technical
standpoint, they turned a horrible event into a strong success story
on many fronts.

