How the Florida water hack shows everything wrong with OT security
ICS Detection is useless
Over the last couple of years about $500 million in venture capital were pumped into ICS Detection startups. Their central proposition is that you don’t have to worry about those evil hackers if you just detect ICS attacks early, with the help of network anomaly detection. Guess what, in the first prominent ICS attack on US soil, the attack was detected without any deep packet inspection! It was so obvious that it could be spotted with the naked eye!
One could go further and make the point that ICS Detection products wouldn’t even have caught the intruder because he was using a legitimate remote access channel. No anomalies in network traffic, no privilege escalation, lateral movement and all the other hacker stuff that these products claim to detect.
See also: The ICS Detection Bubble (video)
ICS threat intelligence has no clue
If you are in OT security, you will probably have heard a lot about scary threat actors with funny names such as Xenotime — even though these names admittedly doesn’t refer to real people sitting in real buildings. But when it comes to the Florida hack, the overfunded threat intel community has no clue. For the first noteworthy attack attempt on US critical infrastructure they have no idea where it came from. The irony!
In the meantime I’m betting $20 that it was an Iranian bottom feeder skilled enough to use Shodan and look up default passwords. Let’s call them Crazy Weasel if you need a sticky name. And since the prevalent school of thought argues that real attribution is bad and the only thing that matters is commonality in tactics, tools and procedures, I link Crazy Weasel also to the recent and very similar attack against an Israeli water facility, or honeypot. There you got your threat intel, free of charge. You’re welcome.
See also: The three things you need to know about ICS threat intelligence (video)
Fancy ivory tower frameworks are irrelevant
Comparably irrelevant is all the fancy bullshit in and around the MITRE ATT&CK for ICS framework. There are lots of practically useful things that the US government could do to improve cyber security, such as fixing the broken SCAT process. Developing ivory tower frameworks isn’t one of them.
In order to protect critical infrastructure against cyber attacks, you don’t need ICS Detection products, ICS threat intelligence, or fancy frameworks. You just need to practice what you have been told for decades: Implement a structured cyber security program and exercise periodic audits. Today there is no shortage of competent OT security experts that are happy to help you (in case you wonder: We’re not one of them). They would have spotted the insecure remote access at Oldsmar long before a fearmongering media had another opportunity to turn blatant lack of security protocol into clicks.