Risky Business: Preparedness Lessons Learned from the Florida Water Plant Hack
We can all learn a lesson from the recent hack into a Florida water plant's cyber infrastructure — namely, cybersecurity is a vital component of every business.
You’d be hard-pressed to find someone in the IT security space who will argue against the importance of risk preparedness. Unfortunately, more often than not, people will talk the talk without walking the proverbial walk. It sounds smart: be ready for potential attacks before they happen. But we have a long way to go to put this sentiment into practice. Accidents are unplanned, and we're never quite as prepared as we should be. The "that will never happen to us" attitude is rampant across the enterprise, especially when it comes to cybersecurity.
Risk preparedness is something organizations need to start taking seriously, as seen by the recent Florida water plant hack, among others. If they don't, the outcomes could be devastating. Imagine a stadium of sick Super Bowl attendees or worse. While the focus has been largely on protecting big businesses or federal entities with lots of valuable data, no one is truly safe from bad actors, not even local municipalities. In fact, these could be even more dangerous targets when you consider something as serious as compromising a community’s water supply or stealing information.
Whether a business, organization, or government entity, we should be auditing ourselves, assessing the risks, and adapting to new threats to prevent what could be far worse outcomes than what we saw in Florida a few weeks ago. So, how can we better prepare for attacks at any level? Here are several ways enterprise organizations, from big brands to local governments, can mitigate risks and take control of their security posture.
Practice Makes Perfect
Conventional wisdom and sports analogies tell us the best offense is a good defense, and the same can be said for cybersecurity. But the only way to tell if you have a good defense is to practice, over and over again, in a multitude of different scenarios that may or may not occur during a game. At the federal level, the US government is focused on cybersecurity posture with foreign adversaries. We have red teams that attack and test the safety of our own systems. On a municipal level and in the private sector, that’s not necessarily happening, but it should be. Self-auditing is a great way to test the security of your network and take the appropriate action to fix the holes before someone less desirable penetrates them.
Penetration testing can help achieve this. By simulating an attack in a controlled environment with ethical hackers to assess the risk exposure of the servers, organizations can identify vulnerabilities in the system and work to resolve them. Cybersecurity training courses are now widely available on platforms from LinkedIn to Udemy — empower your employees with these tools to beef up their skills. Organizations like GIAC Certifications now have Cloud Penetration Testing (GCPN) certifications to prove practitioners have mastered the skills necessary to conduct cloud-focused penetration testing and assess the security of systems, networks, architecture, and cloud technologies. Fortunately, today there are many resources to help organizations get started.
Start From the Inside Out
Not all threats originate from outside the perimeter, and organizations would be smart to have protocols in place to address that. Permissions for current employees and proactive removal of access for former employees are something businesses need to stay on top of. According to BLS data, 10.7 million Americans are still out of work as a result of the COVID-19 pandemic. Initial unemployment claims have reached as high as 1.5 million in just one week. Unfortunately, the job market is ripe for disgruntled employees dealing with the aftermath of a stunted economy, and for some individuals out of a job, desperation may set in.
An employee in a work-from-home environment, unsupervised by managers and unencumbered by IT staff, may be tempted to sell corporate information, intellectual property, trade secrets, passwords, or personally identifiable information (PII). Corporations need to be aware of this potential risk and promptly take action to remove individual access ahead of time. Compromises like this are easily avoidable, and removing access should be standard protocol across the enterprise. While this isn’t necessarily the vector of the Florida water plant attack, it is absolutely a vulnerability that should be addressed.
Passé Passwords Need to Go
According to Axios, investigators suspected that desktop-sharing software was likely used to access the Oldsmar drinking water treatment facility system, which was running on Windows 7 with every person using the same password. The facility had not updated to the latest operating system, but the pitfalls of passwords are the real problem. According to researchers at Carnegie Mellon University, the familiar rules for strong passwords designed to make it harder for hackers to get in (capital letters, numbers, special characters, length requirements, and more) don't really make a password any stronger. Why? Because people are creatures of habit, and most exhibit the same behaviors to meet these standards.
Multi-factor authentication (MFA) is one simple way to improve password security. By requiring users to enter two or more pieces of evidence (a PIN from your phone or hardware, a security question, or a physical token) to prove they are who they say they are, MFA can help protect the login process. One of the barriers to MFA adoption is ease of use. It’s hard enough to remember your password; now add yet another step users need to take to get their job done. From a higher level, rolling out MFA organization- or customer-wide can also seem daunting. Change is hard, and finding someone to lead the charge, understand the resources needed, and deal with bumps along the road is not for the faint of heart. It also may not be a priority if the system hasn’t been compromised before. But as attacks become more sophisticated, and targets broader, it’s better to be safe than sorry.
Risk preparedness is no longer something that’s nice to have in place — it could be the difference between the success and failure of your business, and in some extreme cases, like the Florida water plant hack, life and death. The enterprise needs to do a better job of getting ahead of attacks before they happen, and the only way to do this is to put measures in place that safeguard against the unknowns. Self-auditing, identity and access management, and MFA are three easy and effective ways to ready your organization for battle. Remember, in most cases, it’s not a matter of if, but when, so make sure you’re ready when it happens.