Lessons from ransomware attacks at Maine water-treatment facilities

Aug. 27, 2021

We should not rely upon the “goodwill” of attackers to not fully exploit control systems in future attacks.

A recent disclosure from two rural Maine wastewater systems hit by ransomware earlier this year caught my eye. The towns of Limestone and Mount Desert Island should be lauded for restoring operations without paying the ransom. It is encouraging that both facilities recovered from the attacks without compromising taxpayer data, creating a public-safety threat, or paying the attackers.

However, my concern lies in how often the typical company or government-run organization is reactive rather than proactive about cyber events. Once bad actors know a piece of critical infrastructure is vulnerable, repeat attacks become more likely. In the case of Mount Desert Island, officials say the attack took computers offline for three days. In Limestone, the compromised machine was running Windows 7, an operating system that no longer receives security updates, and it was upgraded only after the attack. Officials confirmed that the attackers reached a computer connected to the plant’s supervisory control and data acquisition (SCADA) system. Had they chosen to, the attackers could have overridden alarms or disabled critical pumps and other equipment.

Fortunately, this did not happen, but we should not rely on the “goodwill” of attackers to refrain from fully exploiting their ability to manipulate control systems in future attacks.

To proactively prevent future attacks, industrial and manufacturing organizations should adopt a risk-based approach and remain vigilant. This means keeping a careful watch for possible threats and addressing them before they succeed. The computers would have been far less likely to sit offline for three days if the operating systems had been upgraded earlier, or if leaders had taken every reasonable step to keep threats from reaching obsolete or otherwise vulnerable assets.

This is the risk-based approach we all should adopt.

The weakest link in cybersecurity is the human element. It is encouraging that municipalities can seek American Rescue Plan funding to strengthen their systems and provide cybersecurity training for Maine water-plant operators. It surprises me that Maine does not require any form of cybersecurity training to obtain a wastewater-operator license.

To reduce future risk and limit the damage of the inevitable next attack on critical infrastructure, I recommend industrial and manufacturing companies take the following actions:

●      Conduct regular risk assessments to identify actionable threat and vulnerability information, and address the findings before an attacker can exploit them

●      Identify the “crown jewels,” the assets whose loss or manipulation would do the most damage, and implement additional cybersecurity controls around them

●      Develop and continue to mature an incident-response plan and playbook to reduce the impact of an attack

●      Train employees not only to detect an attack at an early stage, but also to avoid the accidental incidents caused by non-malicious insiders

●      Conduct “lessons learned” sessions after every incident and continuously improve the process based on what they reveal

The fact that the water-treatment facilities were able to recover from the attacks without paying the ransom is a great result. Moreover, the incidents have caught their attention: they have addressed the vulnerable systems, sought to strengthen their defenses, and provided cybersecurity training for their water-plant operators. This should be a wake-up call. Similarly vulnerable entities need to recognize that their networks can, and most likely will, be compromised, and plan accordingly.

Syed Belal is director of OT cybersecurity consulting services for Hexagon PPM