During Thanksgiving in the U.S., two cyber attacks diverted ambulances across hospitals across different states and impacted the water supply system of a city 18 miles northwest of Pittsburgh, Pennsylvania.
The attack on the water supply system in Aliquippa, Pennsylvania, immediately drew the attention of the Department of Homeland Security after an Iran-aligned group, Cyber Av3ngers, which has been linked to at least ten water system cyber incidents in Israel, claimed responsibility.
According to CBS, IT equipment inside a water authority building nestled in woods outside Aliquippa suddenly shut down.
With the equipment no longer monitoring water pressure, a message appeared on one of the screens.
Matthew Mottes, chairman of the water authority, told CBS the message said: “…Our system had been hacked by legal authority by the ‘Cyber Av3ngers. Down with Israel”.
The message added: “Every equipment ‘Made in Israel’ is Cyber Av3ngers’ legal target”.
On the other hand, the attackers behind the ransomware that forced hospitals in New Jersey, New Mexico, and Oklahoma to reroute ambulances are still unknown. However, with the two attacks just a couple of days apart and both hitting key systems during the holidays, it is clear that both sets of attackers sought to cause the greatest possible damage.
CNN reported that a 263-bed hospital in Albuquerque, New Mexico, could not accept ambulances, along with a 365-bed hospital in Montclair, New Jersey, and several hospitals in East Texas that treat thousands of patients a year.
A nurse told CNN that staff needed to “print out as much patient information as we could” as networks began shutting down.
While cybersecurity reports reveal that cybercriminal groups, often state-supported, are increasingly targeting both the health sector and critical infrastructure sectors, these two attacks are a scary indication of how easily widespread attacks on civilians can occur.
They reveal an escalation into U.S. digital systems with a dangerous potential to significantly impact the population.
Techopedia spoke to Nicole Sundin, CPO of Axio, to gain insights on the water security industry and to Richard Caralli, Senior Cybersecurity Advisor, Axio, to unravel the deep international connections of the Pittsburgh water attack. Additionally, we received several comments from leading experts while putting this report together.
What follows is the insight we learned about the recent attacks and why experts say the focus should be on OT-IT (operational technology and information technology) security.
The American Health Sector in the Cross-Fire
In its recent Global Threat Intelligence Report 2023, BlackBerry reported over 179,000 incidents against the healthcare industry globally. BlackBerry adds that millions of patients in 20 states in the U.S. have been affected by health service interruptions in 2023, with sensitive patient data becoming a lucrative prize for ransomware gangs.
“The issue is with the complexity of these environments,” Sundin told Techopedia.
Sundin explained that the distributed nature of hospital systems is one of the main challenges.
“We see customers conducting risk assessments for over 150 hospital systems, all with different levels of risk. Building a complete plan to address risk in a distributed environment is very complicated and takes a lot of collaboration from numerous stakeholders.”
Additionally, the complexity of healthcare systems, which combines IT, OT, and the Internet of Things (IoT), presents numerous attack vectors that are hard to lock down.
Elevating the Standards of Healthcare Security
Sundin warned that the healthcare industry needs to prioritize not just compliance but cybersecurity, too.
“HIPAA or HITRUST compliance does not automatically mean you are addressing risks. The classic saying that compliance does not equal security is true here. Hospital systems not only need to comply with regulations but take a risk resilience approach to protect their hospital systems.”
Sundin highlighted the need to build a risk-based program: understanding which risks run holistically throughout operations and then addressing each one. Once risks are exhaustively evaluated, controls such as network segmentation, privileged access management (PAM), and other least-privilege mechanisms can be deployed to create layers of security.
“However, identifying standard security practices must start with understanding your risks and building a strategy around addressing those,” Sundin added.
The blurred lines between virtual-IT and real-OT worlds
Experts agree that the key to securing the sophisticated and decentralized operations of critical services like those provided by healthcare organizations lies in the modernization of Hospital Incident Command Systems (HICS), which exist under the Incident Command Systems (ICS) umbrella.
Traditionally, an HICS is designed for hospitals to deal with events such as energy blackouts, floods, fires, and natural disasters. It outlines guidelines, for example, to provide a backup power source, a continual water supply, and continual communications even in the face of unexpected emergencies. However, many providers have yet to update their HICS to meet the modern-era threat of cyberattacks, including aligning operational technology (OT) with information technology (IT) systems.
In a statement sent to Techopedia, Bryson Bort, Faculty at IANS Research and CEO and Founder of SCYTHE, said that the integration and increasing convergence of OT and IT will be a crucial trend for cybersecurity in 2024.
“This convergence extends beyond industrial and business operations and into our daily lives. We often don’t realize that we interact with OT components in the workplace, from electricity and water to elevators and security cameras.”
In the case of healthcare providers, OT encompasses hardware and software such as medical imaging systems, laboratory equipment, infusion pumps and ventilators, building management systems (BMS), and networks and data security, among others. The problem is that these vital technologies are so tightly integrated with internet-connected IT systems that when IT is breached, OT is compromised as well, and hospitals often need to shut down operations.
Therefore, a simple human error, such as a hospital worker clicking on a phishing link on their phone, can potentially disrupt an entire multi-state healthcare system.
“The boundary between IT and OT is becoming less distinct as the invisible aspects of the Internet of Things (IoT) blend into our environments. What’s clear is that the surface area for potential cybersecurity threats is increasing. As these domains continue to merge, collaborative efforts to secure this growing attack surface are critical,” Bort said.
The Aliquippa Water Attack: Security for International Cyberwarfare
OT and IT security also lie at the heart of the attack on the water system of Aliquippa, Pennsylvania.
Mark Toussaint, Sr. Product Manager and operational technology (OT) expert at OPSWAT, told Techopedia via email that mitigating cybersecurity risks in industrial control systems (ICS) can present a challenge for some organizations.
“Particularly in water and wastewater systems since they are often smaller municipalities with limited resources. This industry is also not regulated by enforceable cybersecurity requirements, making it more vulnerable.”
How Unidirectional Security Gateways (USG) Can Strengthen the Water Sector
While the first step for any industry is to align IT environments with good practices, identify threat vectors, and implement solutions that reduce the likelihood of impactful attacks, many organizations fail to recognize the right technologies to deploy.
Toussaint said that unidirectional security gateways (USGs) could strengthen the water sector and provide continuity of critical services like water, even during a security incident.
“This preventative measure (USG) hinders threats from spreading to critical network segments, allowing operations to continue without compromise.”
USGs are commonly used in industrial control systems (ICS), healthcare networks, and government networks. These technologies create a physical barrier between a low-security network (LSN) and a high-security network (HSN), preventing data from flowing back from the HSN to the LSN.
“Organisations can enhance their security tech stack by incorporating unidirectional security gateways,” Toussaint said.
“While traditionally used in government agencies, these gateways and data diodes are increasingly adopted in industries like oil and gas and manufacturing. They ensure one-way communication and data sharing, not only preventing potential insider threats and minimizing data leakage but also ensuring no routable information passes between networks with varying security levels.”
Toussaint added that, given that critical infrastructure sectors like water and wastewater are increasingly targeted by nation-state threat actors seeking to cause disruption, organizations must stay ahead of the curve.
The Israel-Hamas Conflict Spreading Through Cyberspace
While not the first international cyberattack linked to the Israel-Hamas conflict, the Aliquippa water attack is undoubtedly one of the most apparent red flags since the conflict in the Middle East intensified.
Experts agree that as the Israel-Hamas conflict continues to unfold, similar international cyber incidents will break news. Richard Caralli, Senior Cybersecurity Advisor at Axio, spoke to Techopedia about this issue.
“It is unlikely that the city of Aliquippa (or any small municipality) is specifically targeted for its location or service area. However, it has been reported that the Aliquippa utility uses an industrial control system (ICS) supplied by Israel-based Unitronics, which has been targeted by an allegedly Iran-based hacktivist group known as Cyber Av3ngers.”
Caralli explained that many of the components of an ICS are connected directly to the internet, making them more vulnerable to attack. Caralli added that vulnerabilities in Unitronics ICS components have been identified and published, which may further encourage exploitation attempts.
“Users of such technologies — supplied by Unitronics or other vendors — should be alert for signs of intrusion as hacktivists often take advantage when attention is drawn to high-profile events (such as physical conflicts) to run cyber-attack campaigns,” Caralli warned.
Caralli described the Iranian-linked group that attacked the Aliquippa water authority as dangerous.
“Any activist group that has sufficient access to technical knowledge and means to execute a cyber-attack is dangerous, given opportunity. Clearly, services that are critical to life, safety, and health — such as water systems, hospital services, or power grids — are prime targets of cyber-attackers because of the potential for widespread damage and societal impact.”
According to Caralli, while Iran-linked cyber gangs are likely no more dangerous than other nation-state-sponsored groups, the recent Middle East conflicts are likely encouraging these groups to run campaigns while attention is focused on ground-level battles.
OT-IT in the Water Sector
The problem with sectors like small water providers is that many still operate legacy systems that do not support modern cybersecurity standards, such as preventing the use of default administrative credentials or enforcing multi-factor authentication. These operations also often depend on third-party vendors that use online IT systems to operate and maintain operational technologies, leaving systems that should be air-gapped connected to the internet.
OT systems that are operated in a “closed” network environment (i.e., not exposed to the internet) are, by design, potentially more secure because they can only be accessed from within the organization’s network, Caralli explained.
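As an added illustration of the two points above, the one-way barrier a unidirectional gateway enforces between a low-security network (LSN) and a high-security network (HSN), and the legacy-credential and vendor-remote-access weaknesses that leave OT reachable from the internet, here is a small policy and inventory audit. It is example code written for this article, not code from Techopedia, Axio, OPSWAT, or any gateway vendor; the zone names, the `Rule` and `Device` records, and the sample policy are all constructed for a hypothetical small water utility, and the gateway direction (LSN into HSN, nothing back) follows the configuration described in the text.

```python
from dataclasses import dataclass
from typing import Callable, List

# Zone labels for a small utility network. Constructed for this example, not taken
# from the article or from any vendor product.
INTERNET = "internet"
LSN = "lsn"  # low-security network: business IT, remote-access jump hosts
HSN = "hsn"  # high-security network: PLCs, HMIs, SCADA servers


@dataclass(frozen=True)
class Rule:
    """One firewall/ACL entry: traffic from src zone to dst zone on a port."""
    src: str
    dst: str
    port: int
    action: str  # "allow" or "deny"


@dataclass(frozen=True)
class Device:
    """A minimal asset-inventory record (hypothetical fields)."""
    name: str
    zone: str
    default_admin_creds: bool   # factory credentials never changed
    mfa: bool                   # MFA enforced on administrative logins
    vendor_remote_access: bool  # third-party maintenance access from outside


def unidirectional_gateway(allowed_src: str, allowed_dst: str) -> Callable[[str, str], bool]:
    """Model a data diode / USG: a flow is forwarded only in the one configured
    direction. Anything else between the two zones, replies included, is dropped."""
    def forwards(src: str, dst: str) -> bool:
        return src == allowed_src and dst == allowed_dst
    return forwards


def audit_rules(rules: List[Rule], diode: Callable[[str, str], bool]) -> List[str]:
    """Return findings for allow rules that contradict the intended segmentation."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src == INTERNET and r.dst == HSN:
            findings.append(f"{r.src}->{r.dst}:{r.port} exposes the OT network directly to the internet")
        if {r.src, r.dst} == {LSN, HSN} and not diode(r.src, r.dst):
            findings.append(f"{r.src}->{r.dst}:{r.port} flows against the unidirectional gateway")
    return findings


def audit_devices(devices: List[Device]) -> List[str]:
    """Flag the legacy weaknesses named in the article: default admin credentials
    and third-party remote access without multi-factor authentication."""
    findings = []
    for d in devices:
        if d.default_admin_creds:
            findings.append(f"{d.name}: default administrative credentials still in use")
        if d.vendor_remote_access and not d.mfa:
            findings.append(f"{d.name}: vendor remote access without multi-factor authentication")
    return findings


# Constructed sample policy and inventory for the hypothetical utility.
SAMPLE_RULES = [
    Rule(INTERNET, LSN, 443, "allow"),   # web access for business IT: acceptable
    Rule(LSN, HSN, 8080, "allow"),       # one-way update feed via the gateway's proxy
    Rule(HSN, LSN, 8080, "allow"),       # return path: contradicts the gateway
    Rule(INTERNET, HSN, 502, "allow"),   # Modbus/TCP on a PLC reachable from the internet
    Rule(INTERNET, HSN, 22, "deny"),
]
SAMPLE_DEVICES = [
    Device("plc-pump-station-1", HSN, default_admin_creds=True, mfa=False, vendor_remote_access=True),
    Device("hmi-treatment", HSN, default_admin_creds=False, mfa=True, vendor_remote_access=True),
    Device("billing-server", LSN, default_admin_creds=False, mfa=False, vendor_remote_access=False),
]

# The article's configuration: data may enter the HSN from the LSN, nothing flows back.
LSN_TO_HSN_ONLY = unidirectional_gateway(LSN, HSN)


def run_audit() -> List[str]:
    return audit_rules(SAMPLE_RULES, LSN_TO_HSN_ONLY) + audit_devices(SAMPLE_DEVICES)


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

On the sample data the audit reports four findings: the reverse-direction rule across the gateway, the PLC port open to the internet, and two credential and access weaknesses on the pump-station PLC. The same checks can be run over an exported firewall policy and asset inventory by mapping each export row onto `Rule` and `Device`.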
“Operational technologies control the processes that bring us electricity, natural gas, water, and manufactured goods. Increasing automation and digitization have revolutionized these processes, as has the use of the Internet. Unfortunately, technological advancement makes these systems more vulnerable to attack and requires more sophisticated cybersecurity programs and controls to improve their resilience.”
The Ukraine-Russia war proved that a war on the ground spills across many borders in cyberspace. Naturally, governments worldwide, including in the U.S., are already preparing for an escalation of cyber incidents triggered by the rising tensions in the Middle East.
Caralli said there is already evidence of how this new conflict affects cybersecurity despite continual cyber warfare.
“A recent uptick in hospital system attacks, attacks on education systems, and recent water system attacks indicate that nation states and activists are interested in creating societal impact and chaos that can have downstream collateral effects.”
As U.S. federal and state law enforcement agencies and branches of government become involved, critical infrastructure and services, such as water and healthcare, are expected to be among the primary targets.
Experts agree that 2024 cybersecurity priorities must include exhaustive and practical risk assessments, proactive assessment of exposures and actions through ICS strategies, and scrutiny of internet use wherever it enables operational technology. The security and integrity of OT-IT operations appear to be the most significant challenges at hand.