nGuard
Energy

Florida Water Treatment Plant Hack

Summary
Earlier this month, hackers successfully carried out an attack against a water treatment facility in Oldsmar, Florida, coming awfully close to poisoning the water supply. The attackers were able to access the plant’s Supervisory Control and Data Acquisition (SCADA) systems remotely and increase the level of sodium hydroxide added to the water from 100 parts per million to 11,100 parts per million. In small doses this chemical is safe to consume. Fortunately, the change was discovered immediately by an employee, who was able to reverse it before the sodium hydroxide level in the water was actually altered.

How did they do it?
The water treatment plant’s computers were running the Windows 7 operating system, which is outdated and unsupported and had not received any updates in over a year. Attackers were able to compromise the computers because these outdated systems are affected by multiple known vulnerabilities, resulting in unauthorized access. The computers were also running TeamViewer, a remote access tool, so that staff could administer the machines as needed and respond to alerts. All the computers on the network that used TeamViewer shared the same password, and the software was reachable by anyone on the internet. A database of breached credentials that was leaked in 2017 contained passwords associated with the ci.oldsmar.fl.us domain, and it is believed the attackers used these passwords to gain access via TeamViewer. Once the attackers had gained access via the outdated operating system, they used this software to remotely control the desktop and modify the sodium hydroxide levels.

What to do?
If your organization is hosting critical infrastructure, like SCADA or Cardholder Data Environments (CDE) for PCI, it’s crucial to:

  • Properly segment these systems from non-critical networks.
  • Ensure all operating systems in use, across all networks, are supported by the vendor and receiving and applying regular security patches.
  • Regularly test segmentation to validate that the access controls in place are sufficient to limit access to critical infrastructure.
  • Limit the types of software allowed on your systems.
  • Eliminate all local administrator accounts to enforce the principle of least privilege.
  • Have a strong password policy that is strictly enforced for all types of accounts.

nGuard has broad experience helping to secure all types of critical infrastructure organizations, including energy. By leveraging penetration testing, managed security solutions and Cyber Security Incident Response, we can help your organization become secure and meet your compliance goals.

Filed Under: Advisory, Breach, Events, General, Vulnerabilities & Exploits

February SolarWinds Update

As security researchers continue to delve into the issues surrounding the SolarWinds breach, additional implications and vulnerabilities are coming to light.

Last week researchers discovered 3 additional SolarWinds vulnerabilities that, at worst, allow an attacker to achieve remote code execution with elevated privileges.

  1. CVE-2021-25274 affects the SolarWinds Orion platform through the Microsoft Message Queue. The Collector Service doesn’t set permissions on private queues, which may allow an attacker to send specially crafted packets to the service and gain remote code execution.
  2. CVE-2021-25275 also affects the Orion platform and may allow an attacker to gain unauthorized access to the back-end database. This vulnerability would likely allow an attacker to gain administrator privileges for the application, which can cause a world of trouble.
  3. CVE-2021-25276 affects the SolarWinds Serv-U FTP server. A directory that contains users’ password hashes is accessible to any Windows user who has access to the server’s filesystem. A malicious user could quickly add a user profile that would give them persistent access to the FTP server.

SolarWinds has since addressed these issues, which were responsibly disclosed to them. While these vulnerabilities have not been found to be exploited in the wild and appear to be unrelated to the supply chain attack we have been following so closely, it is highly recommended that users of the platform install the latest versions. Users of the SolarWinds Orion platform can find information on the recent update here. Additionally, organizations using the Serv-U FTP functionality can find a hotfix here (ServU-FTP 15.2.2 Hotfix 1); this is a direct .zip download. nGuard has been responding to many requests for services related to this massive SolarWinds breach. From incident response to preventative penetration testing assessments, nGuard is helping our clients to secure their data and protect their customers.

Filed Under: Advisory, General, Vulnerabilities & Exploits

GDPR Fines On The Rise

Since the European Union’s General Data Protection Regulation (GDPR) took effect in May of 2018, regulators have handed out $330.5 million in fines, $192 million of it in the past year alone. As the GDPR regulation grows in maturity, regulators are growing tougher with their fines. Breach notifications are also on the rise, having increased 19 percent over the past 12 months. Germany leads the way with 66,527 breach notifications and Italy has had the least with 3,460. Germany, France, and Italy are the top 3 countries in fines imposed, with a combined $234 million since GDPR was enacted.

With the impact of COVID-19, some organizations have been fortunate to see their fines drop significantly on the promise to improve their security posture. Marriott saw its fine reduced to $25 million from the original $123 million for a breach that lasted over 4 years and resulted in the compromise of 339 million guests’ information. British Airways saw its fine reduced to $27 million from the original $230 million after the personal data of over 400 thousand customers was stolen when its website redirected to a fraudulent one that collected customers’ personal details; this went undetected for over 2 months. The pandemic has provided temporary relief on some fines, but this isn’t permanent. Organizations need to ensure they are following GDPR regulations or it is going to cost them in large-scale fines.

The 4 potential sources of privacy protection are markets, technology, self- or co-regulation, and law. GDPR has taken the traditional approach of law to enforce privacy and data protection. With GDPR fines only increasing and being strictly enforced, it is clear that a law does not by itself guarantee increased privacy and security. The best piece of advice for organizations that have to follow GDPR guidelines is to err on the side of caution, as fines and cumulative damage claims are only going to rise. As GDPR matures and evolves, there may be new, stricter regulations released in the future.

Filed Under: Advisory, Compliance, Financial, General

5 Ways to Ensure a Passing PCI QSA Audit

It’s no secret that most organizations that endeavor to achieve any level of PCI compliance find it more difficult than they first imagined, and even more so for merchants that require Level 1 PCI compliance.

These companies require an external QSA audit and a passing Report on Compliance (ROC). No small feat. As a PCI QSA company, our QSAs have identified 5 key ways to improve your company’s chances of passing its PCI QSA audit. Fortunately, all of these can be performed by internal resources in preparation for an upcoming PCI QSA audit.


1. Know all the places where CHD is transmitted, stored and processed.

A QSA audit begins with interviews to discover all the places where payment cards are accepted, processed, transmitted, stored, and more.

Nearly 100% of the time, in new environments where no prior consultation or audit was performed, we discover processes or systems that are in scope and were previously unknown to the client.

This is understandable, especially if the organization has never gone through a discovery process. Generally, employees are tasked with making things work, and often processes and products are created that are never formally documented or even approved.

Processes that can bring systems and people in scope:

  • Recorded calls where CHD is stored in the recordings.
  • Physical paper with CHD that is being scanned into another system.
  • Emails where CHD is sent either internally or externally to customers.
  • CHD being shared with partners via undocumented and insecure methods.
  • Temporary “stores” or collections that only happen periodically like an annual conference where the organization accepts payment cards for registration fees.

In order to discover these processes, at least two people in each department should be interviewed: the department manager and the employee in that department who is most knowledgeable about all of its processes. Hint: the department manager is often surprised to hear about some of the processes that collect or process CHD, or at least about the details of how it’s being processed. Because they don’t actually work with the process, they can unintentionally mislead or misinform about it. So don’t rely solely on department managers; make sure you talk to the person with their boots on the ground. Most department managers understand this and are more than willing to sit down with the auditor and another employee in the department to discuss their interaction with CHD.


2. Know what is in scope for PCI.

As stated previously, most organizations don’t fully understand all their processes even at a high level. There are small details about processes that may never get documented and therefore never make it up to the managerial level. Once these processes are fully understood, however, the next step should be to determine how they affect the scope of the audit. In general, the scope should include all people, processes and systems that process, transmit or store CHD. In detail, the organization should fully understand the flow of CHD through the organization and include every system, person or process that the CHD touches. This would include places often overlooked such as:

  • Phone systems for collecting CHD over the phone.
  • Workstations of Customer Service Reps (CSRs) who collect data over the phone and enter it into a payment application or website.
  • Systems that are not segmented from systems that directly interact with CHD. For example, if the CSR workstation is not segmented from the rest of the organization’s network, then all the systems in the network are in scope.
  • Web applications that start the payment process but then hand off the payment to a third-party payment provider. These web applications are typically in scope for at least some controls.

3. Reduce the scope.

One of the best ways to secure data and achieve compliance is to simply reduce the scope of processes, people and systems covered by PCI DSS. I often help customers walk through this process and understand, from a business and technical perspective, the positives and negatives of reducing or eliminating processes in order to reduce scope and therefore the risk to CHD. The most common areas for reducing scope are:

Eliminate CHD where possible.

  • P2PE is the process of encrypting CHD at the point of interaction, either at a card-present point-of-sale system or on a special keypad used to enter the payment card information. Both of these devices can encrypt the CHD at entry and submit it directly to the processor. Although the information is transmitted through the organization’s network, it is not considered CHD, since the data is encrypted with a key that the organization does not own or have access to; the decryption key is held by the processor or service provider offering the P2PE solution. This eliminates CHD from the environment for those processes and leaves the organization with only a few controls to meet for securing the devices and the process.
  • Tokenization is the process by which the service provider or processor returns a token to the organization that is not CHD but represents CHD. This is used in situations where an organization needs to charge a card repeatedly and would otherwise need to retain the payment card information. Instead of retaining the payment card information, the organization retains only the token and submits the token to the service provider or payment processor. If the tokens are compromised, there is very little risk of an attacker being able to turn a token back into CHD.
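To make the tokenization flow concrete, here is an added example (not nGuard’s code or any real processor’s API) that simulates the two sides: a processor-side vault that alone holds the PAN and issues random tokens, and a merchant record that stores only the token and last four digits for recurring charges. The `ProcessorVault` class, the `tok_` prefix and the test card number are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn check-digit test."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Simulated service provider. Only this side ever holds the PAN."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}   # token -> PAN, never leaves the processor

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        # Token is random, not derived from the PAN, so it cannot be reversed
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        """Charge the stored card; the merchant only ever sends the token."""
        if amount_cents <= 0 or token not in self._vault:
            return False
        return True   # here a real processor would submit the PAN to the network


@dataclass
class MerchantCustomerRecord:
    """What the merchant keeps: no PAN, so this store is not CHD."""
    customer_id: str
    token: str
    last4: str


def store_card(vault: ProcessorVault, customer_id: str, pan: str) -> MerchantCustomerRecord:
    """Hand the PAN to the processor once and keep only the token."""
    token = vault.tokenize(pan)
    return MerchantCustomerRecord(customer_id, token, pan[-4:])


def charge_recurring(vault: ProcessorVault, rec: MerchantCustomerRecord, amount_cents: int) -> bool:
    return vault.charge(rec.token, amount_cents)
```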

Outsourcing processes to 3rd-party service providers.

Although this may not be possible for all processes, some are easier to outsource than others. For example, payments over the web or mobile can often be outsourced easily, leaving the organization with minimal scope.

Eliminate processes that have little value but heavily increase the scope of the audit.

Organizations can often review their processes and determine that some, although they may have some value, don’t bring enough value to justify the cost of compliance for that process. The most common example is payments over the phone. Because payment cards are a modern form of payment, most people using payment cards also have the ability to use the Internet to make payments via web applications. This leaves many organizations with a very small percentage of customers who call in to make payments with a payment card. However, the cost of compliance for bringing the entire phone system, call recording system and Customer Service Reps’ workstations into scope can be substantial. For this reason, many organizations are choosing to eliminate that form of accepting payment cards and instead assist customers in making their payment via the available web application.

Consolidating processes to as few people, processes and systems as possible.

Many organizations have, over many years, added several processes that collect CHD. However, those processes are often not centrally managed, which leaves the organization with many systems and areas of the network that are in scope. This could include multiple databases or file systems that store CHD, as well as different types of technology collecting CHD. Consolidating all of these processes onto as few systems and devices as possible can heavily reduce scope for compliance. This would include:

  • Taking all web payments through the same payment application, even if the payments are for various services in various departments.
  • Ensuring all card-present transactions are conducted with the same Point-of-Sale devices and processors.

4. Understand Which Controls are Applicable.

Not all controls are applicable to every environment, and understanding which controls apply and which do not can save an organization a lot of time and effort. For example, if you’re able to segment and reduce scope enough that there are no wireless networks in your environment, then you wouldn’t be required to implement the wireless controls for your organization’s out-of-scope wireless network. Also, if you eliminate the storage of CHD, then an entire section of controls becomes N/A, since it deals with securing stored CHD.


5. Perform Pre-Audit or Gap Analysis.

This is the audit before the audit, and it should be performed by every organization that is attempting to become compliant for the first time. A QSA or IQSA should be used to review current scope, processes and controls and determine which controls are sufficient and which need improvement. This may be a multi-step process for many organizations, where each round brings the organization closer to compliance. However, performing a gap analysis and addressing the failures it uncovers almost always leads to a successful QSA audit that results in a passing Report on Compliance.

Filed Under: Compliance, General

© 2021 nGuard. All right reserved.