On March 20, 2024, Ars Technica reported that "disabling cyberattacks" are hitting critical US water systems, according to warnings from the White House. The Biden administration is rallying the nation's governors to secure their water and wastewater facilities against these cyberattacks from hostile foreign countries. This article will help you plan and execute a cybersecurity fire drill exercise based on this real-world incident.
Who Is This For?
This cybersecurity fire drill exercise is relevant for:
- Water utilities and wastewater treatment plants
- Municipalities and local governments
- IT and OT security teams
- Incident response teams
- Executive leadership and boards overseeing critical infrastructure
Simulation Start Points
Choosing an interesting starting point is crucial for an engaging cybersecurity fire drill exercise. Here are some ideas:
- Unusual network traffic: Your IT team notices strange network activity between the SCADA system and external IP addresses. Logs show connections to unfamiliar domains.
- Anomalous valve behavior: A plant operator sees that valves are opening and closing erratically without human input. Chemical levels are fluctuating outside normal ranges.
- Locked-out HMI: Engineers can no longer log into the human-machine interface (HMI) to make changes. The password has been changed and remote access is disabled.
- Ransom note: You receive an email from a strange address claiming they have full control of your industrial control systems. They demand a large bitcoin payment to avoid shutdowns.
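To give the facilitator something concrete to hand the technical players at the first two start points (unusual egress from the SCADA segment, and valves moving without an operator command while chemical levels drift), here is an added triage script. It is example code written for this article, not part of the original post or of any utility's tooling; every host name, IP address, domain, tag name, timestamp, reading and safety band in it is constructed for the exercise, and the OT address range and allowlisted domains are assumptions the facilitator would replace with the plant's own.

```python
"""Triage helpers for two simulation start points: suspicious SCADA egress and
unattributed process changes. All data below is constructed for the drill."""
import ipaddress
from datetime import datetime, timedelta

# Assumption: the plant's OT network lives in this private range, and the only
# sanctioned external destinations are the vendor support and time hosts.
OT_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]
KNOWN_DOMAINS = {"vendor-support.example", "ntp.example"}

# Constructed egress log: time, source host, destination IP, resolved domain ("-" if none).
EGRESS_LOG = """\
2024-03-20T02:14:05 scada-hist01 10.50.3.20 historian.plant.local
2024-03-20T02:14:09 scada-hmi02 203.0.113.45 update-cdn.example
2024-03-20T02:15:31 scada-hmi02 198.51.100.7 -
2024-03-20T02:16:02 eng-ws07 10.50.3.20 historian.plant.local
2024-03-20T02:17:44 scada-plc-gw 203.0.113.45 update-cdn.example
"""

# Constructed HMI command audit trail: (time, tag, operator).
OPERATOR_COMMANDS = [("2024-03-20T02:10:00", "V-101", "jsmith")]
# Constructed valve telemetry: (time, tag, new state).
VALVE_EVENTS = [
    ("2024-03-20T02:10:02", "V-101", "OPEN"),
    ("2024-03-20T02:15:40", "V-101", "CLOSED"),
    ("2024-03-20T02:15:55", "V-101", "OPEN"),
    ("2024-03-20T02:16:10", "V-101", "CLOSED"),
]
# Constructed chlorine residual readings in mg/L; the safe band is an assumed value.
CHLORINE_MGL = [("2024-03-20T02:14:00", 1.2), ("2024-03-20T02:16:00", 5.8), ("2024-03-20T02:18:00", 0.1)]
SAFE_BAND = (0.5, 4.0)
COMMAND_WINDOW = timedelta(seconds=30)  # how long after a command a state change is expected


def suspicious_egress(log_text):
    """Return (host, dest_ip, domain) for connections that leave the OT ranges
    and go somewhere not on the known-domain allowlist."""
    findings = []
    for line in log_text.splitlines():
        _ts, host, ip, domain = line.split()
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in OT_NETWORKS):
            continue  # stays inside the plant: expected traffic
        if domain in KNOWN_DOMAINS:
            continue  # sanctioned external destination
        findings.append((host, ip, domain))
    return findings


def _t(s):
    return datetime.fromisoformat(s)


def unattributed_valve_changes(events, commands, window=COMMAND_WINDOW):
    """Valve state changes with no operator command on the same tag within
    `window` before the change; these are the 'no human input' cases."""
    out = []
    for ev_time, tag, state in events:
        t = _t(ev_time)
        attributed = any(
            c_tag == tag and timedelta(0) <= t - _t(c_time) <= window
            for c_time, c_tag, _operator in commands
        )
        if not attributed:
            out.append((ev_time, tag, state))
    return out


def out_of_band_readings(readings, band=SAFE_BAND):
    """Readings outside the assumed safe band, in the order they were logged."""
    lo, hi = band
    return [(ts, v) for ts, v in readings if not lo <= v <= hi]


def triage():
    """Run all three checks over the constructed data and group the findings."""
    return {
        "egress": suspicious_egress(EGRESS_LOG),
        "valves": unattributed_valve_changes(VALVE_EVENTS, OPERATOR_COMMANDS),
        "chlorine": out_of_band_readings(CHLORINE_MGL),
    }


if __name__ == "__main__":
    for kind, items in triage().items():
        for item in items:
            print(f"[{kind}] {item}")
```

Running it prints three external connections from HMI and PLC-gateway hosts that match neither the OT range nor the allowlist, three valve transitions on V-101 with no command in the preceding 30 seconds, and two chlorine readings outside the band. In the drill, those three lists are the evidence the Detection and Analysis phase should be working from; the point of the exercise is whether the team can scope the incident from them, not the script itself.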
Cybersecurity Fire Drill Simulation Phases
Walk through each phase of your incident response process during the exercise:
Detection and Analysis
- Identify initial signs of compromise
- Investigate anomalous activity to determine scope of incident
- Analyze malware and exploited vulnerabilities
Containment
- Isolate impacted systems to prevent further spread
- Implement firewall rules to block malicious IPs and domains
- Change passwords and disable compromised accounts
Eradication
- Remove malware and backdoors from infected systems
- Patch critical vulnerabilities enabling the attack
- Harden weak security configurations
Recovery
- Carefully bring water treatment processes back online
- Monitor closely for signs of re-infection
- Communicate status to public and stakeholders
Post-Incident Activity
- Conduct a formal lessons learned review
- Identify areas for improvement in detection and response
- Implement fixes and new mitigations to improve security posture
Inject Ideas
Use injects to make your cybersecurity fire drill exercise more interesting and challenging:
- News breaks that neighboring water utilities were also hacked, implying a coordinated campaign
- The attacker contacts local media, claiming they still have access and threatening public safety
- A zero-day vulnerability is found in your PLCs with no patch available
- A key incident responder becomes unavailable due to a family emergency
MITRE ATT&CK Techniques
Consider how the following ATT&CK techniques may have been used in this attack:
- Valid Accounts (T1078): Attackers likely used compromised legitimate credentials, such as stolen passwords or session tokens, to gain initial access.
- Remote Services (T1021): Attackers often abuse remote services like RDP and SSH to log in with those credentials and move laterally through the victim's environment.
- Modify Control Logic (T0833): Adversaries altered PLC code to sabotage the water treatment process and drive it into unsafe states.
- Denial of Control (T0813): Changing passwords and disabling operator access to the HMI constitutes denial of control over physical processes.
About ChaosTrack
The ChaosTrack platform enables you to run cyber crisis simulation exercises in 85% less time and for 90% less money. These simulations are critical for building readiness and resilience against real-world incidents like what happened to US water utilities. ChaosTrack streamlines exercise planning, execution, and reporting so you can stress test your team more frequently and effectively. Visit chaostrack.com/book-a-demo/ to see how it can help you.
Get a FREE Trial
ChaosTrack is a platform that combines the best of tabletops and trainings to run ripped-from-the-headlines cybersecurity fire drills against your whole company.