Learnings from the South Staffordshire Water Cyberattack

Chris Deverill, UK Director, Orange Cyberdefense, discusses the recent attack on South Staffordshire Water’s corporate IT network and offers advice on putting protections in place.

In another attack on critical national infrastructure (CNI), a third party was able to access South Staffordshire Water’s corporate IT network without authorisation.

South Staffordshire Water confirmed that it had fallen victim to a cyberattack in a statement on 15 August, claiming that hackers had accessed its IT network. Fortunately, the attack only resulted in internal disruption rather than posing a risk to the supply of safe drinking water to its 1.3 million customers across South Staffordshire and Cambridge.

It was soon revealed that Cl0p, a malicious group known for targeting industrial businesses, was responsible for this attack. However, the group suffered initial confusion over who the target of its cyberattack was, first reporting that it had targeted Thames Water with a message claiming that it had accessed 5TB of the company’s data, including passport scans, drivers’ licences and photos of its SCADA systems.

It began publishing a sample of the stolen data to its leak website after it said that negotiations broke down, which isn’t surprising considering it was negotiating with the wrong business. Researchers were later able to identify the true victim as South Staffordshire Water by analysing a list of leaked usernames and passwords.

Unusually, while some data was published on the dark web, the criminal gang confirmed that it had decided not to encrypt it, as it typically doesn’t target critical infrastructure or healthcare companies. Instead, it used this attack as a lesson or warning to show the water company that its data was accessible to malicious actors. This was fortunate for South Staffordshire Water: with access to its SCADA systems, the software that controls and monitors the water management process at treatment plants, Cl0p could have altered the water’s chemical makeup, making it unsafe to drink.

Had Cl0p not been as lenient, or if the company is targeted in the future by a more malicious group that does decide to encrypt its data and impact its ability to supply safe water, the effects of a cyberattack would be far more damaging. In this sector, failing to have a robust cybersecurity strategy could be fatal.

The Critical Threat

This cyberattack drives home the fact that CNI remains a popular target for malicious actors. While all industry sectors are under threat, the situation for CNI operators is exacerbated given the devastating impacts downtime and delays can have.

While some groups, like Cl0p, choose not to target industries such as healthcare, this isn’t the case for all of them. In fact, at the beginning of August, a software outage impacting the NHS 111 service was confirmed to be a cyberattack, and one that will likely take a month to fully recover from. Although the NHS said that there was very little disruption, cybercriminals had access to appointment booking, emergency prescription and referral booking systems, and the ambulance dispatch service.

The South Staffordshire Water attack is the latest in a succession of similar breaches targeting CNI operators such as Colonial Pipeline in the US, as well as Mabanaft and Oiltanking Deutschland in Europe. The fact that this attack is clearly not a one-off proves that businesses operating in the energy, communications, engineering, transport, healthcare and utilities sectors need to remain vigilant.

Putting Protections in Place

CNI companies like South Staffordshire Water and the NHS are not only targets for cyberattackers because of the potential disruption that can be caused by an outage or encrypted data, but because they often don’t have the correct cybersecurity measures in place.

Therefore, South Staffordshire Water and other organisations responsible for the security of our CNI need to ensure they have a defence-in-depth approach to cybersecurity that harnesses end-to-end security tools to address their specific challenges. This includes adopting processes to ensure they can maintain operational resilience and ‘business as usual’ in the face of an attack, as South Staffordshire Water was fortunate to be able to do in this instance.

Importantly, while defence-in-depth harnesses the power of security technology across all IT systems, it must be supplemented by investment in both people and process to enable round-the-clock cyber-resilience. It isn’t clear how Cl0p was able to access the water company’s systems in this case, but employees are often the door cybercriminals use to bypass security defences, given the part that human error and a lack of education play in people’s susceptibility to phishing attacks.

As the threats facing them evolve and multiply, and malicious actors become less forgiving and more targeted, CNI businesses need to do more to defend against them. While the attack suffered by South Staffordshire Water could potentially have had far more devastating consequences, the company seems to have got away lightly this time. However, there’s no guarantee that it won’t be targeted again. It is critical that the industry responds to the cyberthreat it faces, as the actions of cyber gangs don’t appear to be slowing down any time soon.

By Chris Deverill, UK Director, Orange Cyberdefense.
