
Detect Water Utility Cyberattacks with LogRhythm SIEM

  • Feb 20, 2021
  • Ashok Chokalingam
  • 5 minutes to read


    The need for water critical infrastructure (CI) cybersecurity has become a growing concern as a recent cyberattack has made national headlines. On February 8, 2021, a hacker modified chemicals in a water treatment plant in Oldsmar, Florida.

    During a press conference covering the incident, Pinellas County Sheriff, Bob Gualtieri, explained the cyberattack in more detail:

     “The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million. This is obviously a significant and potentially dangerous increase. Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners. It’s also used to control water acidity and remove metals from drinking water in the water treatment plants.”

    After the hacker increased the chemical levels, a plant operator noticed immediately and mitigated the risk before serious damage could occur to the public’s health and safety. We have witnessed similar cyberattacks on water systems for decades now.

    In 2001, a cyberattack on a waste-management system in Australia caused untreated sewage to leak into rivers, parks, and surrounding neighborhoods. As a result, rivers were contaminated, marine life died, and residents had to deal with unsanitary living conditions.

    The incidents in Florida and Australia are just two examples of how cyberattacks on public water systems have been used in warfare and cyberterrorism throughout history.

    Water Treatment Plant and Critical Infrastructure Cybersecurity

    Security risks with water utilities are a growing concern. Our dependency on safe water makes water a critical infrastructure — an asset that is essential to the nation’s livelihood and crucial to protect. Our health, energy, agriculture, and emergency services are just some examples of infrastructures that rely on safe water.

    In this blog, we will show you how an operational technology (OT) security operations center (SOC) team uses real-time monitoring for cyberthreat detection to quickly detect, locate, and shut down contaminated water pipes during a security or operational incident at a water treatment plant.

    Potential Threats to Water Critical Infrastructure

    Threat actors can attack water at its source, treatment plant, storage facility, or distribution center. In this example, the potential target is a treatment plant that administers chemicals like chlorine into the water to kill bacteria to make the water safe to drink.

    The treatment plant uses supervisory control and data acquisition (SCADA) systems to monitor and control all of its processes from a central location. If an attacker gained access to the plant’s SCADA network, they could shut down its systems or degrade the quality of the water running through the pipes.

    Cyberthreat Detection: How to Detect SCADA Network Security Threats

    Analyzers are placed in the treatment plant’s water distribution pipes to measure the quality of its water and chlorine levels. This data is delivered back to the security team and recorded in a software program called Data Historian.

    Data Historian records the treatment plant’s production and process data over time, storing both analog and digital readings such as water flow rate, valve position, temperature, and pressure.

    To effectively observe, collect, and analyze the data from Data Historian in one interface, the team uses LogRhythm SIEM. By using SIEM software for threat detection and response, the team can monitor its entire SCADA network in real time to quickly detect and respond to any changes in the quality of water running in the pipes — signs of a potential attack.

    Real-Time Monitoring of SCADA Network

    The LogRhythm SIEM dashboard gives operators visibility to the entire water treatment plant’s SCADA network. Several dashboard widgets help the team quickly detect any changes in the system’s normal traffic and allow for immediate drill-down.

    Trend Range Widgets

    Trend range widgets identify any deviations from the acceptable ranges for drinking water during a specific period. The normal range for chlorine administered in drinking water is between 0.1 and 0.4 parts per million (PPM), and the pH level should be between seven and nine. Anything outside the normal ranges could be a sign of an operational problem or a security attack.

    The visualization below of a chlorine indication trend range widget shows a significant drop in traffic between 7:25 and 7:30. During this time, the controllers received no traffic data from the analyzers. An intrusion that obstructed the analyzers could have caused the dip; therefore, this indication warrants further investigation.

    Below, a chlorine indication level trend range widget shows a spike in chlorine levels outside the acceptable drinking range of 0.01–0.4 ppm. This requires immediate attention: the pipes carrying the affected water should be located and shut down.

    Range Drill-Down

    A range drill-down provides a more in-depth look into the abnormalities found in the normal trend range. The below drill-down identifies the affected pipes and their exact location so the team can shut them down.

    In this case, the security team used real-time monitoring to quickly detect and locate pipes carrying unsafe drinking water.

    Remote Terminal Units and Programmable Logic Controllers

    A water treatment plant has multiple field locations in addition to a central station. By using a supervisory control and data acquisition (SCADA) system, the plant’s security team monitors and controls processes at any of its remote locations from the master station.

    The devices that interface with equipment in the field, giving the security team visibility into and control over operational processes at any location, are called remote terminal units (RTUs) or programmable logic controllers (PLCs).

    RTUs and PLCs can control some of the equipment’s physical processes, send status data on those processes back to the treatment plant’s master server, and alert the security team to any operational or security issues.

    Below is an example of what a typical SCADA system looks like and how RTUs and PLCs fit in.

    Vulnerability of Remote Terminal Units and Programmable Logic Controllers

    Connecting RTUs and PLCs to a network makes the water critical infrastructure plant’s remote locations vulnerable targets for a cyberattack. If an attacker gained access to an RTU or PLC, they could reprogram the unit to change the data sent back to the master server, disguising any abnormal changes in the water or the system. An attacker could also alter the process operations controlled by the remote units without alerting the security team.

    Any of these scenarios could have dangerous implications on the treatment plant’s water. In addition to creating alarms that help the team protect access and control of the SCADA systems, automated analysis and correlation of activity in the network can help detect threats at remote locations.

    Using LogRhythm SIEM’s AI Engine to Trigger Alarms

    Correlating a security event with a physical process change is critical for advanced threat detection. A security event in the industrial control network could be reconnaissance, a change in network behavior, a change in operator or engineering user behavior, detected or failed malware, a web-based attack targeting a human machine interface (HMI), a man-in-the-middle attack, and so on.

    In this scenario, the team received an alert of an RTU intrusion followed by an abnormal increase in the plant’s chlorine levels. Together, the security event and change in chlorine levels are possible signs of an attack at one of the treatment plant’s remote locations.

    To correlate these two events, the team uses our AI engine that’s integrated with LogRhythm SIEM. Our AI engine delivers real-time visibility to risks and operational issues that can help the plant’s team correlate activities at all the plant’s locations.

    Below, the team uses the drag-and-drop rule wizard to create a correlation rule that triggers an alarm if the above scenario occurs.

    1. Create a rule block that looks at RTU intrusion detection:

    2. Create a rule block that looks at chlorine indication level changes:

    Figure 8: A rule block looks at chlorine indication level changes

    3. When both conditions are met, an alarm triggers:

    4. Alarm drill-down

    The team drills down to investigate the alarm further and can quickly find the exact location of the affected RTU and the root cause of the issue.
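    The checks described above (the trend range widgets and the two-block correlation rule) expressed as plain Python, as an added illustration that is not part of the original post and not LogRhythm’s own rule engine. The historian readings and the RTU intrusion event are constructed sample data; the chlorine and pH bands are the ones the post gives, and the RTU, pipe and tag names are assumed.

```python
from datetime import datetime, timedelta

# Acceptable ranges from the post: chlorine 0.1-0.4 ppm, pH 7-9.
RANGES = {"chlorine_ppm": (0.1, 0.4), "ph": (7.0, 9.0)}

# Constructed historian readings: (timestamp, rtu, pipe, tag, value).
# The 07:25-07:31 silence and the 07:35 chlorine spike are made up to
# mirror the two widgets described in the post.
READINGS = [
    ("2021-02-08 07:20:00", "rtu-07", "pipe-12", "chlorine_ppm", 0.30),
    ("2021-02-08 07:24:00", "rtu-07", "pipe-12", "ph", 7.8),
    ("2021-02-08 07:25:00", "rtu-07", "pipe-12", "chlorine_ppm", 0.31),
    ("2021-02-08 07:31:00", "rtu-07", "pipe-12", "chlorine_ppm", 0.29),
    ("2021-02-08 07:35:00", "rtu-07", "pipe-12", "chlorine_ppm", 0.95),
    ("2021-02-08 07:36:00", "rtu-03", "pipe-04", "chlorine_ppm", 0.25),
]
# Constructed security event from RTU monitoring: (timestamp, rtu, name).
EVENTS = [("2021-02-08 07:33:00", "rtu-07", "RTU intrusion detected")]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def range_violations(readings):
    """Trend-range check: readings outside the acceptable band for their tag."""
    out = []
    for t, rtu, pipe, tag, value in readings:
        lo, hi = RANGES[tag]
        if not lo <= value <= hi:
            out.append((ts(t), rtu, pipe, tag, value))
    return out


def traffic_gaps(readings, max_gap=timedelta(minutes=5)):
    """Silent-analyzer check: gaps between consecutive readings longer than max_gap."""
    times = sorted(ts(r[0]) for r in readings)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]


def correlate(events, violations, window=timedelta(minutes=10)):
    """Rule-block correlation: an intrusion on an RTU followed within `window`
    by a chlorine excursion reported through the same RTU raises an alarm."""
    alarms = []
    for et, rtu, name in events:
        start = ts(et)
        for vt, vrtu, pipe, tag, value in violations:
            if vrtu == rtu and tag == "chlorine_ppm" and start <= vt <= start + window:
                alarms.append({"rtu": rtu, "pipe": pipe, "event": name,
                               "chlorine_ppm": value, "at": vt.isoformat()})
    return alarms
```

Running `correlate(EVENTS, range_violations(READINGS))` on the sample data yields one alarm naming rtu-07 and pipe-12, which is the drill-down result the post describes; `traffic_gaps(READINGS)` flags the six-minute silence.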

    With the AI Engine rule, OT SOC teams can develop an advanced correlation without any programming or scripting language, facilitating cybersecurity threat detection at any location and protecting water critical infrastructure.

    Protecting the Nation’s Water Critical Infrastructure With Exabeam’s Advanced Threat Detection

    Cyberattacks on water systems are terrifying scenarios that can have significant impacts on public and economic health.

    With LogRhythm SIEM, the treatment plant’s security team has the visibility and security analytics it needs to monitor the entire network and detect dangerous drinking water before it reaches the public.

    If you’re ready to see what Exabeam’s LogRhythm SIEM platform can do to facilitate your own threat detection and response, contact our team and let’s talk about your security needs and how we can help.

    We’re proud to aid organizations, including those managing water critical infrastructure, around the globe to reduce cyber and operational risk by rapidly detecting, responding to, and neutralizing damaging cyberthreats.

    Ashok Chokalingam

    Sales Engineer Manager | Exabeam | Ashok Chokalingam has over 20 years of experience in cybersecurity, specializing in threat hunting, cloud security, Kubernetes security, and ICS/SCADA. He oversees technical strategy, ensuring customer success by delivering tailored solutions. Ashok also focuses on guiding his team to ensure their continued success in delivering high-quality results. He supports sales and channel efforts to meet customer needs. His experience and skills help create secure environments across various industries. In his free time, he writes cybersecurity blogs and enjoys playing football.
