Cyber Security Threats: Watch Out for Watering Holes

Process engineer learns the right way to guard against vulnerability.

By Stephen Santee, Exitech


One recent Saturday, I took my four-year-old son to his soccer game. I sat in the stands with Kevin, the father of some of the other children. Kevin is a lead process engineer for a large chemical plant in Texas City, Texas. He stays extremely busy at the plant, and on this particular day he looked more exhausted than usual. Kevin explained that his family had been up since dawn volunteering at a charity event his company had sponsored. He mentioned that it was good exposure for his company, which is recognized for sponsoring events for this well-known charity.

As with most friends, Kevin and I always ask how work is going and what’s new. He proceeded to tell me about his company’s push for better cyber security. His firm already had installed firewalls to segment its production process networks and now was taking steps to establish an electronic perimeter around its production process assets, such as the distributed control system. At the moment the company was alerting its staff about the dangers of e-mail “phishing” attacks. I told Kevin that was “a good start” to driving all employees’ cyber security awareness. My comment piqued his curiosity. He asked what else a malicious person could do to gain access to the plant’s process networks and assets.

Phishing or “spear phishing” attacks have received a lot of attention over the past several years. Spear phishing is especially effective because these e-mails are directed to individuals about whom the attacker has some knowledge, such as the intended victim’s line of work, company or personal interests. Companies have started informing employees of the tactics used by attackers and, as a result, predators are beginning to use different methods, such as a watering hole attack.

“Watering hole” describes the method to deliver an attack. The attack might be an infected webpage intended to deliver malware, a link on the webpage designed to redirect the user to a compromised website, or free software that contains malicious code. The common goal is to obtain access to and compromise the victim’s workstation. Attackers prefer a workplace workstation but a compromised company laptop or home personal computer that is used to connect to a company network through a VPN [virtual private network] tunnel is just as good. After all, chances are the targeted user visits the same websites both at home and at work.
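The injected page described above usually shows up in the HTML as something the site owner never put there: an off-screen or zero-size iframe, or a script pulled from a host the page has no business loading. The following is an added example, not code from the article or from Exitech, of a small scanner that flags those two patterns. The page URL, the allowlist of trusted hosts, and the sample HTML (a charity page with one injected iframe) are all constructed for the demonstration.

```python
"""Added example (not from the article): flag common watering-hole injection
patterns in a fetched page: hidden iframes, and scripts loaded from a host
other than the page's own. SAMPLE_HTML and the host names are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectFinder(HTMLParser):
    """Collect every <iframe> and <script> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.elements = []  # list of (tag, attrs-dict) in document order

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            self.elements.append((tag, dict(attrs)))


def _is_hidden(attrs):
    """Classic drive-by tricks: display:none, 0/1 px frames, off-screen offsets."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        if (attrs.get(dim) or "").strip() in ("0", "1", "0px", "1px"):
            return True
    return "left:-" in style or "top:-" in style


def find_suspicious(html, page_url, allowed_hosts=()):
    """Return findings as (reason, tag, src) tuples, in document order.

    A hidden iframe is reported regardless of where it points; any other
    iframe or script is reported only when it loads from a third-party host
    that is not on the allowlist (relative URLs are first-party)."""
    own_host = urlparse(page_url).hostname
    parser = InjectFinder()
    parser.feed(html)
    findings = []
    for tag, attrs in parser.elements:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname if src else None
        third_party = host is not None and host != own_host and host not in allowed_hosts
        if tag == "iframe" and _is_hidden(attrs):
            findings.append(("hidden iframe", tag, src))
        elif third_party:
            findings.append(("third-party " + tag, tag, src))
    return findings


# Constructed sample: a sponsored charity's page with one injected,
# off-screen iframe pointing at an attacker-controlled host.
SAMPLE_HTML = """
<html><body>
<h1>Charity 5K</h1>
<script src="/js/site.js"></script>
<script src="https://cdn.example.org/jquery.js"></script>
<iframe src="http://bad-host.example/landing.php" width="0" height="0"
        style="position:absolute;left:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_HTML, "https://charity.example",
                           allowed_hosts=("cdn.example.org",))
    for reason, tag, src in hits:
        print(f"{reason}: <{tag} src={src!r}>")
```

Run it against the HTML you actually fetch (a scheduled fetch of the sites listed in the company newsletter is a cheap place to start); the allowlist keeps a known CDN from drowning the real finding. A clean result is not proof of a clean page, since injected code can also sit in an obfuscated inline script or be served only to some visitors, but a zero-size third-party iframe on a charity site is worth a phone call.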

Watering hole attackers rely on the intended target to come to them rather than phish for their victims. Predators stake out the watering hole, waiting for their prey to visit. Attackers can use a company’s newsletter or associations to identify potential watering holes. For example, Kevin’s company is known for sponsoring certain charities and proudly mentions this on its website and in newsletters and press releases. Charitable groups or non-profit organizations might not have the same stringent cyber-security controls in place as a chemical company. Even a company’s credit union could be a good watering hole stake-out: an online banking portal may boast “secure online banking” because of some security controls, but all it takes is a single vulnerability on one webpage, so these types of websites are prime watering holes.

For example, in January 2013, the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) learned of watering hole attacks against the Council on Foreign Relations and Capstone Turbine Corporation, in which attackers compromised those organizations’ websites with malware directed at visitors. ICS-CERT was concerned that sophisticated attackers could leverage this technique to target owners of critical infrastructure assets.

Kevin was intrigued by the idea of a watering hole attack and said he was glad there was a firewall between the business local area network and the process network. Unfortunately, I explained to my friend, most companies fail to properly identify and protect all their assets that may rank high as targets. A plant training simulator is a good example. Whether in the chemical, energy or nuclear industry, regulations that place stringent cyber-security controls on critical assets exclude most simulators. That’s why a simulator can be a perfect way for an attacker to gain the necessary knowledge of the plant to exploit critical assets. Although plant training simulators don’t directly connect to critical assets, they do contain valuable information; regrettably, they sometimes are maintained by the training group, corporate IT, a designated engineering group or an outsourced entity, all of which might not place adequate emphasis on cyber security.

Additional assets, whether regulated or unregulated, that often go unprotected are support systems such as heating/ventilating/air conditioning, electrical and fire suppression. As plants modernize, they often put such support systems on a network. If compromised, these systems could lead to safety risks or result in system shutdowns.

Now that I had explained to Kevin a particular attack method and potential targets, it was time to describe the solution — a holistic approach to cyber security. Understanding new ideas or concepts can be difficult for companies and their employees. The problem is compounded when the concepts are introduced with little or no guidance.

A site cyber-security assessment is a great starting point for any company to begin taking a holistic approach to cyber security. The scope of the evaluation can range from a particular process network with limited assets to an entire site with multiple process networks. A thorough site assessment will focus on all aspects of the company’s security posture and emphasize security best practices. The following are some high-level areas that a site assessment should examine:

• Security policies and procedures. These are the documents that govern the corporate and industrial environment. They need review for thoroughness and possible gaps.
