CISA this week issued a Fact Sheet “8 Top Cyber Actions for Securing Water Systems” giving a set of “do it now” practical actions for securing water and wastewater systems. Let’s unpack the first one, “Reduce Exposure to the Public-Facing Internet”.
8 Top Cyber Actions for Securing Water Systems
Spoiler, the list is below. You should still read the Fact Sheet “Top Cyber Actions for Securing Water Systems”
- Reduce Exposure to the Public-Facing Internet
- Conduct Regular Cybersecurity Assessments
- Change Default Passwords Immediately
- Conduct an Inventory of Operational Technology/Information Technology Assets
- Develop and Exercise Cybersecurity Incident Response and Recovery Plans
- Backup Operational Technology AND Information Technology Systems
- Reduce Exposure to Vulnerabilities
- Conduct Cybersecurity Awareness Training
OK, after reading, not a lot of controversy there, nothing I would argue to not do. The nuance I wanted to discuss in this post is the word Exposure in the first one (Reduce Exposure to the Public-Facing Internet). That could mean many things:
- Inbound open ports (DMZ etc)
- Inbound VPN access
- Outbound proxy-enabled access
- Singular services (e.g. DNS, NTP)
- Operational monitoring such as alarms, SMS gateways
- Software updates, even if a network diode is present or an air gap
- Outbound access for e.g. posting stats, license managers
- Cross-over, e.g. user laptop on corporate network has web access, laptop is moved to operational technology network periodically
Upcoming Webinar!
See the webinar “Securing Wastewater Remote Connectivity with Segmentation and Zero Trust” for a practioner’s view on the challenges and solutions.
For the first one, this is where I recommend heading to everyone’s favourite tool, shodan.io. A couple of queries to get started, your public IP, part of your company name. What do you see? If you see Remote Desktop, VNC, stop, contact me now! High risk, simple solution. Do you see a bunch of items thate are more of a grey area like certificates on someone else’s IP ranges? Hmm. Do you see inbound IP+Port access to anything? Contact me, we can make that go away without operational impact.
On the topics of certificates, now that you’ve come up from the rabbit hole of Shodan, lets try crt.sh. Enter part of your company name. This will now show you all the the Certificates that have been issued. Look for a couple of key weakness:
- wildcard. Has someone made a *.yourdomain? Stop! contact me. This is fixable easily. If *anyone* gets control of the key associated with this, they can spearphish you, spoof your email, raid your fridge, you name it, its an open key. You want to limit the blast radius, one certiicate, one resource
- long duration. Certificates should be less than 90 days of lifetime.
- Similar names. This could be spearphishing. To do this, mispell your name a bit, see if there are certificates issued. (e.g. use a 1 instead of an I, or look for .co instead of .com).
The CISA Fact Sheet “8 Top Cyber Actions for Securing Water Systems” gives some great, simple, guidance for todo-now tasks. If you are struggling with understanding ‘Exposure’ and want to discuss Zero Trust, and specifically, how the Agilicus Connector can remove this requirement without altering your operations, contact me.