Critical national infrastructure entity criticized for poor cybersecurity practices by CISA
In a recent report, the United States Cybersecurity and Infrastructure Security Agency (CISA) has highlighted several common cybersecurity mistakes in critical infrastructure organizations. The report, which does not disclose the specific industry of the organization under investigation, reveals that it collaborated with the US Coast Guard (USCG) and its findings overlap with USCG Cyber Command's 2024 trends.
The probe uncovered a range of security weaknesses, including the insecure storage of local administrator credentials in plaintext scripts with identical, non-expiring passwords shared across many workstations. This practice increases the risk of widespread unauthorized access and facilitates lateral movement by attackers.
Improper network segmentation, particularly between IT and operational technology (OT) environments, allowed standard user accounts to access sensitive SCADA (Supervisory Control and Data Acquisition) systems. SCADA systems monitor critical infrastructure equipment, and unauthorized access to these systems poses real-world safety risks due to their control over vital physical processes such as sensors, valves, and communication technologies.
One of the most serious findings was the sharing of local admin accounts, which were protected by non-unique passwords stored in plaintext. If an attacker were to gain remote local admin access, they could create new accounts, install persistent malware, disable security features, or inject malicious code, potentially disrupting critical operations.
The report also highlighted the risks of insufficient logging, which can prevent the detection of malicious activity, hinder investigations, and make threat actors harder to track. The organization's lack of workstation logs was part of the reason CISA could not carry out as comprehensive a threat hunt as it would have liked.
CISA's recommendations emphasize not storing credentials in plaintext and instead using secure password vaults or managed service accounts, enforcing strict access controls, improving network segmentation between IT and OT environments, enhancing logging practices, and regularly auditing credential and device configurations. These mitigations align with NIST’s Cross-Sector Cybersecurity Performance Goals and aim to prevent compromises that could disrupt national critical infrastructure.
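The two credential findings above, plaintext passwords embedded in scripts and the same local admin password reused across many workstations, are the kind of thing a periodic audit of credential configurations is meant to catch. The following is an added example written for this article, not CISA's or the organization's own tooling; the regex, file names and script contents are constructed assumptions, and the scanner is a starting point rather than a complete detector.

```python
"""Audit scripts for plaintext credential assignments and flag any secret
value reused across several hosts' scripts (example code for this article;
the pattern set and sample scripts below are constructed assumptions)."""
import re
from collections import defaultdict

# Matches assignments such as  $AdminPassword = "x"  or  DB_PWD=x
# (assumed pattern set; extend with the credential styles your fleet uses).
CRED_RE = re.compile(
    r"""(?ix)
    (?P<key>\$?\w*(?:pass(?:word|wd)?|pwd|secret)\w*)   # e.g. $AdminPassword, DB_PWD
    \s*[=:]\s*
    ["']?(?P<value>[^"'\s;]+)
    """
)

# Constructed sample: three workstation setup scripts sharing one local admin
# password, plus one backup script with a different, single-use secret.
SAMPLE_SCRIPTS = {
    "ws01/setup.ps1": '$AdminPassword = "Summer2023!"\nnet user localadmin "$AdminPassword" /add\n',
    "ws02/setup.ps1": '$AdminPassword = "Summer2023!"\n',
    "ws03/setup.ps1": '$AdminPassword = "Summer2023!"\n',
    "ws04/backup.sh": "#!/bin/sh\nDB_PASSWORD=backup-only\n",
}


def find_plaintext_credentials(scripts):
    """scripts: {filename: text}. Returns [(filename, line_no, key, value)]
    for every plaintext credential assignment found."""
    hits = []
    for name, text in scripts.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in CRED_RE.finditer(line):
                hits.append((name, lineno, m.group("key"), m.group("value")))
    return hits


def shared_secrets(hits, min_files=2):
    """Group hits by secret value and keep values that appear in at least
    min_files distinct scripts: the 'identical password on many workstations'
    condition the report describes."""
    by_value = defaultdict(set)
    for name, _lineno, _key, value in hits:
        by_value[value].add(name)
    return {v: sorted(files) for v, files in by_value.items() if len(files) >= min_files}


if __name__ == "__main__":
    found = find_plaintext_credentials(SAMPLE_SCRIPTS)
    for name, lineno, key, _value in found:
        print(f"{name}:{lineno}: plaintext credential in {key}")
    for value, files in shared_secrets(found).items():
        print(f"secret reused across {len(files)} scripts: {', '.join(files)}")
```

Against a real fleet, point the same functions at the scripts collected from each workstation; any value that `shared_secrets` returns should be rotated to a unique, vaulted credential.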
It's important to note that CISA is known to break into federal agencies unannounced as part of red team exercises, or SILENTSHIELD assessments. In a previous exercise, CISA gained initial access to an unspecified federal agency's network using an unpatched critical vulnerability affecting its Oracle Solaris enclave. This led to a full compromise; the flaw was added to CISA's Known Exploited Vulnerabilities catalog, though only a week after CISA had used it to gain access.
The report also identified issues concerning the facility's HVAC systems, including improperly configured and insufficiently secured bastion hosts. When set properly, these bastion hosts prevent unauthorized access and lateral movement.
In summary, poor credential management, weak network segmentation, and insufficient security controls are key vulnerabilities in critical infrastructure cybersecurity, as identified by CISA. These vulnerabilities threaten operational continuity and public safety.
- The report issued by CISA reveals that the collaborative investigation with the USCG uncovered the common cybersecurity mistake of insecure storage of local administrator credentials in plaintext scripts, a practice that increases the risk of widespread unauthorized access.
- One of the security weaknesses discovered in the critical infrastructure organization was the sharing of local admin accounts, which were protected by non-unique passwords stored in plaintext, creating a severe risk if an attacker were to gain remote local admin access.
- The report underscores the importance of improving network segmentation, particularly between IT and operational technology (OT) environments, as improper segmentation allowed standard user accounts to access sensitive SCADA systems, posing real-world safety risks.
- CISA recommends the use of secure password vaults or managed service accounts, strict access controls, enhancing logging practices, and regularly auditing credential and device configurations to mitigate vulnerabilities in critical infrastructure cybersecurity.
- The report also emphasizes the significance of addressing issues concerning the facility's HVAC systems, including improperly configured and insufficiently secured bastion hosts, as these are crucial in preventing unauthorized access and lateral movement.