Here's How To Fend Off DDoS Attacks – An Insidious Form Of Cyber-Vandalism

Water and wastewater facilities are increasingly threatened by an insidious form of cyber attack. Here’s some advice on how to prepare for and fight off the threat.
Michael Bennett


Malicious computer hackers are everywhere and any entity with a network exposed to the Internet can be vulnerable. That includes water and wastewater facilities.

Recent years have seen growth in distributed denial of service (DDoS) attacks on networks. In the simplest terms, a DDoS attack floods an organization’s network with extraneous data so that it can no longer perform its functions. As a result, essential services can be shut down.

Should you consider DDoS attacks a serious threat? Well, the U.S. EPA includes such attacks in its list of cyberattacks to which water and wastewater systems can be susceptible. And data from the Repository for Industrial Security Incidents shows that such systems face a growing number of cyberattacks: the industry has seen a 60 percent increase in cyber incidents in recent years. These can include attacks on SCADA systems that control water and wastewater treatment and other utility functions.

Michael Bennett of the Security Compass information security firm believes DDoS attacks are a significant threat for which water and wastewater facilities must prepare. Bennett is lead developer for the company’s DDoS Strike, a simulation service that tests network and Web application vulnerability to DDoS attacks. He talked about the threat in an interview with Treatment Plant Operator.

TPO: What exactly is a DDoS attack?

Bennett: A DDoS attack occurs when a malicious user employs botnets of virus-infected computers or other means to generate huge volumes of traffic to a targeted computer network. The goal is to exhaust the resources of the network, overwhelming it with so much data that it can’t process legitimate data.

TPO: Is there a simple analogy that helps explain how these attacks work?

Bennett: You could think in terms of a water filtration system. Water comes in, the filter removes particles and chemicals, and out comes clean water at the end. If you suddenly flood that filter with an excess of clean water, it won’t be able to process the flow. The filter becomes overwhelmed and can’t process the water it should be processing. In this case the excess clean water represents the bogus network traffic sent by a malicious user in a DDoS attack.

TPO: What is the effect of such an attack?

Bennett: The main goal of a DDoS attack is to force an infrastructure to shut down. It would cause a disruption in the internal network so that devices can’t communicate as they should. It could disrupt control systems like SCADA and PLCs. This could render a water or wastewater treatment facility unable to perform its essential functions.

TPO: Why is this threat a timely concern for water and wastewater facilities?

Bennett: Treatment facilities used to have closed systems and there was no access to their networks from the outside. In recent years, more such facilities have been connecting their internal networks to external networks, such as the Internet. They typically require authentication for access, so some security is in place. But if a malicious user can send traffic to the network, that network still needs to process it in some way.

TPO: Are there examples of DDoS attacks happening to facilities in the water sector?

Bennett: A utility in the southeastern U.S. has an online payment system. A DDoS attack basically brought that system down, so customers were not able to pay their bills. That would cause a lot of panic for customers who may need to pay their bills to keep their service going. The entire networking staff was overwhelmed trying to mitigate the attack. [The utility suspended shut-offs for nonpayment during the attack.]

TPO: Who actually launches these kinds of attacks?

Bennett: They range from lone hackers who operate out of malice or to prove a point, to organized crime figures who may participate for some personal gain, to activist groups who may institute attacks as a sort of patriotic act. Activist groups from foreign countries who want to disrupt U.S. services might target treatment facilities just because they know that’s part of our country’s core infrastructure. Recently we’ve seen cases of extortion, where a malicious group tries to extract money by threatening to take down or disrupt an organization’s service.

One issue with DDoS attacks is that the barrier to entry is very low. There are toolkits people can purchase on the black market that give them access to botnets that can contain millions of zombie servers, all infected with a virus. Those servers connect back to a command and control server that can issue commands to them to launch an attack. Hackers have created toolkits that can interface with command and control servers, allowing people with very little knowledge of computers to perform a DDoS attack. They can basically enter a target, click a button and launch an attack. This is all done for $50 to $100.

TPO: What are the remedies for DDoS attacks? What should water and wastewater agencies be doing to protect themselves?

Bennett: One of the main things they should do is plan. Water and wastewater facilities are being targeted more and more in recent years. It’s easier for hackers to launch a successful attack against an organization that has never experienced it before and has not planned for it. If you’ve never experienced a DDoS attack and you’re worried that you might be a target, setting up defenses beforehand will definitely help reduce the time it takes to mitigate an attack.

TPO: What exactly is involved in planning against an attack?

Bennett: It depends on what kind of network operations the organization currently has. A good strategy is always to be prepared — to know who to contact when an attack happens, who should be alerted and what actions they should take during the attack to mitigate it.

TPO: What remedies are available to smaller organizations, like water and wastewater utilities, that may not have substantial IT resources and staff?

Bennett: An organization that lacks the resources to mitigate an attack on its own can reach out to a cloud-based service. Several companies specialize in mitigating DDoS attacks and provide emergency DDoS services. The service provider will help the facility’s employees reroute network traffic to its servers, which will scrub all the data so that only legitimate traffic is sent to the client’s systems.

TPO: How can a utility tell if it is under a DDoS attack?

Bennett: An organization should have some type of network monitoring in place and should record baselines of what normal network traffic looks like. If an organization is used to seeing 100 to 1,000 connections per day and suddenly gets 100,000 per second, that’s a huge sign. We see network throughput in some attacks averaging one to 50 gigabytes per second, which is more data than many organizations’ networks can handle.
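To make the baseline comparison described above concrete, here is an added example of the detection logic a utility's network staff might run over connection logs. It is not code from the interview or from Security Compass; the log format (one line per accepted connection, `<ISO-8601 timestamp> <source_ip> -> <destination_ip>:<port>`), the recorded baseline of 1,000 connections per day, the alert multiplier and floor, and the sample log itself are all constructed for illustration.

```python
"""
Baseline-driven connection-rate alerting (added example, not from the interview).

Assumes a constructed log format with one line per accepted connection:
    <ISO-8601 timestamp> <source_ip> -> <destination_ip>:<port>
and a previously recorded baseline of roughly 1,000 connections per day (assumed),
the upper end of the "100 to 1,000 connections per day" figure quoted above.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BASELINE_CONNECTIONS_PER_DAY = 1000   # assumed figure from the utility's own baseline records
SPIKE_MULTIPLIER = 100.0              # alert when one second carries 100x the baseline rate...
ABSOLUTE_FLOOR = 50                   # ...and at least this many connections (suppresses noise)


def parse_line(line):
    """Split one constructed log line into (timestamp, source_ip, destination)."""
    ts_str, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts_str), src, dst


def baseline_per_second(per_day):
    """Convert a per-day baseline into the average connection rate per second."""
    return per_day / 86400.0


def alert_threshold(per_day=BASELINE_CONNECTIONS_PER_DAY,
                    multiplier=SPIKE_MULTIPLIER, floor=ABSOLUTE_FLOOR):
    """Connections within a single second above this value trigger an alert.
    With 1,000/day the pure multiplier would fire on ~2 connections, so the
    absolute floor keeps ordinary bursts from paging anyone."""
    return max(baseline_per_second(per_day) * multiplier, floor)


def detect_floods(lines, threshold=None):
    """Return [(second, connection_count, distinct_sources)] for every second whose
    connection count exceeds the threshold. distinct_sources distinguishes a
    distributed flood (many sources) from a single misbehaving client."""
    if threshold is None:
        threshold = alert_threshold()
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        ts, src, _dst = parse_line(line)
        second = ts.replace(microsecond=0)
        counts[second] += 1
        sources[second].add(src)
    return sorted((sec, n, len(sources[sec]))
                  for sec, n in counts.items() if n > threshold)


def build_sample_log():
    """Constructed sample: normal traffic spread over a minute, followed by one
    second carrying 200 connections from 200 distinct addresses. All addresses
    come from RFC 5737 documentation ranges, so nothing here is a real host."""
    start = datetime(2016, 3, 1, 2, 0, 0)
    lines = []
    # Normal: one connection every five seconds from a handful of known hosts.
    for i in range(12):
        ts = start + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.{i % 4 + 10} -> 192.0.2.20:443")
    # Flood: 200 connections in the same second, each from a different source.
    flood_ts = start + timedelta(minutes=1)
    for i in range(200):
        lines.append(f"{flood_ts.isoformat()} 203.0.113.{i + 1} -> 192.0.2.20:443")
    return lines


if __name__ == "__main__":
    for second, count, distinct in detect_floods(build_sample_log()):
        print(f"ALERT {second.isoformat()}: {count} connections "
              f"from {distinct} distinct sources (threshold {alert_threshold():.0f})")
```

The distinct-source count is what separates the scenario Bennett describes (a botnet of many compromised machines) from a single stuck client retrying in a loop; a real deployment would feed the same per-second counts into whatever monitoring system already records the baseline rather than keeping them in a dictionary.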

TPO: What is the role of DDoS attack simulation testing?

Bennett: Organizations will contact a company like ours and say they want to verify whether their network configuration can withstand a DDoS attack. We do a “black box” reconnaissance of their network. That means we don’t use any inside knowledge of their network — we approach it with the same tools and knowledge any attacker would have. It really gives us and the client a complete view of what is public facing on their network and what could potentially be attacked.

We identify the more susceptible targets and then arrange a test on a weekend or overnight to avoid disrupting normal traffic. We actually perform a controlled DDoS attack on their system. We can vary the strength of the attack and the frequency, and we can stop it at any time.

TPO: What is done with the information collected through testing?

Bennett: We gather statistics on the attack and our observations of the network — whether things were taken down or slowed down and how effective our attack actually was. We generate a report and walk the client through it in detail. Usually, we set up a meeting with their network engineers, go over what they saw on their side and compare it with our data to see if things match up. From there we come up with an action plan with remediations based on weaknesses we discovered and suggestions for how to improve network security and strength. We’ll also help the network engineers implement the remediation steps.

TPO: What can a utility do to protect itself, short of relying on outside services?

Bennett: An important step we see many organizations taking is to establish policies and processes for their people to follow. That includes making people aware of the threat, showing them what to look for so they can identify an attack when it’s happening, and having a clear process for responding.

It’s also important to know the parts of their systems that are exposed to the Internet and to have a good, transparent overview of how the entire network is connected. This helps avoid undesirable side effects of a DDoS attack. For example, a system that isn’t directly connected to the Internet may be affected when another system that is Internet-connected is taken down.

TPO: What priority should a water or wastewater utility assign to building defenses against these attacks?

Bennett: It’s not to be taken lightly. It’s something a company needs to allocate a budget to: for training staff, preparing for an attack, making sure that there are policies and defenses in place, and testing, because it’s important to verify that defenses deployed will work as designed. Cybersecurity needs to be made a priority, especially in terms of DDoS attacks.
