Overview
South Staffordshire PLC – A UK water company with around 1.6 million customers
have been the target of a cyber attack.
The ransomware group, known as Cl0p, have claimed responsibility for the attack,
however, rather embarrassingly, the group mistakenly announced it had successfully
attacked Thames Water – the UK’s largest water supplier instead.
Thames Water has officially disputed these claims via a statement today, saying that
reports of Cl0p having breached its network are “cyber-hoax” and that its operations
are at full capacity.
“We are aware of reports in the media that Thames Water is facing a cyberattack. We want to reassure you that this is not the case, and we are sorry if the reports have caused distress,”
Thames Water
Cl0p published a trove of stolen documents on its leak blog on Monday, including passport scans, spreadsheets, drivers’ licences, screenshots of wastewater treatment software user interfaces, and more.
The group claims to have access to more than 5TB worth of data belonging to South Staffordshire PLC.
Cl0p said it had access to “every system” including supervisory control and data acquisition (SCADA) software used for managing industrial processes. In this case, Cl0p claimed it had access to the tools that controlled the chemical composition of water supplies.
This attack comes during dire drought times for UK consumers, with eight areas in the country imposing water ration policies and hosepipe bans. Little information on the attack was offered by South Staffordshire PLC, the parent company of water supplier South Staffs Water, in a disclosure notice. (see below).
Technical Overview
As mentioned above, there has been little information provided by South Staffordshire PLC in the last 24 hours. The notice adds that they are working closely with the relevant government and regulatory authorities, meaning it may be some time before official technical details are released.
However, by looking at the Cl0p groups press site (accessible by Tor) we come across some very disturbing images. As you can see, the group have published several photos of passports and drivers licences in clear view, as well as screenshots of SCADA systems and lists of server names and passwords, showing that they not only breached the corporate network, but also the SCADA (OT) network too.
Whilst it’s not clear yet how the group gained an initial foothold inside the network, similar attacks in the past have been achieved through techniques such as phishing, removable media (insider threat) or exploitation of remote services such as corporate VPNs.
Although South Staffordshire PLC state that “This incident has not affected our ability to supply safe water.” the screenshots Cl0p posted showing they had view of a SCADA workstation is extremely worrying. The group also state;
“It would be easy to change chemical composition for their water but it is important to note we are not interested in causing harm to people.”
Cl0p Group
South Staffordshire PLC may have been lucky this time, however, other groups, including state sponsored hackers may not be so forgiving and cause widespread damage to the UK water supply and even pose a significant threat to life.
How the Blueskytec technology would prevent such an attack
It is likely that the SCADA (OT) network was connected to the corporate network (IT) in some way, and subsequently connected to the internet either directly or indirectly.
The Blueskytec Key Space technology provides a communication group within a circle of trust. It works by isolating devices, such as SCADA workstations and PLCs from the internet using encryption and authentication.
The Key Space Technology provides a unified view of a network of embedded computing devices. This can be a mixed network of devices including Ethernet and non-ethernet. At the centre of the system is an encrypted space – called the Key Space. This enables connections between the computing points. At the entrance point to the Key Space (Ingress) is a Key Space Gateway device and at the exit point (Egress) is an ICS Protect device.
Any communication within the Key Space is encrypted, and can only be decoded by a Key Space recipient. (e.g. ICS Protect).
Above is an example network diagram showing a typical IT / OT network with the Blueskytec technology in place. As you can see from the network diagram, the SCADA workstation (Windows, Linux, MacOS etc.) is isolated and protected from the rest of the network via a Key Space Gateway (KSG). This takes the IP connection from the SCADA workstation, which is unencrypted, and converts this into an encrypted connection for mapping onto the Key Space Technology.
The KSG and ICS Protects are within the same Key Space, isolated from the internet via a cryptographic method that only allows communication between known trusted items. Any communications outside the trusted group will not be understood by any other computer (including Quantum Computers).
To conclude, Cl0p would not be able to access any SCADA workstations or PLCs within the circle of trust (Encrypted Key Space). Only devices within the Encrypted Key Space can communicate with one another as any packets within this Key Space would have been encrypted by the Blueskytec devices and can only be decrypted the other end by a Blueskytec device.
Written by James Mockford – James.Mockford@blueskytec.com