India’s gas, water and critical infra vulnerable to cyber attacks: Report

Cyber-security firm CloudSEK’s report gives chilling examples of how hackers can compromise public and private infra

October 22, 2021 / 19:39 IST
India had the most number of easily hackable water-treatment systems in the world

India’s critical infrastructure, involving gas and water supply, and security installations, may be more open to cyber attacks than what has been previously evaluated, according to a report.

Often, what stands between the facilities and an attack is only a weak username and password--such as guest and guest@123, or admin and admin!

A report by cyber-security firm CloudSEK exposed vulnerabilities that can compromise critical infrastructure, enable dangerous misinformation campaigns, endanger water-treatment systems and weaponise gas distribution systems. The report titled “Abysmal State of Global Critical Infra Security” analysed the risk of cyber attacks on gas, water and government services across the world, and found them at high risk.

In fact, India had the highest number of easily hackable water-treatment systems in the world. Through a weakness in the use of its software, a hacker can jeopardise systems that affect a large population.

“We had alerted all the private and government agencies two months before and they have fixed the vulnerabilities,” said Sparsh Kulshrestha, Senior Security Analyst, CloudSEK and author of the report.

CloudSEK, founded in 2015, creates AI-powered solutions to detect, analyse and alert entities about threats from surface web, deep web and dark web. Their mission is to produce machines that can enable digital security through learning and evolving. In 2020, it was given the Cybersecurity Award at Nasscom Emerge 50 2020. 

Hidden IT

“The biggest problem is with shadow IT,” said Kulshrestha. Shadow IT is created when a company or an entity fails to track its IT assets efficiently. 

It is an umbrella term, and it covers a common mistake: assuming that a webpage stays hidden from the general public as long as its IP address (which is a bunch of numbers) is not linked to a DNS name (an easily identifiable address such as company.com).

“There are websites that index IP addresses and they can be easily found,” said Kulshrestha. If anyone wants to find the webpage, they just have to run a search on the index and get the IP address against it. 

That is how the CloudSEK team found the login page to a central government dashboard that gave the user access to surveillance videos of critical facilities. To make matters worse, the login credentials (username and password) were easily identifiable and even saved on the page. All the user had to do was click on login and the visuals would show up on the screen.

“Since the dashboard monitors in real-time, the CCTV footage of critical services, across all the Indian states, attackers can exploit it to surveil their targets,” the report said.

Also, the weakness could have been used as an entry point to “provide initial access to the network and enable further lateral movement”.

CloudSEK’s report has given other chilling examples of vulnerable systems across the country.

Dashboard entry-points

Another one cited was of a GitHub repository that had the credentials to access the Indian government’s mail server.

With the credentials, a hacker could have gained access to the government server and sent out emails impersonating government entities. This could have been used for malicious social-engineering campaigns, to spread misinformation or even to send out a phishing email.

The report also cited vulnerabilities in the infrastructure of private entities, such as the water-supply infrastructure of an Indian FMCG company. The weak link was the way in which a water-quality management software was being used.

“The tool was configured using default manufacturer credentials, enabling attackers to easily access the critical infrastructure of the water treatment plant,” said the report. 

Exploiting that, anyone could have stopped multiple operations in the treatment of water and even manipulated the chemical composition of the water. This is particularly worrisome since it is an FMCG company.

The cyber-security firm then ran a check to see how many installations of this software exist across the world, and India had the highest number, with 14 installations.

Even a gas-transport company’s truck tracking and management panel was found to have a weak link. “Since these are not the regular trucks but the Gas Trucks, weaponizing this information could have disastrous consequences on public safety,” said the report.

Solution

Apart from raising awareness among government and private entities, the report suggested real-time monitoring of Internet-exposed OT applications, leaked credentials across GitHub and other repositories, underground forums for threat actors targeting OT systems, patches and work-arounds for vulnerabilities, and unsecured cloud storage.

Moneycontrol News
first published: Oct 22, 2021 07:39 pm
