october 2021
By Michael Arcenaux, Contributing Writer
In developed countries, we give little daily thought to where our drinking water comes from or what happens to water after we flush it down the toilet. Nor do we fully appreciate how other modern necessities — from electricity to food supply to refined gasoline — depend on a reliable supply of water delivered by our local utility. But when water supply and wastewater treatment are interrupted, not only does it cause inconvenience, it can impact public health and the environment, undermine the economy, and put our national security at risk.
For decades, utilities have implemented best practices to contend with forces of nature that imperil water systems — from droughts to floods to hurricanes. But as they digitally transform by integrating information technology (IT) and operational technology (OT) into their management and operations, cybersecurity risks take on greater importance.
Increased automation and the adoption of new technologies to assist with meter reading, leak detection and other operational goals open up a host of new attack surfaces for malicious actors to prey upon. And the COVID-19 pandemic added further risks to the equation as more employees began working remotely and using personal devices for official business.
Recent industrial control system (ICS) events have reinforced these concerns. Control systems, which are part of a utility’s OT environment, manage chemical feeds, pumps and other aspects of water treatment and movement. In February of this year, Oldsmar, Fla., made national headlines when a hacker leveraged a city TeamViewer account to access and change caustic soda levels at the water treatment plant. Around the same time, another hacker used TeamViewer to access the control system and delete files at a large California water facility. And in 2019, a former Post Rock Rural Water District employee who had retained login credentials after leaving the utility’s employment allegedly shut down the treatment process.
In all three cases, the utilities prevented public health impacts through a combination of awareness and technology. But will the next victim of an attack be so prepared — or so fortunate? Such incidents can lead to deaths and illnesses, not to mention reputational damage, lawsuits, employee downtime and the cost of recovery.
The cybersecurity firm Dragos reports hundreds of ICS incidents over the last decade across multiple sectors. While ICS incidents in the water and wastewater sector are relatively rare — or at least rarely reported — ransomware events and other compromises that affect IT occur more frequently. These types of attacks are common, highly disruptive, and can be expensive to recover from. They also offer hackers the opportunity to move laterally from the enterprise network to the operational network.
To the victim, it matters little whether the attacker is a coder living in his parent’s basement, a disgruntled former employee, or a nation-state using cyber hacks as an act of war. But from the standpoint of implementing security measures to prevent future attacks, realizing that bad actors are more sophisticated than ever is key to ensuring effective and secure operations.
The recent ICS incidents in the water and wastewater sector likely could have been prevented by limiting access to sensitive systems, not sharing passwords, and removing access for former employees. Similarly, other recent ransomware incidents could have been avoided if employees had spotted malicious emails or had been more suspicious of website links.
Besides implementing best practices published by sector organizations and federal agencies, water utilities must invest in cybersecurity and build a culture of cybersecurity awareness. This requires updated equipment, modern business applications, the hiring of cybersecurity professionals, and regular staff training on best practices.
Many utilities, however, are behind the curve when it comes to making these necessary investments. According to a June survey report by the Water Sector Coordinating Council, 40% of utility managers do not address cybersecurity in their risk management plans. Similar numbers of respondents have not conducted IT or OT asset inventories, which are foundational to improving cybersecurity.
In 2018, recognizing the importance of assessing risk and developing risk-informed response plans, Congress enacted America’s Water Infrastructure Act, requiring risk and resilience assessments and emergency plans every five years. The act applies to nearly 10,000 drinking water systems and is intended to help those organizations better understand, manage and reduce security gaps. However, the sector still lacks adequate technical assistance programs as well as grants and loans for cybersecurity improvements.
The sector and its government partners clearly have more work to do, particularly in helping small and medium-sized utilities who lack some of the resources larger systems enjoy. A number of tools by the sector and federal agencies already exist (see SIDEBAR), but the challenge will be to reach the thousands of utilities that need special assistance and may not be plugged into networks or industry associations, or do not have access to funding or cybersecurity professionals.
If your car has never been stolen, you might think car theft is not a risk and therefore leave your doors unlocked. But if your neighbors are reporting break-ins, then you are likely to take steps to ensure the same thing won’t happen to you.
The same lesson can be applied to adopting measures to prevent utility cyberattacks. WaterISAC, for example, disseminates threat advisories informed by Cybersecurity and Infrastructure Security Agency, FBI, EPA and fusion centers, as well as private sector sources, such as cybersecurity firms. More importantly, the center solicits incident reports from water and wastewater utilities and, with the originator’s permission, anonymizes the reports and shares them with member utilities.
This model, fundamental to information sharing and analysis centers (ISACs) across multiple sectors, increases awareness of sector threats. At its heart is the willingness of victims to share their experiences. Water utilities that report incidents are good Samaritans providing a service to the community, but reporting incidents also benefit the victims, who can request recovery support and guidance.
The city of Oldsmar set an example by reporting its attack at a news conference hosted by the local sheriff. Other utilities may prefer to report incidents confidentially. Last year, WaterISAC reported a ransomware attack at a large public water utility that approached the center to share their experience. The center’s analysts gathered information from the attack and shared it with the community without divulging the victim’s identity. The victim received recovery assistance, and the sector at large was put on alert to take action to better protect their networks.
Consequence-driven Cyber-informed Engineering (CCE) is a new, four-step methodology for preventing sabotage. Not a replacement for the best practices already mentioned, CCE begins with the assumption that if a critical infrastructure — a water system or power plant, for instance — is being targeted by highly skilled adversaries, then the target will be sabotaged.
Created by Idaho National Laboratory (INL), the methodology first examines where failures could occur and then looks at adversaries’ capabilities. This is followed by a discussion of how an attack might take place. The final phase has the target evaluating changes to mitigate at the time of the attack. The methodology was published earlier this year in the book “Countering Cyber Sabotage” by INL’s Andy Bochman and Sarah Freeman.
Risks to today’s water and wastewater systems are increasing — due to more effective threat actors, expansion of remote working, and increased automation and smart water technology. Hurricanes, flooding and wildfires are challenging to predict and can wreak havoc on water and wastewater infrastructure and operations. And given that many utilities are government entities, anti-government extremists, al-Qaeda and the Islamic State who call for U.S. domestic extremists to attack targets at home, are cause for concern.
Given this ever-evolving and multi-faceted threat picture, sharing and collaboration are essential to water and wastewater security and resilience. The value of participating in information-sharing networks and industry groups, as well as law enforcement and homeland security agency-sponsored groups, cannot be understated.
Attending and contributing to events and offering practical knowledge can strengthen individual utilities and the sector as a whole.
WaterISAC hosts numerous webinars featuring subject matter experts throughout the year. In addition, the center will be a co-host of the Water Utility Resilience Forum in Miami in December 2021. Addressing resilience at large, the forum will have panels on cybersecurity, climate adaptation, financial and workforce resilience, and emergency planning. The American Water Works Association’s (AAWA’s) Water Infrastructure Conference, InfraGard events and many state and regional association forums hosted every year also offer other opportunities to learn about threats in this sector and focus on building resiliency.
We believe that participation engenders awareness, and being aware of threats and implementing best practices produces long-term resilience. With public health and the environment at stake — not to mention utility finances, the integrity of customer data, and reputation — remaining unaware of threats and best practices is no longer an option.
Utilities can undertake these 15 courses of action to reduce cyber risks to both information and operational technology:
To help water and wastewater utilities bolster their cybersecurity and resilience, the sector and the federal government have developed other free resources:
Special Report
Critical Infrastructure
A Resilience Framework for the Future
By Daniel Kaniewski
Special Report
Critical Infrastructure
Cyber-Physical Security in an Interconnected World
By Dr. David Mussington
Special Report
Critical Infrastructure
Protecting the Energy Grid Is a Team Sport
By Scott Aaronson
Special Report
Critical Infrastructure
GridEx: How Exercising Response and Recovery Supports Grid Reliability
By Kate Ledesma
Special Report
Critical Infrastructure
Combatting Security Threats to Our Nation’s Critical Water Infrastructure
By Michael Arcenaux
october 2021 | securitymagazine.com