Important Water Sector Cybersecurity Tips To Protect From Cyber Risks
Updated on: 20/05/2022
Like several other critical infrastructure verticals, the water industry faces rising cybersecurity risks. Water is managed privately or locally, depending on where you live, which makes it very challenging to regulate and manage. Among utilities, the water sector typically has the least financial resources allocated to it, making water sector cybersecurity a non-priority. In addition, operational technology (OT) has been reworked for remote access, creating inherent cybersecurity risk.
As threat actors look to disrupt supply chains, water companies must ensure continuous security of, and access to, water. Like other verticals, water companies must be concerned about the everyday threats that all businesses face. With the increasing risk of cyber attacks, including ransomware, the water sector needs to be vigilant about attacks targeting its infrastructure.
Usually, when a business loses all access to its systems owing to a major ransomware attack, it does not affect people's ability to survive. However, a problem arises because decentralized regulatory control and limited finances often mean that companies lack the resources for continuous security hygiene. Meanwhile, cyber-physical systems (CPS) technologies link enterprise IT networks to OT networks, raising the chances that threat actors' attacks succeed.
This article focuses on the cyber threats that have recently hit water companies around the world and sets out water sector cybersecurity tips and strategies to keep your company protected from malicious cyber attacks.
Table of Contents
- Cyber Threats & Visibility
- Anatomy Of A Cyber Attack In Water Sector
- How Do Cyber Attacks In The Water Sector Work?
- Examples Of The Water Sector Cyber Attacks
- Why Are The Attacks Conducted Becoming Successful?
- Water Sector Cybersecurity Budget Allocation: A Brief Report
- 6 Important Water Sector Cybersecurity Tips To Improve Cyber Confidence
- How To Enhance Security By Locking Down The Application-to-Network and Application-to-Application Communication
Cyber Threats & Visibility
While malicious actors continue to target critical infrastructure, few statistics exist compared with enterprise IT. A 2021 article, “A Systematic Review of the State of Cyber-Security in Water Systems”, explained that attacks are rarely made public and that attribution is often challenging.
The article also noted that the number of cyber attacks on CPSes has shot up in recent years, listing several important attacks such as BlackEnergy, DuQu, Havex and Stuxnet. It further noted that the attackers targeting water systems and water utility security include nation-state political actors, former employees and financially motivated cybercriminals.
Anatomy Of A Cyber Attack In Water Sector
The traditional method of defending OT systems from IT, and vice versa, is air-gapping. An air gap is an interface between two systems at which:
- They are not physically connected, and
- Any logical connection is not automated: data is transferred across the interface only manually, under human control.
OT systems often run legacy operating systems. This not only increases the risk that they are exploited through a security vulnerability, but also lets attackers reach the IT systems by running undetected code on the OT systems. Nevertheless, water companies increasingly use CPS technologies that connect their OT systems to the enterprise IT network, which allows more efficient monitoring as well as integration with billing services.
How Do Cyber Attacks In The Water Sector Work?
This connectivity, however, undermines air-gapping, because malicious threat actors might use a vulnerability in the enterprise IT network to gain access to OT. Attackers often start by using a common vulnerability, Remote Access Tools (RATs) or malicious software to get into the enterprise network.
Once they have access, they escalate the attack either by taking direct control of the OT systems or by exploiting weak code in the CPS. Often they exploit privileges within that network, or operate silently from the OT operating systems, which lets them gather information on the IT networks. From that point, they obtain administrative privileges and operate in the IT network with admin permissions.
For instance, when attackers hit a water treatment plant in Oldsmar, Fla., last year, they first exploited TeamViewer, a legitimate piece of software. This gave them access to the OT systems, enabling them to raise sodium hydroxide levels to potentially lethal amounts. In this case, the attacker attempted to kill people by poisoning the water system. In many cases, however, backdoors are probably planted that could enable further access.
Examples Of The Water Sector Cyber Attacks
Many attacks on the water sector have been confirmed. Below are some of the most prominent ones from a review of cybersecurity incidents in the water sector:
City Of Atlanta Ransomware Attack
The City of Atlanta was crippled by a ransomware attack in March 2018. It disrupted city utilities, courts and various other operations. For approximately a week, employees of the Atlanta Department of Watershed Management were unable to turn on their work computers or gain access to the wireless internet. Two weeks after the attack, Atlanta took down its water department website completely, stating on the site that this was “for server maintenance and updates until further notice.”
Atlanta took months to recover, at an estimated cost of $5 million to address the hack. While the Atlanta attack focused mainly on public-facing operations, the Colorado Department of Transportation was hit with a sequence of ransomware attacks on its back-office systems that cost approximately $1 to $1.5 million to address.
Ransomware Attack On A Water Utility Effected Through Spear-Phishing
An employee clicked on a malicious link sent by email, causing malware to download. The cybercriminals gained access via an Internet-facing commercial network and completely locked the utility out of its own systems. The hacker demanded the equivalent of $25,000 in Bitcoin to restore access. What's more, replacing the infected software and computers cost $10 million, and the complete remediation costs, including paying the ransom in this instance, were around $2.4 million. $500,000 could not be covered by insurance.
This attack underscores the significance of redundancy and resilience in systems, malware detection and prevention, employee training, and having cyber-insurance in place.
Attack On Industrial Control System (ICS) Of A Water And Sewage Authority
For nearly two months, the cybercriminals exploited a vulnerability in a remote wireless Internet connection used for operations, and they also exploited a hard-coded factory password. This attack underscored the importance of staying up to date with vendor patches and firmware updates and of regularly scanning networks for traces of intruders. It also highlighted a common developer flaw: hard-coded passwords. This flaw should be avoided where possible. If the password is meant for an initial default account, that account must be deleted after successful setup.
Bowman Dam Hack
This is a well-publicized hack. Iranian activists exploited a vulnerability to identify an unprotected computer that controlled the sluice gates and other functions of the dam. The hacktivists found the vulnerability through “Google Dorking”, which uses advanced Google searches to detect vulnerabilities. At the time of the attack, the gate had been manually disconnected for maintenance, which helped avoid more serious harm. The remediation costs for the dam exceeded $30,000, and the hackers were charged in a criminal indictment.
The simplicity of the method by which the hackers found this significant vulnerability shows the importance of regular security assessments and penetration testing of systems, applications and networks.
Colonial Pipes Attack
Another prominent example from last year is the 2021 Colonial Pipes cyber attack. On the 7th of May, 2021, the Colonial Pipeline company proactively shut down its pipeline system in response to a ransomware attack. On the 13th of May, 2021, the company announced that it had restarted its entire pipeline system and that product delivery had commenced to all of the markets. The company also stated that it had engaged a top cyber investigation firm to understand the nature and scope of the ransomware attack.
A senior authority stated that the hackers gained entry into the networks of Colonial Pipeline Co. via a Virtual Private Network (VPN) account that had allowed employees to remotely access the company's computer network. The account was unavailable at the time of the attack; however, it could still be used to access the company's network. This incident underscores that the threat ransomware poses to organizations is irrespective of size or sector.
Why Are The Attacks Conducted Becoming Successful?
Many OT systems were designed and built well before the internet came into being, so these companies run legacy technologies. Between their age and their design, these companies effectively lack contemporary security controls. In addition, security tools such as scanners are often unable to offer adequate visibility into the assets on the network.
These systems are often fragile. Abnormal activity or a minor change in the network architecture might result in expensive downtime. In the water sector, frequent or prolonged downtime has greater social implications. Water is fundamental to people's health and hygiene, so critical system outages might negatively impact the physical safety of the population.
Municipalities are known to have the worst IT hygiene. Users often run as local administrators, on outdated operating systems, with meager training. They also fail to implement the basic controls that are listed in the NIST and CIS frameworks. This makes them attractive targets for cybercriminals, with major societal implications.
Water Sector Cybersecurity Budget Allocation: A Brief Report
Despite the rise in attacks against CPS technologies, water companies continue to struggle with limited IT and OT financial resources. The “Cybersecurity 2021 State of the Industry” has noted the following IT and OT cybersecurity budget allocations:
- 1% of systems allocate 1 to 5% of their budget to IT cybersecurity.
- 1% of systems allocate greater than 10% of budget to IT cybersecurity.
- 3% of systems allocate 6 to 10% of their budget to IT cybersecurity.
- 38% of systems allocate less than 1% of budget to IT cybersecurity.
- 7% of systems allocate greater than 10% of budget to OT cybersecurity.
- 8% of systems allocate less than 1% of budget to OT cybersecurity.
- 9% of systems allocate 6 to 10% of their budget to OT cybersecurity.
- 95% of systems allocate 1 to 5% of their budget to OT cybersecurity.
These limited budgets make securing water more challenging, driving companies to seek more cost-effective solutions for cybersecurity risk mitigation.
Another issue with water sector cybersecurity is the lack of clear decentralized regulatory guidelines or, to be precise, of water sector cybersecurity risk management guidance, which further complicates the matter. Although they fall under the Environmental Protection Agency's control, water companies also find themselves regulated by environmental agencies, states and state public utility commissions.
6 Important Water Sector Cybersecurity Tips To Improve Cyber Confidence
This section discusses six crucial steps that help improve cyber confidence in the OT space and work towards cyber sustainability and resiliency.
1. Building a Holistic Approach Towards Cybersecurity
It is pivotal that all your cybersecurity efforts are holistic and vendor-agnostic. Cybersecurity is not a game of picking and choosing protection levels for various systems. Because many OT systems interact with and depend on each other to function properly, the entire environment must be protected in a way that can be managed centrally.
2. Using The Available Standards
Regulatory requirements and standards such as AWWA, IEC 62443, NERC-CIP and NIST 800-82 are the major drivers for customers starting their cybersecurity journeys. All of these security standards contain rigorous reference models for the secure development of control systems and industrial automation.
The cyber risk tool from AWWA (the AWWA cybersecurity tool) offers high-level water sector cybersecurity risk management guidance on which procedures and cyber policies need to be in place to run facilities safely. Meanwhile, the Purdue model for industrial control systems is suited to ‘defense in depth’ network segmentation. Both offer great starting points, but further assistance is needed to understand how they actually apply to a particular facility or industry.
3. Training & Enforcing A Cybersecure Culture
All team members need to be adequately trained on cyber policies to enforce a culture of cybersecurity. Proper training must focus on the role of employees and their impact on organizational cyber risk. It must also go beyond the mandatory minimum requirements and implement role-based cybersecurity workshops for employees. It is crucial for everyone in the organization to be aware of how their specific role fits into being cybersecure.
It takes just a single person clicking on a phishing link, intentionally or unintentionally, to infect the entire network. It is therefore important that everyone receives the training necessary for their individual role and is given the most accurate and up-to-date security information.
4. Monitoring The Daily Operations
Monitoring for anomalous behavior, such as incorrect logins or unapproved changes to networks, is crucial for identifying potential intrusions. Without logs and monitoring, the ability to remediate issues, carry out root cause analysis and prevent recurrence is extremely limited.
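The two signals named above, run over a few log lines, as an added example that is not part of the original article. The log format, user names, device names, ticket IDs and threshold are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log in a hypothetical "timestamp EVENT key=value" format.
SAMPLE_LOG = """\
2022-05-20T02:11:04 LOGIN_FAIL user=operator1 src=10.10.5.44
2022-05-20T02:11:09 LOGIN_FAIL user=operator1 src=10.10.5.44
2022-05-20T02:11:15 LOGIN_FAIL user=operator1 src=10.10.5.44
2022-05-20T02:11:21 LOGIN_OK user=operator1 src=10.10.5.44
2022-05-20T02:14:40 CONFIG_CHANGE device=fw-ot-01 user=operator1 ticket=-
2022-05-20T09:30:02 LOGIN_FAIL user=jsmith src=10.10.5.12
2022-05-20T09:30:10 LOGIN_OK user=jsmith src=10.10.5.12
2022-05-20T10:05:00 CONFIG_CHANGE device=sw-it-03 user=jsmith ticket=CHG-1042
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")
APPROVED_TICKETS = {"CHG-1042"}  # constructed list of approved change tickets
FAIL_THRESHOLD = 3               # assumed number of failures worth an alert

def parse(line):
    """Split one log line into (timestamp, event, fields) or return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return ts, event, fields

def find_anomalies(lines):
    """Flag repeated login failures and network changes without an approved ticket."""
    alerts, fails = [], Counter()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            alerts.append(("UNPARSED", line))  # never drop what cannot be read
            continue
        ts, event, f = parsed
        key = (f.get("user"), f.get("src"))
        if event == "LOGIN_FAIL":
            fails[key] += 1
        elif event == "LOGIN_OK":
            # A success right after a run of failures may mean a guessed password.
            if fails[key] >= FAIL_THRESHOLD:
                alerts.append(("LOGIN_AFTER_REPEATED_FAILURES", ts, *key))
            fails[key] = 0
        elif event == "CONFIG_CHANGE" and f.get("ticket") not in APPROVED_TICKETS:
            alerts.append(("UNAPPROVED_CHANGE", ts, f.get("device"), f.get("user")))
    # Failure runs that never ended in a success are reported as well.
    for key, count in fails.items():
        if count >= FAIL_THRESHOLD:
            alerts.append(("REPEATED_LOGIN_FAILURES", None, *key))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(alert)
```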
5. Utilizing the Next-Gen Tools & Strategies For Fighting Complicated Threats
Advanced, next-generation tools and strategies can help fight next-gen complex cyber threats. Do not be afraid of using Artificial Intelligence (AI) or the cloud. A new development in the cybersecurity environment is the emergence of AI tools that can learn the network and identify threats in real time. This lets employees focus on solving problems with the insights the tools provide.
6. Gaining Insight From The Outside Cybersecurity Experts
It is perfectly fine to ask external cybersecurity experts for help. At the end of the day, large and small organizations face the same issues and cyber threats. The struggles in combating those threats might be more similar than you think.
If you are struggling to select appropriate cyber tools for your environment, do not fully understand how to adhere to industry cyber protection standards, or feel you need to understand your weaknesses and strengths, contact the best cybersecurity solution provider without delay. Additionally, balancing the skill level of your staff with external resources and your budget to create a program that works for you will make you an unattractive target and thus minimize your risk.
How To Enhance Security By Locking Down The Application-to-Network and Application-to-Application Communication
With ransomware attacks on water infrastructure rising and breaching water sector cybersecurity, companies need to find cyber threat mitigation strategies that let them protect their OT environments. The same connectivity that helps threat actors move from enterprise IT networks to OT systems also acts as a means of transmitting malware to IoT devices.
Installing security updates on endpoint IT devices is crucial for protecting the interconnected systems. Nevertheless, even a single unpatched endpoint might pose a risk to the OT systems. As the OT systems are quite fragile, updating the endpoints definitely increases the online risks.
By setting deny-all policies for all application communications to networks and to other applications, organizations limit access as much as possible. The most influential benefits of this approach are:
- Blocking application and device access, to restrict malware from executing on a device or application.
- Limiting which applications can access the internet, to minimize the risk of threat actors exploiting a software vulnerability.
- Limiting which applications can be used at the same time, to minimize the risk that malware is transferred to applications that need privileged access.
- Restricting data sharing between applications, to minimize the risk that malware is transferred from one application to another.
- Limiting access to the resources of devices and applications, to minimize the risk that information is posted or processed on publicly accessible information systems.
- Enforcing the principle of least functionality, to minimize the risks associated with which applications may run in an environment, which applications may connect to the internet and which devices may be used to access resources.
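A deny-all policy of this kind reduces to an explicit allowlist with everything else refused. The sketch below is an added example, not code from the original article; the application names, addresses, ports and observed flows are constructed for a hypothetical plant.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NetRule:
    app: str    # executable allowed to initiate the connection
    dest: str   # destination network in CIDR form
    port: int   # destination TCP port

# Constructed allowlist: every name and address here is an assumption.
NET_ALLOW = [
    NetRule("hmi.exe", "10.20.0.0/24", 502),          # HMI -> PLC subnet
    NetRule("historian.exe", "10.10.5.15/32", 1433),  # historian -> billing database
]
# Application-to-application: (caller, callee) pairs that may exchange data.
APP_ALLOW = {("hmi.exe", "historian.exe")}

def net_allowed(app, dest_ip, port):
    """True only if an explicit rule matches; anything unlisted is denied."""
    ip = ipaddress.ip_address(dest_ip)
    return any(
        r.app == app and r.port == port and ip in ipaddress.ip_network(r.dest)
        for r in NET_ALLOW
    )

def app_allowed(caller, callee):
    """Pairs are directional: allowing A -> B does not allow B -> A."""
    return (caller, callee) in APP_ALLOW

def audit(flows):
    """Split observed flows into (allowed, denied) under the deny-all default."""
    allowed, denied = [], []
    for flow in flows:
        if flow["kind"] == "net":
            ok = net_allowed(flow["app"], flow["dest"], flow["port"])
        else:
            ok = app_allowed(flow["app"], flow["peer"])
        (allowed if ok else denied).append(flow)
    return allowed, denied

# Constructed observations to run the policy against.
OBSERVED = [
    {"kind": "net", "app": "hmi.exe", "dest": "10.20.0.7", "port": 502},
    {"kind": "net", "app": "hmi.exe", "dest": "203.0.113.9", "port": 443},           # HMI reaching the internet
    {"kind": "net", "app": "remote_desktop.exe", "dest": "10.20.0.7", "port": 502},  # unlisted application
    {"kind": "app", "app": "hmi.exe", "peer": "historian.exe"},
    {"kind": "app", "app": "mail_client.exe", "peer": "hmi.exe"},                    # IT application reaching into OT
]

if __name__ == "__main__":
    allowed, denied = audit(OBSERVED)
    for flow in denied:
        print("DENY", flow)
```

Running the audit against recorded traffic before enforcing the policy shows which legitimate flows are still missing from the allowlist, which matters on fragile OT systems where a wrongly blocked connection means downtime.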
The cybersecurity landscape is changing constantly as technology and threats continue to evolve. Given the risk severity and the potential harm, water sector cybersecurity threats must be made the highest priority for the water and wastewater sector. It is also critically important to adopt a comprehensive and proactive approach to enhancing water infrastructure security. This requires the active participation of the organization's senior leaders to ensure that adequate governance and technological procedures are in place as part of an enterprise-wide cybersecurity program and strategy.