Water utilities, as critical infrastructure, have a history of being targeted by malicious actors looking to threaten, ransom or disrupt water supplies. The essential nature of public water systems makes them attractive to attackers, as they have the potential to harm the environment, economies and citizens.
In response to the global pandemic, IT teams rapidly implemented new solutions to enable remote access within the utilities sector. As a result, water utilities are now vulnerable to attacks both on and through those remote access technologies.
According to a survey conducted by the American Water Works Association, more than 20,000 utility employees stated that cyber threats were considered to have the biggest impact on operations even before the pandemic, with a lack of resources and conflicting priorities as the greatest challenges.
In common with other industries, operational technology (OT) security teams working in facilities may have limited cyber security resources, which can make the task of securing the environment even more difficult. For example, if no centralised log collection and analysis is available, analysts are faced with piecing together disparate log formats from many systems in order to assess what is happening, making it difficult to determine whether an attack is actually occurring before damage is done.
Despite the unique challenges in securing systems in this industry, it is critically important to bolster cybersecurity innovation. As more hackers seek to exploit new gaps in the convergence of IT and OT across Europe, utility security teams need to protect their networks to ensure critical infrastructure resilience and performance.
Protecting essential infrastructure
Earlier this year, a cyber-attacker targeted a water treatment plant in Florida, US in an attempt to raise the levels of sodium hydroxide, used to clean water, by a factor of over 100. Even though the attack was detected before any damage was caused, it acted as a reminder of the real risk to critical infrastructure posed by cyberattacks, and not least the impact beyond the digital world.
Threat actors can attack water at its source, treatment plant, storage facility, or distribution centre. Our health, energy, agriculture, and emergency services are just some examples of other infrastructure that rely on safe water. There are, however, scalable and effective measures that water utility security teams can take to improve the cybersecurity of their organisations.
Security teams need a proactive strategy to rapidly detect and respond to threats in the industry. The strategy needs to encompass both OT and IT, as several recent incidents have leveraged commercial off-the-shelf remote access tooling to gain access to devices with control over OT.
In the case of the Florida incident, the attacker leveraged a remote access tool to gain access to the environment. That tool was not securely configured, and it may be that it was not even authorised software. This is a clear example of the convergence of IT and OT resulting in threat vectors that we didn’t have to consider in the past.
Harnessing the right data intelligence fabric gives water utilities security teams the confidence to create an accurate and complete picture of their cyber security operations to make better decisions.
Collecting telemetry from OT systems to record process and device data over time and then correlating changes in those physical processes with a security event is critical to detecting an attack. A security event in the industrial control network could be reconnaissance, network behaviour changes, changes in operator or engineering user behaviour, detected or failed malware, web-based attacks targeting human machine interfaces (HMI), etc.
On top of this, real-time visibility into OT can help security teams to identify and mitigate new threats, as well as build a picture of what normal activity looks like for their environment. This allows security teams to understand their cybersecurity risk profile and to prioritise and respond to emerging threats.
Security dashboards can be used to provide centralised visibility both for members of the security operations centre (SOC) and for IT teams. Capturing data in a timeline of activity allows teams to understand how an attack has evolved and to initiate appropriate responses. Analyst workflows can be simplified by building a sequential timeline of events that visualises the logically connected hosts and users.
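The correlation described above (process telemetry checked against security events, then laid out as a timeline) can be demonstrated with a small script. The following is an added example and not code from the article or from any vendor: it assumes a simple constructed setpoint-change log, a constructed remote-access log, a trusted address range of 10.10.0.0/16, and a rule that flags any setpoint moving by more than 10x in a single step (the Florida incident involved a jump of over 100x). Hosts, users, tags and addresses are all invented.

```python
"""Added example: correlate OT setpoint telemetry with IT remote-access
events and build an analyst timeline for each anomalous change.
All log formats, field names, hosts, users and addresses are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed process log. Assumed format (not a real vendor format):
# <ISO timestamp> <controller> <tag> <old value> <new value> <user> <source host>
PROCESS_LOG = """\
2021-06-01T13:00:00 PLC-2 NaOH_setpoint_ppm 100 100 operator1 HMI-1
2021-06-01T13:15:00 PLC-2 NaOH_setpoint_ppm 100 105 operator1 HMI-1
2021-06-01T13:30:10 PLC-2 NaOH_setpoint_ppm 105 11100 operator1 HMI-1
"""

# Constructed remote-access log: <ISO timestamp> followed by key=value fields
SECURITY_LOG = """\
2021-06-01T09:00:00 event=login user=engineer2 src=10.10.5.12 host=ENG-WS result=success
2021-06-01T13:28:40 event=login user=operator1 src=203.0.113.50 host=HMI-1 result=success
2021-06-01T13:29:05 event=session_start user=operator1 src=203.0.113.50 host=HMI-1
"""

TRUSTED_NETS = [ip_network("10.10.0.0/16")]  # assumed plant/IT address space
RATIO_THRESHOLD = 10.0            # flag a setpoint that moves more than 10x in one step
LOOKBACK = timedelta(minutes=30)  # how far back to search for a related IT event


@dataclass
class SetpointChange:
    ts: datetime
    controller: str
    tag: str
    old: float
    new: float
    user: str
    host: str


@dataclass
class SecurityEvent:
    ts: datetime
    fields: dict


@dataclass
class Alert:
    change: SetpointChange
    ratio: float
    related: list = field(default_factory=list)

    def timeline(self):
        """Related IT events and the OT change in time order, for the analyst."""
        items = [(e.ts, "IT  " + " ".join(f"{k}={v}" for k, v in e.fields.items()))
                 for e in self.related]
        c = self.change
        items.append((c.ts, f"OT  {c.controller} {c.tag} {c.old}->{c.new} by {c.user}@{c.host}"))
        return [f"{ts.isoformat()} {text}" for ts, text in sorted(items)]


def parse_process_log(text):
    changes = []
    for line in text.splitlines():
        ts, ctrl, tag, old, new, user, host = line.split()
        changes.append(SetpointChange(datetime.fromisoformat(ts), ctrl, tag,
                                      float(old), float(new), user, host))
    return changes


def parse_security_log(text):
    events = []
    for line in text.splitlines():
        ts, *kv = line.split()
        events.append(SecurityEvent(datetime.fromisoformat(ts),
                                    dict(p.split("=", 1) for p in kv)))
    return events


def is_trusted(src):
    return any(ip_address(src) in net for net in TRUSTED_NETS)


def correlate(changes, events, ratio_threshold=RATIO_THRESHOLD, lookback=LOOKBACK):
    """Flag large setpoint jumps and attach IT events on the same host or user
    that occurred within `lookback` before the change."""
    alerts = []
    for c in changes:
        if c.old == 0:
            continue  # avoid division by zero; a real system needs a separate rule here
        ratio = c.new / c.old
        if 1 / ratio_threshold < ratio < ratio_threshold:
            continue  # within the normal band of operator adjustments
        related = [e for e in events
                   if c.ts - lookback <= e.ts <= c.ts
                   and (e.fields.get("host") == c.host or e.fields.get("user") == c.user)]
        alerts.append(Alert(c, ratio, related))
    return alerts


def untrusted_sources(alert):
    """Source addresses of related events that sit outside the trusted networks."""
    return sorted({e.fields["src"] for e in alert.related
                   if "src" in e.fields and not is_trusted(e.fields["src"])})


if __name__ == "__main__":
    for a in correlate(parse_process_log(PROCESS_LOG), parse_security_log(SECURITY_LOG)):
        print(f"ALERT ratio={a.ratio:.1f} untrusted_src={untrusted_sources(a)}")
        for line in a.timeline():
            print("  ", line)
```

The point of the design is that neither log alone is conclusive: a remote login from an unfamiliar address is routine noise on its own, and a setpoint change is what operators do all day. Joining the two on host and user within a short window, and reporting the source address against a trusted range, is what turns two unremarkable records into a single actionable timeline.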
Managing the growing risk
Securing critical infrastructure is essential to the public’s health and safety. With the right cyber security solutions in place, utility security teams can swiftly analyse and mitigate an attack, reducing the mean time to detect and respond to a threat. Security teams gain the data visibility and security analytics needed to monitor the entire network and prevent dangerous drinking water from reaching the public. The goal is to effectively safeguard critical water infrastructure by adopting a ‘security-first’ approach aimed at limiting the damage caused by cyber-attacks.