Cyber attackers know all too well that they can put critical infrastructure in difficult positions. Segments like water and wastewater have users that heavily rely on their utilities, meaning that a cyber-attack can have wide implications. Users can also include companies utilizing water for processes like cooling or manufacturing a product, so a breach would also impact their operational costs. Recent cyber-attacks on the water industry have even led to the creation of new US legislation.
Take, for instance, the Oldsmar Water Treatment attack in February 2021. Using old credentials, hackers were able to remotely access and survey the facility network. Within a few hours, they were able to alter controls, drastically raising sodium hydroxide levels from 100 parts per million to 11,100 ppm. The attack on Oldsmar Water Treatment elicited several responses from the US government. For one, the Biden-Harris administration worked with the Environmental Protection Agency to expand its public-private cybersecurity partnership to the water sector to bolster cyber-related threat visibility and protect federal networks.
The reason is that connected devices, brought about by digitalization, are here to stay. Digitalization helps with efficiencies, data-driven insights, and, ultimately, sustainability. Equipment being made today has a greater level of connectivity to help companies remain competitive and increase profits. However, unlike other industries, water and wastewater is a crucial utility, and the organizations operating within that industry must strive for the highest cybersecurity levels under the global standards of IEC 62443.
How prepared is the water industry?
In the latter half of 2021, Claroty, a leading provider of cybersecurity platforms, conducted a survey across the water and wastewater segment with surprising results. It revealed that 34% of companies experienced a ransomware attack that affected IT only. Meanwhile, 22% of ransomware attacks affected OT only.
What’s more, 52% of respondents experienced a partial impact on one site, while 30% said they experienced a substantial impact on multiple sites for one week. Some even faced a similar impact on several sites for more than a week. For 37% of all respondents, those impacts resulted in a downtime cost between $100,000 and $500,000 per hour, and for 12% of respondents, it cost $1M to $5M per hour. Ultimately, 60% of the survey respondents paid the ransom.
Many companies face challenges when analyzing the root causes of an attack: they are unable to definitively rule out what may or may not have occurred to allow the attack to take place. Having the ability to detect a breach in your security perimeter empowers your organization with knowledge and control. It also permits further analyses should another attack occur. Without anything in place to detect a breach, attackers could already be in a system, gathering information and sustaining access over time.
Through implementing network segmentation within a company’s digitalized architecture, operations could continue in some capacity if a cyber-attack can be isolated to one area. With that in mind, water and wastewater industries should strive to reach Security Level 4 protection within their organization. Here’s a breakdown of what each level entails:
- Security Level 1 – Protects against unintentional breaches or coincidental violations.
- Security Level 2 – Delves into areas with more serious implications by protecting against intentional violations perpetrated by those with generic skills and few resources.
- Security Level 3 – A company protects itself against professional hackers – people or entities with system-specific skills who use sophisticated means to gain access to infrastructures.
- Security Level 4 – Organizations are protecting themselves from highly motivated hackers using sophisticated means, who also have extended resources to carry out nation-state-level attacks. While it may be difficult to withstand level 4 attacks, companies can better defend themselves and analyze internal weaknesses.
4 security practices for IT-OT convergence
When reassessing your cybersecurity perimeter, it’s important to commit to certain goals and practices. Yes, there is no silver bullet when it comes to cybersecurity. But laying down a pathway towards cyber confidence can lead to more efficient operations and reduce the chance of a cyber-attack.
Conduct regular cybersecurity assessments. Tools like edge data collectors focus on asset inventory to keep track of devices used across operations. Knowing all access points is important, but tracking firmware updates, especially as companies grow and modernize over time, becomes a critical defense practice.
Implement network segmentation into your organization’s architecture to separate the IT network from the OT network. Doing so can provide a stopgap during an attack. Network segmentation like this is known as a “demilitarized zone” (DMZ), and it isolates areas of the network or devices that have been compromised. Firewalls and containment help in regaining control.
Back your data up. Set this up to recur automatically to protect your IP and core system, and do so regularly. Should a cyber-attack occur, an organization can get up and running faster. Frequent data backups can make your company less attractive to potential hackers seeking to do significant damage. Store any supercritical configurations and source code in multiple places as well.
Recovering from an attack is done best through practice. Cyberattack “fire drills” prepare companies to mitigate breaches as they occur and can help them recover faster. Training for various scenarios in role-based cybersecurity workshops will instill confidence and cultural buy-in with employees.
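For the segmentation practice above, one way to check that IT and OT hosts only ever reach each other through the DMZ is to audit firewall or flow records against the zone plan. The Python below is an added example, not code from the original article or from Schneider Electric; the subnets, function names and flow records are constructed assumptions.

```python
import ipaddress

# Constructed zone plan (assumption): replace with your own subnets.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}


def zone_of(addr):
    """Return the zone name for an IP address, or 'EXTERNAL' if unknown."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "EXTERNAL"


def audit_flows(flows):
    """Return flows that reach OT without passing through the DMZ.

    Each flow is (src_ip, dst_ip, dst_port). A flow with one end in OT
    is acceptable only if the other end is in OT or in the DMZ.
    """
    violations = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        zones = {src_zone, dst_zone}
        if "OT" in zones and not zones <= {"OT", "DMZ"}:
            violations.append((src, dst, port, f"{src_zone}->{dst_zone}"))
    return violations


# Constructed sample flow records: (src, dst, dst_port).
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.20.0.5", 443),     # IT workstation -> DMZ server
    ("10.20.0.5", "10.30.1.10", 502),     # DMZ server -> OT controller
    ("10.10.4.21", "10.30.1.10", 502),    # IT workstation -> OT, direct
    ("203.0.113.7", "10.30.1.10", 5900),  # external host -> OT, direct
    ("10.30.1.10", "10.30.1.11", 502),    # OT -> OT, same zone
]

if __name__ == "__main__":
    for violation in audit_flows(SAMPLE_FLOWS):
        print("segmentation violation:", violation)
```

Any line it reports points to a firewall rule or a dual-homed host that bridges the two networks and should be reviewed.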
Cyber confidence in water industries
Given the survey results, there is an obvious need for confidence in cybersecurity. The cost of a cyber-attack can be life-threatening and detrimental to an organization’s reputation in addition to its financial impact. However, by following certain fundamentals, water and wastewater organizations can increase cyber defense parameters – and it’s not a journey you undertake alone. Here, Schneider Electric has the expertise to help assess where you are on the pathway toward cyber confidence.
We work with an ecosystem of world-class partners to provide the right technology and services that customers need for their specific environments. We leverage a network of partners to integrate leading cybersecurity technologies to provide the right vendor-agnostic protection from an OT perspective to meet customer needs for all business types and industries, including the water and wastewater segment.
Performing regular cybersecurity assessments, implementing network segmentation, ensuring regular backups, and providing consistent cybersecurity training are some of the first steps your organization can take to improve its cybersecurity posture. Cyber confidence is obtainable, and Schneider Electric can help you pave the pathway toward your cybersecurity goals with industry-leading OT cybersecurity standards, services, and solutions.