In late 2023, the Municipal Water Authority of Aliquippa, Pennsylvania, reported it had been cyberattacked by Iranian “hacktivists” (the CyberAv3ngers), resulting in lost control of a booster station. Previously the CyberAv3ngers claimed to have hacked into 10 Israeli water facilities.
This has placed cybersecurity higher up the critical process agenda. While hackers have previously concentrated efforts on infiltrating IT networks, they are now turning attention to OT networks, making OT risk a real and present danger in the water industry.
Whilst improved process technology such as internet enablement has delivered “bolt-on” functionality to ageing legacy OT systems, increased digitalization and automation have also increased cyber risk exposure. It is a double-edged sword: organizations need to be ready and able to defend against an attack, and to recover should one take place.
Key steps to improving cyber resilience
When developing a resilient cybersecurity asset management plan, there are four key steps to address: (i) securing what you know; (ii) assessing criticality; (iii) committing to the process; (iv) evaluating manual versus automated operations.
A critical success factor lies in OT and IT operations working together to ensure any gaps between the two are identified and mitigated. All too often, OT and IT are siloed; hardware on one side, software on the other. For any robust cybersecurity asset management plan, harmony should exist between these two critical areas. This requires a level of communication between two parties that often speak differently.
Step 1 – Visibility and control, securing what you know: It’s impossible to secure what you don’t know. So it’s critical to know your assets, the risks associated with them, the work you put into defining them, and the criticality associated with losing them.
A full audit of your IT and OT networks and how they interact is fundamental: identify all hardware and software, and by doing so gain greater awareness of possible attack points. Assets updated via a supplier USB port, or easily accessed during third-party vendor maintenance, could serve as an attack point.
Step 2 – Criticality: Criticality identifies the assets you really need to focus on: the fundamental operations, and how both systems and components work together to support them. When both the system and the component have high criticality, the asset becomes a priority you should focus on.
Step 3 – The process: The process step needs to be considered a living, continual process, with criticality at its heart.
This is a Management of Change (MOC) process. Success lies in ensuring risks and critical processes have been carefully evaluated, identified, and managed prior to implementing any significant changes. This baseline enables continuity of the MOC process, identifying any potential hazards that could result from these changes. This step is designed to help ensure any identified updates or modifications are properly documented, tested, and implemented without operational disruption.
Step 4 – Manual versus automated monitoring: Whether you decide on manual or automated methods, opt for the best approach for your organization. It’s not OT versus IT: it’s both working together for the most effective cyber resilience outcomes. Data-driven decisions should become part of the organizational culture when it comes to cybersecurity asset management, a living, evolving process.
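As an added illustration of how the four steps fit together (this is example code written for this article, not a tool from the authority or any vendor named above), the following Python script keeps a small OT/IT asset register, scores criticality, flags the exposure vectors the article mentions (vendor USB updates, third-party maintenance, internet enablement), checks that every asset has an accountable owner on the OT or IT side, and keeps a management-of-change log so that changes applied without risk review or testing can be surfaced. All asset names, zones, scores and change records are constructed for the example.

```python
"""
Constructed example: a minimal OT/IT asset register walking the four steps
described above. Every asset, score and change record here is made up.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Asset:
    name: str
    domain: str                 # "OT" or "IT"
    system_criticality: int     # 1 (low) .. 5 (high): how vital the process it supports is
    component_criticality: int  # 1 .. 5: how badly the plant copes if this component is lost
    # Exposure vectors from the article: vendor USB updates, third-party maintenance,
    # internet-enabled "bolt-on" functionality. Hypothetical labels.
    exposure: set = field(default_factory=set)
    owner: str = ""             # accountable person on the OT or IT side


@dataclass
class ChangeRecord:
    asset: str
    when: date
    description: str
    risk_reviewed: bool         # step 3: hazards evaluated before the change
    tested: bool                # change tested before production rollout


HIGH = 4  # a criticality score at or above this is treated as "high"


def priority(asset):
    """Step 2: an asset is a priority when both system and component criticality are high."""
    return asset.system_criticality >= HIGH and asset.component_criticality >= HIGH


def risk_score(asset):
    """Combine criticality with exposure so the review list is ordered, not just filtered."""
    return asset.system_criticality * asset.component_criticality + 2 * len(asset.exposure)


def review_list(assets):
    """Steps 1 and 2: (name, score, is_priority) tuples, highest risk first."""
    ranked = sorted(assets, key=risk_score, reverse=True)
    return [(a.name, risk_score(a), priority(a)) for a in ranked]


def unowned_gaps(assets):
    """OT/IT seam check: assets that nobody on either side is accountable for."""
    return [a.name for a in assets if not a.owner]


def unreviewed_changes(changes):
    """Step 3 (MOC): changes applied without both a risk review and a test."""
    return [c for c in changes if not (c.risk_reviewed and c.tested)]


# Constructed sample register; the names do not refer to any real site.
SAMPLE_ASSETS = [
    Asset("Booster station PLC", "OT", 5, 5, {"third_party_maintenance"}, owner="OT lead"),
    Asset("SCADA historian", "IT", 4, 3, {"internet_enabled"}, owner="IT lead"),
    Asset("Chlorine dosing HMI", "OT", 5, 4, {"vendor_usb_update", "third_party_maintenance"}),
    Asset("Office file server", "IT", 2, 2, {"internet_enabled"}, owner="IT lead"),
]

# Constructed MOC log: the second entry skipped the risk review.
SAMPLE_CHANGES = [
    ChangeRecord("Booster station PLC", date(2024, 1, 10), "firmware update via vendor USB", True, True),
    ChangeRecord("Chlorine dosing HMI", date(2024, 2, 3), "remote access enabled for vendor", False, True),
]


if __name__ == "__main__":
    for name, score, is_priority in review_list(SAMPLE_ASSETS):
        print(f"{score:3d}  {'PRIORITY' if is_priority else '        '}  {name}")
    print("No accountable owner:", unowned_gaps(SAMPLE_ASSETS))
    for c in unreviewed_changes(SAMPLE_CHANGES):
        print(f"MOC gap: {c.asset} on {c.when}: {c.description}")
```

The same register feeds either a manual review meeting (print the list) or an automated check (fail a pipeline when `unowned_gaps` or `unreviewed_changes` is non-empty), which is the point of step 4: the data, not the method, is what has to be shared between OT and IT.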
Conclusion
OT systems often serve as the backbone of many processes in the water industry. While enhanced technology enables increased data and connectivity, it usually doesn’t consider legacy system security. OT cybersecurity should strike a balance between identifying ongoing threats and maintaining tools and practices that can still communicate with legacy systems, so that security is maintained across both.