Water infrastructure security in the age of cyberwarfare
War Games, a 1983 American film by John Badham starring Matthew Broderick, tells the story of a teenager who, from his computer and out of pure curiosity, breaks into the systems of the North American Aerospace Defense Command (NORAD) at the height of the Cold War. Believing it to be a game, the main character accesses a military supercomputer programmed to predict the possible results of a hypothetical nuclear war and activates a simulation that causes the NORAD computer, which cannot tell the difference between simulation and reality, to try to start a Third World War.
Accolades and cinematic success aside, the fiction reached far beyond the screen by presenting the threat of hackers as a hazard to the national security of any country, opening a debate in the United States on the technologies and communications of the future. Together with the attack that same year by the so-called 414s – seven teenagers who hacked into several government computers, including an unclassified computer at the Los Alamos National Laboratory in New Mexico – it would lead to the enactment of the first hacking laws in the United States.
Almost forty years later, that same concern has expanded at the same pace as new technologies and digitalisation processes have transformed the way we do things. The cyber attack suffered by Estonia in 2007 – which led to the creation of the NATO Cooperative Cyber Defense Center of Excellence (CCDCOE) – or that of an Iranian nuclear plant in 2010, demonstrated the need for national strategies to protect critical infrastructures and citizen services from cyber attacks.
Moreover, in a context where espionage, attacks and their influence are the order of the day in conflicts between countries seeking political, economic and military advantages, governments and organizations are looking for ways to ensure that the digital technologies that are today's allies do not become our enemies in the future. This new strategy is followed, according to the U.S. Intelligence Community, by China and Russia, the main threats in terms of espionage and cyber attacks worldwide; in recent years, they have been gathering information on the most sensitive critical infrastructures in order to keep them in their sights.
Water infrastructure, targeted by cyber-attackers
2020 was not only a turning point because of the global health crisis; it will also be remembered as a disruptive year in which digital transformation made us more hyper-connected than ever before. According to the report Cyber Threats and Trends 2021 by the Computer Emergency Response Team of the National Cryptologic Centre (CCN-CERT) under Spain's National Intelligence Centre (CNI), 2020 was also the year with more security incidents than ever and more forced digitalisation of services and businesses. Teleworking, the lack of mobility, the increase in video calls and the need to be connected to the world from within four walls during the lockdown made it more necessary than ever to take precautions against any type of communication received on devices and to invest even more in cybersecurity, in order to ensure the continuity of business and services to citizens, including water services.
According to the European Directive 2008/114/EC of December 8, 2008, critical infrastructure means “an asset, system or part thereof located in the Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions”. Within this definition, water-related services are one of the strategic areas targeted by cyber-attacks and, considering that water is also a strategic factor in military conflicts, the sector's concern is more than justified. Although these infrastructures are not as frequently attacked as other utilities, a failed attack against Israel's water supply in 2020 and the attack against a water treatment plant in Florida in 2021 have raised concern about a sector that is vulnerable precisely because of its importance for the economic and social development of a region.
The case of Maroochy Water Services
The first recorded cyber-attack on a water infrastructure occurred in 2000. The event was an intentional and targeted attack by a former employee with industrial control system expertise, who took control of the water company where he worked and caused a major sewage spill into parks and rivers in Maroochy County, Queensland, Australia.
"The major incidents that have occurred in recent years show that a weak link in the supply chain has proved to be a path to reach the core of critical infrastructure," explains Manuel Carpio, a member of the Spanish National Cybersecurity Forum. In fact, in Europe and the United States, most water infrastructure is managed by small organizations as part of a larger operator: "Instead of trying to directly attack the defences of a large operator, criminals are now trying to take control of the systems of one of their small contractors, but who have full access rights to their client's systems, critical infrastructure," he explains.
However, the Cyber Coordination Office (OCC) of the Spanish Ministry of the Interior points out that, in 2020, there were 31 cyber incidents in the water sector, corresponding to 0.1% of the total number of incidents in strategic sectors. This is due, they explain, to the fact that this particular sector has little exposure to the Internet compared to other sectors: "Most of its systems are industrial operation systems, which are mostly isolated in facilities; this reduces the exposure to attacks in comparison with other sectors". But the water sector is not risk-free.
The management of critical infrastructure is becoming increasingly digital. In the water sector, in particular, processes such as water supply, water treatment or quality control are unthinkable today without the use of IT (Information Technology) and OT (Operational Technology), as these processes are monitored by collecting information from the physical environment through various sensors, in order to measure certain parameters and act on that environment to respond to certain events. "The pandemic has sharply increased our dependence on digital systems and, at the same time, has led many organizations to be more open and exposed and, in some cases, has shown the vulnerability of their systems," says Mar Sánchez, Cybersecurity Key Account Manager at SIA, an Indra company.
Among the main cyber threats facing water and wastewater companies are ransomware – hacking of information – and phishing – theft of user login data –, software vulnerability, supply chain attacks – virus or malware via a vendor – or remote connectivity vulnerability.
The impact of a cyber-attack and its subsequent consequences for water infrastructure will depend on several factors. Especially relevant are the downtime, which can have great repercussions for citizens, and the domino effect caused by the interdependencies between critical infrastructure. "In water treatment facilities, unlike the IT environment, cyber security breaches are intertwined with safety-related issues that may affect the personnel, the environment, and the people who are meant to use those services," says Sergio Vidal, Process Automation Sales Director at Schneider Electric.
Cybersecurity, a priority for the water sector
"I think the next Pearl Harbor or the next 9/11 will be cyber, and we are facing vulnerability in all systems, but water is one of the most critical and I think one of the most vulnerable," said Senator Angus King during a July 2021 U.S. Senate hearing to address cybersecurity vulnerabilities facing the nation's infrastructure.
Since the onset of the pandemic, water managers have had to adapt to a new scenario full of uncertainty which has made us much more aware of the importance of water management and the role that innovation and digitalisation play in it. The global water crisis and the impact of climate change demand an intelligent use of water resources and, to this end, companies must adopt technologies capable of meeting the challenges and reducing not only their water footprint, but also their energy and carbon footprint.
This process of digitalisation and process transformation has put all businesses in the crosshairs of cybercriminals. Crisis scenarios such as the ones mentioned above, or the one now raised by the conflict between Russia and Ukraine, bring with them an increase in the risks of cybersecurity attacks and incidents in a war aimed at both direct participants and those who support one of the sides, and which takes place both on the ground and in cyberspace.
According to the World Economic Forum (WEF), cyber attacks are a huge risk to the value of companies and, ultimately, to the stability of society. Thus, cybersecurity in the water sector has become paramount and companies must manage cybersecurity as part of their corporate, social and environmental strategy. In fact, the WEF warns that cyber risk is the most immediate and financially material sustainability risk that organizations face today.
At SIA, an Indra company, they are aware of the conundrum that organizations face today, with great challenges to deal with, and at the same time, limited budgets to do it. That is why their solid experience in critical infrastructure protection and their knowledge of both the business and current trends in cybercrime allow them to advise water managers to help them prioritize what is really important.
"In addition to advice at the most strategic levels, we have the capacity to assume the management, operation and monitoring of IT and OT security," explains Mar Sánchez. "We also ensure the availability of critical processes through business continuity and crisis management plans", in addition to identity management in OT environments, public key infrastructure (PKI) management in industrial environments and digital signature of invoices and electronic sealing, which are some of the solutions most in demand by its clients in the water management sector.
In the era of digital transformation, as operational assets become more connected, more resilient components and control systems are needed to withstand cyber attacks. In this regard, Schneider Electric is a benchmark in cybersecurity for automation and control systems. It offers a complete cybersecurity cycle for OT plants (assessment, design, implementation, maintenance and monitoring) that ensures a set of skills and expertise rarely seen in traditional IT security companies: "Schneider Electric's DNA, rooted in the operational and automation industry, has the necessary resources to help OT clients," says Sergio Vidal.
A shared responsibility
The complex environment in which we find ourselves, brought about by the need to deploy new technologies to respond to political, social and economic trends and challenges, means that security will play a fundamental role in all digital transformation initiatives and investment plans in the coming years, according to the report Analysis and Diagnosis of Cybersecurity Talent in Spain 2022, by the Spanish National Observatory of Technology and Society (ObservaCiber). Sergio Vidal warns that "networks or traffic sources considered secure can no longer be trusted. Critical infrastructure plants must take additional security measures, as they not only deal with data loss, but could cause potential loss of life on a large scale." "Cybersecurity risk analysis and management processes must consider, in a comprehensive and integrated manner and in a broad sense, all assets involved in the supply or value chain, and not only those that are part of the internal perimeter of organizations," says Mar Sánchez.
The current context demands that critical infrastructure management be carried out within an increasingly demanding cybersecurity framework, where responsibility falls on all levels: "A truly two-way public-private partnership is needed, in which the government takes into account the investment effort made by operators of essential services to maintain a level of security beyond that required by market circumstances," says Manuel Carpio.
And so, two years after the onset of the pandemic – almost the starting point of this new scenario – and almost used to this new normal where digitalisation has become a tool to be used, we can say that maturity in terms of cybersecurity culture and awareness is high: "The culture of cybersecurity in critical infrastructure is deeply rooted. Those responsible for the security of infrastructure information are, in general, very committed to cybersecurity," the OCC (Spanish Ministry of the Interior) points out. "In addition, there is a very high level of maturity in the public-private collaboration between those responsible at the State Secretariat for Security and those responsible for the cybersecurity of critical infrastructure".
Finally, from the Spanish National Cybersecurity Forum, Manuel Carpio points out that "cybersecurity is part of the agenda of the boards of directors of the companies that own critical infrastructure, and on the other hand there are cybersecurity awareness and education programmes at all organizational levels". However, he warns, "We must not become complacent. There is still a lot to be done".