A system breach in Oldsmar, Florida, in 2021 served as a powerful warning of the stakes involved in cyber security around water utilities.
Hackers accessed the water treatment plant and enabled a system change that pumped dangerous amounts of sodium hydroxide into the water – essentially poisoning the city’s water supply.
The COVID-19 pandemic has only increased risk profiles for utilities. With working from home now normal, remote access points into operational systems have multiplied, leading the surface area for cyber attacks to dramatically increase.
“There are a couple of reasons why the threat landscape is changing for water utilities,” said Angela Pak, National Lead for Cyber Security in Operational Technology at KPMG.
“One is the need for greater automation and the use of IoT devices for the purpose of efficiency in water management. The use of these smart devices has increased because organisations want realtime data and have remote control over their operating environments.”
The greater need for efficiency and access to real-time data means utilities have had to open what is traditionally an “air-gapped environment”, Pak said.
“In the past, IT and OT were separated. But with the use of automation and IoT devices, that barrier is breaking down, thus increasing the threat landscape.”
But the pandemic has also played a role in increasing risk.
“Remote management increases the operational footprint and therefore increases the threat landscape,” Pak said.
As water utilities continue to digitise, the benefits of data connectivity and online operations management are countered with the very real risk of cyber attack, said Dominic Hatfield, CIO and General Manager Digital at Sydney Water.
“As technology changes and people and businesses become more innovative, systems to solve business, customer, community and industry problems are becoming more innovative and accessible,” Hatfield said.
“We’re also becoming more reliant on them.”
This reliance means the potential impact of malicious activity becomes greater. At the same time, those who seek to do damage are also becoming more innovative.
As a result, water utilities must constantly transform and improve their cyber threat protections.
“If I ask somebody when their cyber program will be completed and they give me a date, I know they’re in trouble,” Hatfield said.
“It can never finish. Success is about constant awareness, alert and iterative development of maturity.”
Long-term management of the cyber challenge doesn’t just change the conversation from security compliance to risk management. It also demands a skillset many water utilities simply don’t have, said Laith Shahin, founder and CEO of OTfocused cyber security firm Secolve.
Traditionally, engineers have managed the operational technology for water utilities, he said. Cyber security has not been a focus, key performance indicator, or area of speciality for engineers.
Where CIO roles exist, the focus should be on hiring people with the right skillsets to look after cyber security across IT and OT.
“A major threat for water utilities is remote access to the OT environment,” Shahin said.
In the Oldsmar attack, for example, third-party software was used to breach the network.
“Third-party software creates a new attack vector. If not configured properly, these systems might not have the same level of security control, and they can open a major can of worms.”
As the ever-present threat of cyber attack grows, water utilities must be proactive in protecting themselves.
A good starting point is meeting basic security controls, Shahin said.
“Ensure you have multi-factor authentication enabled everywhere possible, along with regular user training, system backups and good password management,” he said.
“It’s good to go back to your most basic security controls and check they’re enabled within the utility.”
Regular and rigorous auditing of third-party contractors is also crucial.
“That’s no silver bullet, but it will eliminate a lot of the risk,” Shahin added.
According to Hatfield, utilities shouldn’t attempt to predict or plan for everything, which will only lead to failure. Instead, he suggests figuring out the major areas of risk and concentrating on those first.
“It might be phishing attacks,” Hatfield said. “That’s a nuisance area that comes into the organisation via employees.”
To combat this threat, he recommends conducting an analysis on employee education and awareness to ensure people know what to look out for.
“Then there’s network exposure,” Hatfield said. “Ensure core access points into your internal networks are constantly monitored, understood and kept up to date.”
A third area of focus – when a malicious organisation slowly settles into the utility’s system over a long period of time – is also the most difficult to detect or defend against, Hatfield said.
“Because it’s not a one-off event, there’s not a big change,” he said. “It happens over time – it might take months or even years.”
Once again, it is vital that the organisation’s layers of defence are sophisticated, up to date, and constantly monitored, developed and adapted to new types of threats.
Shahin added that every organisation, large and small, needs a “security champion” who is responsible for the wider cyber security of the industrial control systems network.
“Put someone in charge who’s going to lead this practice, so you don’t have to rely on two or three people managing separate areas in the organisation to come up with a security strategy,” Shahin said.
Finally, share as much cyber security information as possible between utilities.
“This is critical, so you understand the common risks the sector is facing, as well as the potential solutions,” he said.
Once these mechanisms are in place, Shahin advises obtaining full network visibility as quickly as possible. With visibility comes the capacity to see who is connected to the network and what they are doing.
“From the get-go, aim to take a risk-based approach,” Shahin said.
“Identify your biggest risks and, to avoid being overwhelmed, focus on the four or five biggest ones in the first year or two. That will help improve your security posture as quickly as possible.”
First published as ‘Building Cyber Resilience’ in Current, May 2022.