Australian-first research shows many utilities fear an imminent cyber attack on critical industrial operating systems, and Secolve CEO Laith Shahin says it’s never been more important for water utilities to ensure third-party risk management procedures are in place.
The Secolve survey of more than 2000 Australian risk, compliance and security specialists found 78% of those responsible for their organisation’s industrial control systems were concerned there would be an attack in the next 12 months, with 45% “extremely concerned”.
Cyber attacks on utilities’ operational technology (OT) control systems have been on the rise around the globe, and have the potential to cause huge financial losses, endanger workers’ safety and cause significant interruptions to essential services such as power, food and water.
Secolve CEO Laith Shahin said that while all organisations with digital capabilities are at risk of a cyber attack, organisations in charge of critical infrastructure, such as water utilities, face huge public health consequences.
“Just last year, an attack involving a Florida water utility paralysed the systems operating its pumping stations and water quality testing.
“So, the dangers are very real and the public safety consequences have the potential to be very serious.” Shahin said that as the world becomes more digitised and connected, the cyber security risk increases, too.
“IIOT devices, which is the Industrial Internet of Things, pose a huge risk. These digital environments are more connected, there’s connectivity between various devices, IOT devices in the water sector, which are connected to the internet. Risk of cyber attack here is huge,” Shahin said.
So how do water utilities and asset managers strike the right balance between adopting new technologies and protecting their critical infrastructure from cyber attacks?
“First of all, utilities need to ensure they’ve got an updated asset inventory. There needs to be full visibility of assets with an updated asset inventory database. With more and more devices connected every day, there is a strong need to keep an eye on what devices get connected to the network,” he said.
“Step two is making sure there is efficient segmentation between the IT network and the OT network. If a device is connected to the corporate network, for data retrieval and automation, for instance, there’s the risk of breaching the OT environment via the IT network.
“Making sure there's efficient segmentation between IT and OT is an important step towards protecting from cyber attacks.”
Shahin said another element of cyber security, the importance of which is growing quickly, is third-party risk management.
“Most of these connected devices are being manufactured by third parties, and then they're getting plugged into the existing OT environments. It’s important to ensure there’s a third-party risk management process in place, which will in turn allow for risks to be mitigated,” he said.
“How often utilities have their technology reviewed depends on what type of technology is being implemented. If it's an IIOT device, if it's a sensor, or if it's a robot that is there to be able to gather specific data, it's good to ensure that you have full visibility on the architecture surrounding it.
“Furthermore, whenever there is a major change to the environment, it's good to audit that device to ensure the environment is actually up to date.”
Shahin said third-party reviews are crucial considering that many recent cyber attacks have been executed via breaching third-party operations.
“Taking a look at recent attacks globally, third-party breaches are a huge cause. Most OT cyber attacks are state sponsored, they’re sophisticated attacks. And, an easy way to get into an environment is by breaching a third party,” he said.
“If all trust is given to a third party, by utilising a specific software connected to the OT environment or a specific device, it's way easier for the attackers to breach that third party and then get into your environment, rather than penetrating your OT environment directly.”
And while water utilities all provide similar services, utilising similar technologies, Shahin said it’s crucial that each individual utility has its own customised cyber security reviews in place, as each digital environment is different.
“The water sector has a limit on resources and there are many conflicting priorities. We need to come together, as a nation, as organisations, including public, private and government, to protect the nation's critical infrastructure,” he said.
“The most important part of achieving this effectively is to acknowledge that every digital environment is different. The cyber security journey any water utility could take may be similar to another water utility given their environments, but it’s also completely different.
“We need to raise awareness around cyber security risks right across the organisation, because OT hasn't been a big focus for many reasons. It's an emerging risk, the communication and the messaging has to be tailored to ensure that OT is looked at separately.”