Simple Steps For Mitigating Cybersecurity Risk
Regardless of the industry, cybersecurity is at the top of priority lists for company leaders around the globe. After 50 years of innovation in technology, it will take a collaborative approach by government officials, industry leaders, and individuals to safely navigate the volatile cybersecurity landscape.
For utilities, repercussions of a cyber-attack can cost millions of dollars, a tarnished reputation, and even lives in the case of water resources. The good news is that there are simple yet essential steps that every utility can start taking right now to improve their safeguards against these threats.
According to Black & Veatch’s 2021 Strategic Directions: Water Report, utilities’ resilience concerns surrounding cyberattacks have increased from 34% in 2020 to 56.2% in 2021.
The report theorizes that with the increase in remote work brought on by the pandemic, utilities are more vulnerable than ever to cyberattacks including ransomware, internal sabotage, and cyber terrorism. Underfunding is another contributing issue, as many utilities lack the funds to invest in cutting edge security systems or to regularly audit their processes.
Cybersecurity Attacks Increasing in Frequency
On January 15, 2021, a hacker tried to poison a water treatment plant that served parts of the San Francisco Bay Area. Utilizing popular remote work platform TeamViewer, the hacker used a former employee’s username and password to gain access to the plant’s computers. While no harm was caused by the incident, the hacker was successful in deleting programs that the plant used to treat drinking water.
A few weeks later, a hacker infiltrated the water treatment plant in Oldsmar Florida through the same remote work software in attempt to add dangerous levels of sodium hydroxide to the water. According to the FBI investigation, all the plant’s computers used the same password, and they were utilizing Windows 7, an operating system that Windows no longer supports. Each of these factors contributed to Oldsmar’s vulnerability and status as a potential target.
Published in 2020 in the Journal of Environmental Engineering, A Review of Cybersecurity Incidents in the Water Sector finds that there has been “an increase in the frequency, diversity, and complexity of cyberthreats to the water sector.”.
Reported in the review was an attack that took place in 2016. An undisclosed water utility in the US (presented under the pseudonym of Kemuri Water Company) hired Verizon Security Solutions to perform an assessment of its water supply and metering system. The assessment revealed numerous high-risk vulnerabilities, including a reliance on outdated operating systems and computers. Digging deeper, Verizon found that the utility’s internet payment application and outdated AS400 computer system were linked, granting hackers access to any information stored in the AS400.
The forensic investigation unveiled an exfiltration of 2.5 million unique records and the hackers’ manipulation of chemicals and flow rates.
Again, outdated software and processing systems was the culprit behind the utility’s vulnerability. A Review of Cybersecurity Incidents in the Water Sector, which explores 15 recent malicious cyberattacks, emphasizes “the need for an adaptive, cooperative, and comprehensive approach to water cyberdefense.”
Understand that cybersecurity is a continuous process. Actively monitor and stay vigilant.
How Can the Water Sector Strengthen Security Resilience
By looking at past cyber-attacks on water and wastewater plants, we can learn a lot about how to better steel our defenses against both internal and external infiltration.
Below are the FBI’s and the 2020 water cybersecurity review’s recommendations for increasing one’s security resilience:
• Use strong and diverse passwords and securely protect them;
• Always use multi-factor authentication
• Updating passwords
• Immediately change access permissions and passwords after terminating an employee
• Ensure anti-virus, spam filters, and firewalls are configured and secure
• Audit network configurations and isolate end-of-life computer systems
• Apply two-factor authentication whenever possible
• Train users to identify and report attempts or unusual activity
• Keep all software updated
• Separate SCADA systems from administrative networks
• Perform routine checks of systems such as email that contain confidential information
• Implement a monitoring mechanism to oversee data transfer for early detection and response
The Main Takeaway
Protecting our source water and valuable data associated with our critical infrastructure requires active participation from everyone in the industry.
Have you assessed your company’s software or operating systems recently? How many are outdated, not in use, or no longer supported?
While not every everyone has access to the same advanced security software, we can improve the sector’s resilience by always upgrading and updating software, staying on top of administrative access, and practicing secure password processes.