Water may be a renewable resource, but many people don’t realize how vulnerable our water systems are. Few of us know the details of how municipal utilities handle water supplies or how easily utility systems can be hacked. Likewise, not many of us understand how severe the ramifications of an attack would be for the cost to water supply systems, or ultimately for public safety.
Recent Events Make the Need for Vigilance Clear:
In April 2021, Mandiant, the incident response unit of FireEye, revealed that it had quickly and successfully gained access to the industrial automation and control systems (IACS) of a North American utility and then exploited this opening to turn off the endpoint meter control infrastructure of the utility’s state-wide smart grid. The attack had no real-life consequences, as it was part of a red-team security exercise. But as Mandiant pointed out, it showed just how easily malicious actors could use IT networks to disrupt the operations of a critical infrastructure provider.
In February 2021, an outside party using remote access tools gained access to the control systems of a municipal water supplier in Oldsmar, Florida. The malicious actor attempted to raise the amount of sodium hydroxide (also known as lye) in public water supplies to toxic levels. Luckily, an attentive employee at the utility’s water treatment plant noticed that his operator console was being used for unauthorized purposes and was able to avert disaster.
In January 2021, a water department in the state of California was compromised by an attacker that stole an employee’s login information for Teamviewer. Upon obtaining the compromised credentials, the malicious actor attempted to delete treatment programs. Fortunately, the facility changed its passwords and reinstalled the treatment programs the following day, thereby eliminating the threat to public safety.
Water Operators Must be Better Prepared
These are only a few examples of the impact that unauthorized and malicious activity can have on municipal water operators, and they all show that cities and public utilities need to be better prepared in the case of a catastrophe.
And it isn’t an exaggeration to talk about catastrophe. Cyberattacks on industrial and Operational Technology (OT) environments are on the rise, with more OT-related vulnerabilities reported in 2020 than in any prior year. Security breaches have become so common that there are two types of companies out there nowadays: those that have been hacked, and those that don’t yet know they’ve been hacked. It’s no longer a question of “if,” but a question of “when.”
That poses serious concerns about public safety. The attacks on water infrastructure in California and Florida may have failed, but what if other malicious actors succeed in contaminating public water supplies, thereby putting thousands of customers at risk? And even if there are alert systems in place for situations like this, what if they are compromised as well?
Meanwhile, there are also financial considerations. Serious cyberattacks have the potential to inflict massive financial losses on municipal water suppliers. Can you really afford to overlook these risks to your organization?
Preventing Cyberattacks on Municipal Water Utilities
In light of these concerns, we’d like to highlight a few of the most important questions that municipal water operators can ask themselves:
1. Asset management: Do you know what you have?
This includes software, hardware, and networks. If it’s part of or provides support to your OT environment, document it. How can you protect network communication without knowing what’s on your network and where it’s connecting? How can you protect software and hardware without knowing they exist?
2. Access Management: Do you know who’s there?
As with asset management, it is important to identify and manage the people who are using hardware, software, and networks throughout your environment – and their credentials, too. Since weak and compromised credentials pose major risks, it’s vital to implement access controls and password management to all accounts that access or support OT systems. If an account is no longer used or needed, why keep it? If software, systems, or networks have no need for valid users, should they be decommissioned as well?
3. Lifecycle Management: Do you know what comes next?
Having a process for commissioning and decommissioning software and hardware is important. Following that process and knowing when to decommission is just as important. This doesn’t necessarily mean retiring hardware and software that is out of date, especially in the case of OT environments. Rather, it means managing the necessary and unnecessary hardware and software that support the OT environment. Do you know what to discard and what to keep – and when to make that decision?
4. Network Segmentation and Separation: Do you know where to put it all?
Since ransomware and remote access software are prevalent attack methods for water municipalities, segmentation and separation of corporate and OT networks is not just important, but imperative. By separation, we mean separation of networks both logically and physically. What are you doing to enforce this separation? If attackers compromise a single system, will they be able to access everything else in the environment?
5. Backup and Recovery: Do you know how to get it back?
No security solution is perfect. If you can’t prevent an attack, having the ability to recover using backups that you can trust is vital. To ensure a successful recovery following a security compromise, it’s essential to develop backup procedures and test those procedures. Additionally, making sure that you have both online and offline and/or local and remote access to the latest backups should be part of your standard procedures. So do you have backups in place? Are they current? Have you tested them?
These five questions highlight key security measures that must be in place from the beginning to mitigate or reduce the impact of security threats. Keep in mind, though, that these recommendations are only a start, since the threat landscape is ever-changing. Accordingly, Red Trident recommends that you conduct a security assessment to understand the assets, processes, and controls you have today and determine steps you need to take to reduce the risk to your OT environment.
About Red Trident Inc.
Red Trident is focused on protecting OT, ICS, SCADA, DCS, and other embedded systems. We support local, state and federal agencies, as well as enterprises that require our expertise. If you’ve got questions, we are offering a free 30-minute consultation for municipalities and their water management operators. We’re ready to help you increase security and lessen the chances of being hacked.
Please use this calendar link to book your free consultation.