Cyberattacks On Utilities. Here are the top two things water utilities need to do right now to secure our drinking water supply from cyberattacks.
Nothing seems to be safe from cyberattacks anymore. So far in 2021, the Colonial Pipeline gas line was hacked, resulting in gas shortages across the southeast. Brenntag, a chemical distribution company, was compromised, resulting in hackers demanding $7.5 million.
Major beef and pork producer JBS USA suffered a cyberattack recently, prompting reported shutdowns at company plants in North America and Australia; luckily, it did not result in any food shortages.
The U.S. Department of Energy is working to implement a national cybersecurity strategy and has so far focused its efforts on the nation’s transmission and generation assets, but utility distribution systems are “increasingly at risk” from intrusion and disruption, according to a report from the Government Accountability Office.
Cyberattacks On Utilities: What about our Water Supply?
On April 1, 2021, federal prosecutors announced that they had indicted Wyatt A. Travnichek for hacking into the computer systems of the Post Rock Rural Water District, where he was once employed, and shutting down the cleaning and disinfection processes. And in February of the same year, a yet-to-be-identified intruder hacked into the water treatment plant at Oldsmar, Florida, and briefly increased the amount of lye, a chemical used to regulate acidity in drinking water, from the normal 100 parts per million to a toxic 11,100 ppm.
These and other types of cyberattacks on utilities are likely to become more and more common in the future. So, what are the top two things water utility companies can do to secure their operations?
Make It Clear That Cybersecurity Is Everyone’s Responsibility
In many water utility firms, there is a tendency to assume that cybersecurity is the sole responsibility of the IT department. However, modern computer hacks are not always technical; malicious actors sometimes use a range of social and psychological techniques to trick employees into making security mistakes. For this reason, cybersecurity should be an integral part of the overall workplace culture at all levels. Utilities should make it clear that cybersecurity is everyone’s responsibility, from the cleaner to the chief executive. They should take a ‘verify then trust’ approach: every email, file, and approach by a third party should be viewed as a potential threat until proven otherwise.
Reconfigure Remote Access
It is instructive to note that the attacks described in the previous section were possible, in large part, because the water utilities in question had enabled remote access to their information technology (IT) and operational technology (OT) systems. To prevent such attacks, utilities need to seriously re-examine their remote access policies.
Remote access should be disabled as a matter of routine, advises Jake Brodsky, an industrial control systems (ICS) security engineer with over 30 years of experience in the water industry. Where such access is necessary, as is occasionally the case, the feature should be configured in such a way that it has to be manually enabled by someone who is physically present at the facility. For added security, utilities should set access to time out after a brief duration, utilize multi-factor authentication for remote users, and avoid using one account for multiple employees.
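The four controls above can be checked against remote-access session records. The following is an added example, not code from the article or from any vendor: the record schema, the account names, and the 30-minute limit are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_SESSION = timedelta(minutes=30)  # assumed limit; the article says only "brief"

# Constructed sample records; the field names are a hypothetical schema.
SESSIONS = [
    {"id": 1, "account": "vendor-a", "user": "alice", "enabled_on_site_by": "op-17",
     "mfa": True, "start": "2021-06-01T09:00", "end": "2021-06-01T09:20"},
    {"id": 2, "account": "scada-remote", "user": "bob", "enabled_on_site_by": None,
     "mfa": False, "start": "2021-06-01T22:10", "end": "2021-06-02T03:45"},
    {"id": 3, "account": "scada-remote", "user": "carol", "enabled_on_site_by": "op-04",
     "mfa": True, "start": "2021-06-02T08:00", "end": None},
]

def audit(sessions, now, max_session=MAX_SESSION):
    """Return sorted (session id, finding) pairs for sessions that break the policy."""
    findings = []
    # First pass: collect every distinct user seen on each account.
    users_by_account = defaultdict(set)
    for s in sessions:
        users_by_account[s["account"]].add(s["user"])
    for s in sessions:
        if not s["enabled_on_site_by"]:
            findings.append((s["id"], "not enabled by on-site staff"))
        if not s["mfa"]:
            findings.append((s["id"], "no multi-factor authentication"))
        start = datetime.fromisoformat(s["start"])
        # A session with no end time is still open; measure it against `now`.
        end = datetime.fromisoformat(s["end"]) if s["end"] else now
        if end - start > max_session:
            findings.append((s["id"], "exceeded time-out"))
        if len(users_by_account[s["account"]]) > 1:
            findings.append((s["id"], "account shared by multiple users"))
    return sorted(findings)

if __name__ == "__main__":
    for sid, finding in audit(SESSIONS, now=datetime(2021, 6, 2, 9, 0)):
        print(f"session {sid}: {finding}")
```

Session 3 shows why open sessions need to be measured against the current time: it passes the MFA and on-site checks but has no recorded end, so a check on closed sessions alone would miss it.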
These are the two top things most water utility companies need to do to keep their operations – and our water supply – safe from hackers. What else can these companies do to improve security? Tackle the basics, such as performing asset inventories and assessing risk, as well as the more advanced stuff, such as planning in advance for contingencies. Finally, utilities need to share information with each other and industry stakeholders; there is strength in numbers.
We have found that many organizations don’t consider themselves a target for hackers. What we have learned is that it’s not IF but WHEN you will be attacked. CybriantXDR was created with you in mind. This service covers all the basics for a complete cybersecurity strategy including the right people, processes, and technology.