Hundreds of millions of Americans rely on community water systems for their daily supply of water. But these public services aren’t guaranteed. On the one hand, the United States’ water infrastructure is in desperate need of an overhaul.
In 2012, the American Water Works Association (AWWA) said it would cost over one trillion dollars over the next 25 years to restore and expand these public water systems. Yet limited funding options, scant availability of replacement parts, and workplace turnover hamper these and other smaller repairs and updates on an ongoing basis, obstacles which pose a public safety risk.
On the other hand, the AWWA recognized on its website there’s something even more threatening to Americans’ water than aging, overburdened delivery and treatment systems:
“Cybersecurity is the top threat facing business and critical infrastructure in the United States, according to reports and testimony from the Director of National Intelligence, the Federal Bureau of Investigation and the Department of Homeland Security.”
It’s been a long time since the world learned of Stuxnet. The number of vulnerability disclosures specific to industrial control system (ICS) has increased sevenfold from 50 in 2010 to over 350 in 2015. Not only that, but organizations serving critical water infrastructure have suffered digital security incidents in the last few years.
For instance, the Lansing Board of Light and Water (BWL) paid out $25,000 in November 2016 after suffering a ransomware infection.
Given attacks like the WannaCry outbreak on May 12, other companies with water-specific ICS systems may suffer BWL’s fate in the coming years. If ransomware strikes, a ransom payment would be just one of their worries. They would also need to pay the forensics costs, invest in additional security measures to try to block malicious actors along each phase of a digital security attack, and suck up the lost productivity costs.
Organizations with water industrial control systems have much to lose from a digital security incident. This reality begs the question: what can they do to strengthen their security posture?
The answer rests with ICS security best practices. For instance, organizations need to inventory all their industrial vulnerable endpoints, achieve secure configurations of those assets and monitor for malicious or unapproved changes.
Using their network needs as guidance, they should then design a network with separate zones and segmentations so that they can adequately contain a threat when it arises. All the while, organizations need to secure their industrial controllers via visibility into threats and changes to ICS, protection of vulnerable controllers, and assurance of authorized changes.
These best practices offer a broad overview of how companies with water-specific ICS systems can strengthen their digital security. For tips on where to start and guidance on industry standards, check out Belden’s webinar “The Elephant in the Control Room: Water-Wastewater Treatment Plants” here.