Digital attacks targeting water facilities are on the rise.
In its 2016 Data Breach Investigations Report, for instance, Verizon Enterprise disclosed an incident in which bad actors breached a water treatment plant and altered the levels of chemicals used to treat tap water at that facility.
News of this incident came approximately two years after the ONWASA water facility revealed it had suffered a ransomware attack that had disrupted its internal computer system in the wake of Hurricane Florence.
Less than a year after that, the Coloradoan reported how INTERPOL had found and released a decryption key that in turn helped the Fort Collins Loveland Water District and South Fort Collins Sanitation District recover from a ransomware attack.
Acknowledging these attacks, it’s no wonder that industry leaders are coming up with new guidelines designed to help water facilities better defend themselves against digital attacks.
Most recently, WaterISAC published 15 guidelines which water and wastewater utilities can use to protect against digital threats. These security fundamentals include the following:
Asset Inventory Database
You can’t protect what you don’t know you have. It’s therefore imperative that water facilities create an inventory of assets that are on their networks and the types of information those assets provide.
This effort should consist not only of network scanning but also of physical inspection, as the former can uncover only so much. In the process, these utilities will reveal blind spots by identifying what shouldn’t belong on the network.
Water facilities need to identify security gaps and vulnerabilities in their environments. The best way they can accomplish both of these tasks is with the help of risk assessments.
In order to effectively prioritize risks on key assets, these utilities should conduct such evaluations on a regular basis. This isn’t always easy to do, but organizations can use several free and voluntary networks such as the NIST Cybersecurity Framework for help.
Ultimately, conducting a risk assessment is important; if done well, it will provide organizations with their current risk profile and thereby help them prioritize initiatives which they can use to improve their security posture.
Minimize Control System Exposure
It’s imperative that water facilities understand the communication channels that exist between the industrial control systems (ICS) network and their internal networks. In that effort, they might very discover that there’s a lack of appropriate boundary protection controls separating these networks. Should they come across this weakness, they should use a combination of physical and logical network segmentation to place different resources into different network zones. They should also endeavor to eliminate all non-essential communication between devices.
Enforce User Access Controls
Water utilities should generally provide control system access to only those who are authorized to have it. With that said, these facilities can use role-based access controls so as to restrict access based on employees’ job functions and responsibilities. They might also want to consider enforcing controls based on the principle of least privilege in tandem with other authorization measures such as passwords and multi-factor authentication.
Safeguard from Unauthorized Physical Access
It’s important that water facilities limit the physical access to IT and ICS environments. Towards that end, they should limit physical access to only those who need it, and they should use non-technical, physical barriers to prevent unauthorized individuals from accessing those environments. They should also use physical penetration testing to help harden their hardware and other assets against physical attacks.
Install Cyber-Physical Safety Systems
Non-digital engineering solutions serve a vital function in water facilities, as they can help protect critical assets from physical damage. Specifically, these tools can effectively limit service disruption to the time that’s needed to temporarily transition critical assets to manual operation in the event of a security incident.
Embrace Vulnerability Management
Vulnerability management should be at the core of every organization’s digital security strategy. Water utilities are no exception. As a result, these facilities should perform authorized scans and assessments to help identify vulnerabilities within their environments before the bad guys do. Using threat intelligence on known flaws, these companies can then remediate, mitigate and effectively respond to those security weaknesses.
Create a Digital Security Culture
At its best, digital security is a shared responsibility among all staff members. Effective security starts with ample engagement and encouragement from the top. This culture then leverages security awareness training among the entire workforce to manage human digital risk.
Develop and Enforce Digital Security Policies and Procedures
This particular measure is one of the most difficult to implement. Even so, it’s crucial to formulate, as security policies and procedures help plainly define an organization’s digital security requirements. Once created and formalized, it’s then up to the organization to not only operationalize them via dissemination, communication, education and enforcement but to also maintain these resources as part of a continuous endeavor.
Implement Threat Detection and Monitoring
Water facilities need to detect as well as prevent digital threats. Towards that end, these utilities should employ logging, passive or active monitoring systems and independent process monitoring. They should also make sure to create a security operations center (SOC) that focuses specifically on ICS security threats.
Plans for Incidents, Emergencies and Disasters
It’s crucial that water utilities have the ability to respond to security incidents quickly. Consequently, both IT and OT need disaster recovery and digital security incident response plans. These strategies should reflect the input of several different departments. Doing so will ensure a collaborative and unified response that leverages organizational resources to the greatest extent in the event of a security event.
Tackle Insider Threats
Insider threats are so dangerous to water utilities and other organizations because they can quickly defeat strong protective digital security controls and system architecture using physical or privileged access. In response, water facilities should educate their employees about digital threats, including those that are internally based, as doing so will help discourage them from causing harm to critical assets or systems.
Secure the Supply Chain
Vendors, contractors, consultants and integrators all represent possible insider threats. It’s therefore up to water facilities to manage and assess those relationships for the risks they pose to the overall organization. Towards that end, they need to establish policies and procedures that can help verify communication with vendors. They should also review their infrastructure to see how digital attackers might pivot from a supplier’s network onto theirs and/or how they might use corrupted software installations from a third party to cause harm to their systems.
Address All Smart Devices
Water facilities need to securely configure and carefully manage all smart devices, particularly those Industrial Internet of Things (IIoT) products. As such, these utilities should include IIoT devices in their risk management strategies. They should also incorporate instructions on how to use those devices safely and securely into their employee training programs.
Participate in Information Sharing and Collaboration Communities
The more participation there is among water facilities on defeating digital threats, the greater and more numerous the shared benefits. Indeed, such involvement means that the community can share and learn from one another in the interest of staying safe against digital threats. That’s why organizations should be willing to share threat intelligence with and learn from one another.