On February 8, the world learned about a digital attack at the water treatment plant serving the 15,000-person City of Oldsmar, Florida.
An operator at the plant watched someone remotely take control of his mouse and use it to raise the sodium hydroxide setpoint for the water from 100 parts per million (ppm) to 11,100 ppm.
This change could have endangered public health if the operator had not immediately reversed the attacker’s work and if the plant didn’t already have safety measures in place.
Those who perpetrated the attack did so after compromising the water treatment plant’s TeamViewer software, according to local media reports.
Security Best Practices for Water Utilities
Attacks such as the one at Oldsmar highlight the need for water facilities to continue honing their ability to defend themselves against digital attacks. Towards that aim, they can use WaterISAC’s guidelines for water and wastewater utilities.
The security fundamentals covered in those guidelines include the following:
Asset Inventory Database
You can’t protect what you don’t know you have. It’s therefore imperative that water facilities create an inventory of network assets. This effort should consist not only of network scanning but also of physical inspection, as the former can uncover only so much. An accurate inventory also helps to reveal blind spots: anything that is on the network but not in the inventory shouldn’t be there.
Assess Risks
Water facilities need to identify security gaps and vulnerabilities in their environments. The best way to do both is to undergo a risk assessment. In order to effectively prioritize risks to business-critical assets, water utilities should conduct a risk assessment on a regular basis. This isn’t always easy to do, but organizations can use several free and voluntary frameworks, such as the NIST Cybersecurity Framework, for help.
Minimize Control System Exposure
It’s important that water facilities understand the communication channels that exist between the industrial control systems (ICS) network and their enterprise networks. In that effort, they might discover that there’s a lack of network segmentation. If that’s the case, they can implement both physical and logical network segmentation to place different resources into different network zones. They should also endeavor to eliminate all non-essential communication between devices.
Enforce User Access Controls
Water utilities should provide control system access only to those who are authorized to have it. To do so, these facilities can use role-based access controls to restrict access based on employees’ job functions and responsibilities. They should also enforce the principle of least privilege and pair it with strong authentication measures such as multi-factor authentication (MFA), so that a single compromised remote-access credential is not enough to reach the control system.
Safeguard from Unauthorized Physical Access
It’s important that water facilities limit physical access to IT and ICS environments. Access should be granted explicitly on the basis of need, and water utilities can use non-technical, physical barriers to keep unauthorized individuals out of those environments. They can also use physical penetration testing to help harden the security of their hardware and other assets.
Install Cyber-Physical Safety Systems
Non-digital engineering solutions serve a vital function in water facilities, as they can help to protect critical assets from physical damage. These tools can limit disruption to the time that’s needed to temporarily transition critical assets to manual operation in the event of an incident.
Embrace Vulnerability Management
Vulnerability management should be at the core of a water utility’s digital security strategy. These facilities should perform authorized scans and assessments to help identify vulnerabilities within their environments before the bad guys do. Using threat intelligence, these companies can then remediate, mitigate and effectively respond to those security weaknesses.
Create a Digital Security Culture
At its best, digital security is a shared responsibility among all staff members. Effective security starts with engagement and encouragement from the top. From there, organizations can leverage security awareness training among the entire workforce to manage human digital risk.
Develop and Enforce Digital Security Policies and Procedures
This measure is one of the most difficult to implement. But it’s nonetheless important; security policies and procedures help to plainly define an organization’s digital security requirements. Once created and formalized, it’s up to the organization to not only operationalize them via dissemination, communication, education and enforcement but to also maintain these resources as part of a continuous endeavor.
Implement Threat Detection and Monitoring
Water facilities need to detect digital threats as well as prevent them. Towards that end, these utilities should employ logging, passive or active network monitoring, and independent process monitoring that checks process values against engineering limits rather than trusting whatever the HMI accepted. They should also create a security operations center (SOC) that focuses on ICS security threats.
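As an added example of the independent process monitoring this section calls for (it is not code from the post or from WaterISAC), the following Python check replays a constructed HMI audit log and flags setpoint writes that leave an engineering safe band, jump too far in a single step, or come from a source that is not a known local station. The tag name, the limits, the trusted station names and the log lines are all assumed; only the 100 ppm normal value comes from the post.

```python
from dataclasses import dataclass

@dataclass
class SetpointLimits:
    low: float       # lowest acceptable setpoint, engineering units
    high: float      # highest acceptable setpoint
    max_step: float  # largest change permitted in a single write

# Assumed tag name and limits; only the 100 ppm normal value comes from the post.
LIMITS = {"NAOH_DOSE_PPM": SetpointLimits(low=50.0, high=200.0, max_step=25.0)}
TRUSTED_SOURCES = {"console01", "console02"}  # assumed local HMI stations

# Constructed audit-log lines, one setpoint write each: time|tag|old|new|source
AUDIT_LOG = """\
2021-01-15T08:00:00|NAOH_DOSE_PPM|100|105|console01
2021-01-15T13:30:00|NAOH_DOSE_PPM|105|11100|remote_session
2021-01-15T13:32:00|NAOH_DOSE_PPM|11100|100|console01
"""

def parse_audit_log(text):
    """Turn the pipe-separated log into dicts with numeric old/new values."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tag, old, new, source = line.split("|")
        records.append({"time": ts, "tag": tag, "old": float(old), "new": float(new), "source": source})
    return records

def check_setpoint_changes(records, limits=LIMITS, trusted=TRUSTED_SOURCES):
    """Return (time, tag, reason) alerts using the checker's own limits, not the HMI's."""
    alerts = []
    for r in records:
        lim = limits.get(r["tag"])
        if lim is None:  # surface unknown tags rather than skip them silently
            alerts.append((r["time"], r["tag"], "no engineering limits defined"))
            continue
        if not lim.low <= r["new"] <= lim.high:
            alerts.append((r["time"], r["tag"], f"setpoint {r['new']:g} outside {lim.low:g}-{lim.high:g}"))
        step = abs(r["new"] - r["old"])
        if step > lim.max_step:
            alerts.append((r["time"], r["tag"], f"step {step:g} exceeds {lim.max_step:g}"))
        if r["source"] not in trusted:
            alerts.append((r["time"], r["tag"], f"write from untrusted source {r['source']}"))
    return alerts

if __name__ == "__main__":
    for alert in check_setpoint_changes(parse_audit_log(AUDIT_LOG)):
        print(*alert)
```

Note that the corrective write back to 100 ppm is also flagged for its step size, which is what you want: an operator undoing an attack is itself an event worth recording and reviewing.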
Plans for Incidents, Emergencies and Disasters
It’s crucial that water utilities have the ability to respond to security incidents quickly. Consequently, both IT and OT need disaster recovery and digital security incident response plans. These strategies should reflect the input of several different departments. Doing so will ensure a collaborative and unified response that leverages organizational resources to the greatest extent in the event of a security incident.
Tackle Insider Threats
Insider threats are dangerous to water utilities and other organizations because they can defeat digital security controls and system architecture using physical or privileged access. In response, water facilities should educate their employees about digital threats, including those that might arise from within the organization.
Secure the Supply Chain
Vendors, contractors, consultants and integrators all represent possible insider threats. It’s therefore up to water facilities to manage and assess those relationships for the risks they pose to the overall organization. Towards that end, they need to establish policies and procedures that verify communication with vendors. They should also review their infrastructure to see how digital attackers might pivot from a supplier’s network onto theirs and/or how they might use corrupted software installations from a third party to cause harm to their systems.
Address All Smart Devices
Water facilities need to securely configure and carefully manage all smart devices, particularly those that fall under the Industrial Internet of Things (IIoT). These utilities should include IIoT devices in their risk management strategies. They should also incorporate instructions on how to use those devices safely and securely into their employee training programs.
Participate in Information Sharing and Collaboration Communities
The more water facilities participate in defeating digital threats together, the greater and more numerous the shared benefits. Such involvement means that the community can share with and learn from one another in the interest of staying safe against digital threats. That’s why organizations should be willing both to share threat intelligence and to learn from their peers.