2023 saw two concerning attacks on public water systems, highlighting the fragility and risk to utility systems. In Pennsylvania, malicious hackers breached the Municipal Water Authority of Aliquippa system the night after Thanksgiving. The criminals were making a political statement: the technology used to manage water pressure was developed by Israel, and the criminals used this opportunity to choose a side in the ongoing conflict.
The Pennsylvania attack occurred only days after the North Texas Municipal Water District suffered a breach, potentially affecting over 2 million people in 13 cities statewide. Thankfully, the effects were operational and largely rectified, but only after the responsible group claimed to have stolen over 33,000 pieces of unspecified data.
These incidents are stark reminders of the vulnerabilities inherent in our water utility systems. As threats evolve in sophistication and frequency, the need for robust security fundamentals in the water utility sector becomes more critical than ever. It's no longer just about reactive measures but proactively safeguarding our essential services.
The following sections delve into the best practices for security fundamentals that water utilities must adopt to fortify their defenses against cyber threats.
Ongoing attacks on our precious utilities highlight the need for water facilities to continue honing their ability to defend themselves against digital attacks. To that end, they can use WaterISAC's water and wastewater utilities guidelines.
The security fundamentals covered in those guidelines include the following:
Creating a robust asset inventory is one of the fundamental security measures that water facilities must prioritize. You can't protect what you don't know you have. It's, therefore, imperative that water facilities create an inventory of network assets. This effort should consist of network scanning and physical inspection, as the former can uncover only so much. In the process, these utilities can help to reveal blind spots by identifying what shouldn't belong on the network.
Water facilities must identify security gaps and vulnerabilities in their environments, which is at the heart of security fundamentals. The best way they can do both is by undergoing a risk assessment. Water utilities should conduct a risk assessment regularly to prioritize risks on business-critical assets. This isn't always easy, but organizations can use several free and voluntary networks, such as the NIST Cybersecurity Framework, for help.
Minimizing control system exposure is an advanced aspect of security fundamentals and is essential for safeguarding water utilities. Water facilities must understand the communication channels between the industrial control systems (ICS) and their enterprise networks. In that effort, they might discover a lack of network segmentation. They can implement physical and logical network segmentation to place resources into different network zones. They should also endeavor to eliminate all non-essential communication between devices.
Water utilities should generally provide control system access to only those authorized to have it. These facilities can use role-based access controls, a critical component of security fundamentals, to restrict access based on employees' job functions and responsibilities. They might also consider enforcing controls based on the principle of least privilege in tandem with other authorization measures such as MFA.
Limiting physical access to IT and ICS environments is a crucial part of security fundamentals. Water facilities must restrict physical access to IT and ICS environments. This right should be based explicitly on need; water utilities can use non-technical, physical barriers to prevent unauthorized individuals from accessing those environments. They can also use physical penetration testing to help harden the security of their hardware and other assets.
Non-digital engineering solutions serve a vital function in water facilities, as they can help to protect critical assets from physical damage. These tools can limit disruption to the time needed to temporarily transition critical assets to manual operation in the event of an incident.
Vulnerability management is a significant element of security fundamentals, helping utilities avoid potential threats. Water utilities should conduct authorized scans and assessments to identify vulnerabilities within their environments before they can be exploited. By prioritizing this security aspect and using threat intelligence, these companies can remediate, mitigate, and effectively respond to security weaknesses, enhancing their defense against digital threats.
At its best, digital security is a shared responsibility among all staff members. Effective security starts with engagement and encouragement from the top. From there, organizations can leverage security awareness training among the workforce to manage human digital risk.
This measure is one of the most difficult to implement. Nonetheless, it's important that security policies and procedures help define an organization's digital security requirements plainly. Once created and formalized, it's up to the organization to operationalize them via dissemination, communication, education, and enforcement and maintain these resources as part of a continuous endeavor.
To uphold the security fundamentals in water facilities, it's vital to have robust threat detection and monitoring systems in place. Water utilities should employ logging, passive or active monitoring systems, and independent process monitoring. Creating a Security Operations Center (SOC) that focuses on ICS security threats is essential in maintaining vigilant and responsive security measures.
It's crucial that water utilities can respond to security incidents quickly. Consequently, IT and OT need disaster recovery and digital security incident response plans. These strategies should reflect the input of several different departments. Doing so will ensure a collaborative and unified response that leverages organizational resources to the greatest extent in the event of a security incident.
Insider threats are dangerous to water utilities and other organizations because they can defeat digital security controls and system architecture using physical or privileged access. In response, water facilities should educate employees about digital threats, including those that might arise within the organization.
The supply chain represents a critical area in the framework of security fundamentals for water facilities. Vendors, contractors, consultants, and integrators all pose potential risks. Water facilities must manage and assess these relationships to understand the risks they pose to the organization. Establishing policies and procedures for verifying vendor communication, reviewing infrastructure for potential vulnerabilities, and monitoring corrupted software installations are essential strategies for securing the supply chain against digital threats.
Water facilities must securely configure and carefully manage all smart devices, particularly those under the Industrial Internet of Things (IIoT). These utilities should include IIoT devices in their risk management strategies. They should also incorporate instructions on using those devices safely and securely into their employee training programs.
The more participation among water facilities in defeating digital threats, the greater and more numerous the shared benefits. Indeed, such involvement means the community can share and learn from one another to stay safe against digital threats. That's why organizations should be willing to share threat intelligence with and learn from one another.
Secure Industrial Environments and Bridge the IT/OT Gap
Discover Advanced Cybersecurity for Industrial Control Systems with Tripwire: Enhance Your Network's Resilience and Compliance Today!