Additional Technology To Help Thwart Cyberattacks
Water infrastructure is critical to national security, economic stability, and public health and safety. While necessary for operations, the increasing automation of the water sector has opened it up to malicious cyber activity that could disrupt or manipulate services. Dating back to 2009, President Obama declared cyber security threats to be among “the most serious economic and national security challenges we face as a nation.”1 In January 2012, in testimony before the House of Representatives, the US Director of National Intelligence stated that cyber threats pose a critical national and economic security concern.2
Over the past two decades, federal investment in water systems has equaled only four percent of the amount that state and local governments invested, and most of the federal funding was in the form of low-interest loans, not grants. Fortunately, the White House has earmarked $2 billion from the bipartisan infrastructure bill that was signed into law last year to go toward strengthening U.S. infrastructure against cyberattacks. This couldn’t come at a more critical time as cities such as Los Angeles, San Francisco, Portland, Ore., and Oldsmar, Fla., have experienced hacks and the ongoing threats that the volatile geopolitical climate poses.
Water and Wastewater Infrastructure Security
After September 11, 2001, the federal government directed efforts to secure the nation’s critical infrastructure and initiated programs such as the National Strategy to Secure Cyberspace (Bush, 2003). This program addresses the vulnerabilities of Supervisory Control and Data Acquisition (SCADA) systems/industrial control systems (ICSs) and called for the public and private sectors to work together to foster trusted control systems. SCADA/ICS systems are an essential component for the effective operation of most water utilities in the U.S. The Homeland Security Presidential Directive and its successor, the Presidential Policy Directive issued in 2013, reaffirmed the water sector as one of the 16 critical infrastructure sectors that must be protected.3
There are close to 200,00 drinking water systems in the U.S. that provide tap water to nearly 300 million people. This critical infrastructure spans tens of thousands of miles, involves many remote sites, and requires multiple networks with complex software and hardware needs. The sheer size and scope of these systems offers hackers many exploitable entry points. As utilities transition to the cloud, remote access, smart devices, and the Internet of Things - IT and OT are no longer separate. Over the past decade, the technology behind water infrastructures and utilities has become more interconnected with OT & IoT devices. The different connected devices such as controllers, sensors, and smart meters are being used by water utilities to remotely monitor and manage processes. In a recent West Monroe survey, 67 percent of utility leaders cited cybersecurity as their top concern of the converged IT and OT network.
A cyberattack causing an interruption to drinking water and wastewater services could erode public confidence, or worse, produce significant public health and economic consequences. The diverse nature of the water and wastewater sector, with organizations of varying size and ownership, the sector’s splintered regulatory regime, and a lack of cybersecurity governance protocols, present significant [cybersecurity] challenges. Moreover, entities within the sector often face insufficient financial, human, and technological resources. Many organizations have limited budgets, aging computer systems, and personnel who may lack the knowledge and experience for building robust cybersecurity defenses and responding effectively to cyberattacks.4
Remote Alarm Notification Software Offers Additional Security
A report by the American Water and Works Association, Cybersecurity Risk & Responsibility in the Water Sector, states that “…Failing to address cybersecurity risk in a proactive way can have devastating results. Failing to take reasonable measures and employ best practices to prevent, detect, and swiftly respond to cyber-attacks means that organizations and the people who run them will face greater damage—including technical, operational, financial and reputational harm—when the cyber-attacks do occur.”
Utilities face myriad challenges to managing cyber risk due to varying water and wastewater infrastructure and entities of vastly different sizes, capabilities, resources, and types of ownership. However, turning to additional technology is one answer.
Although replacing legacy systems and networks can be extremely costly, it is essential to work with vendors and cybersecurity experts to implement updates and, if necessary, overhauls of outdated systems. Invoke the help of internal or external advisors to prioritize risk and develop a realistic approach and plan for enhancing cybersecurity. At a minimum, comply with basic standards including restricted physical and technical access, firewalls, logging, and encryption.5
Additionally, many SCADA systems are simply over-exposed to the internet by remote desktop applications (e.g. RDP and TeamViewer). In an attempt to provide process and asset information to operators, organizations have provided much more, ignoring the principle of least privilege and opening their entire control systems and their hosts to remote desktop access by unnecessary parties. Such broad remote access techniques present an increased security risk for organizations, a risk that Oldsmar experienced firsthand last year when an improperly secured TeamViewer application allowed an unauthorized party to increase the amount of sodium hydroxide being added to their water treatment process.
Advanced remote alarm notification software allows remote operators access to only the information they need from SCADA and not access to the SCADA itself or its operating system host. Such notification software is compatible with more secure, layered networks in which a series of firewalls provide added protection from attacks. This is done by deploying notification solutions alongside the SCADA system at the network's control level and using notification modalities that are not internet facing or distributing internet-facing notification processes to higher levels. For example, internal email servers, SMS modems, and voice via PBX devices allow communication with the outside world without internet exposure. Likewise, distributing the processes that interface with SCADA from those that interface with external email servers, VoIP solutions, and cloud apps allows internet-based notifications without compromising security.
Of course, there are valid use cases for desktop sharing software that do not violate PoLP and go well beyond operator access to process information. For such systems it’s critical that the remote desktop solutions be implemented with sound security.
There are several steps that utilities should take to improve their cybersecurity:
- Update any software to the latest version;
- Deploy multifactor authentication;
- Use strong passwords to protect remote desktop protocol credentials;
- Ensure anti-virus systems, spam filters and firewalls are up to date, properly configured and secure.6
Utilities should also take steps to secure any remote access software. They should not use unattended access features, and IT leaders should configure the software such that the application and associated background services are stopped when not in use.7 Integrating the remote alarm notification software through the SCADA system is critical to further reducing cyberattacks.
The New Normal
According to McKinsey & Company’s report, Critical resilience: Adapting infrastructure to repel cyber threats, cyberattacks should be thought of as a certainty akin to the forces of nature. Just as engineers must consider the heaviest rains that a dam may need to contain in the next century… those digitizing infrastructure must plan for the worst in considering how an attacker might abuse or exploit systems that enable infrastructure monitoring and control. This shift in thinking will begin to lay the path to connected infrastructure that is resilient by design.8
References
1. Robert M. Clark, Srinivas Panguluri, Trent D. Nelson, Richard P. Wyman, “Protecting Drinking Water Utilities From Cyber Threats,” 2016.
2. Ibid
3. Robert M. Clark, Srinivas Panguluri, Trent D. Nelson, Richard P. Wyman, “Protecting Drinking Water Utilities From Cyber Threats,” 2016.
4. https://www.awwa.org/Portals/0/AWWA/Government/AWWACybersecurityRiskandResponsibility.pdf (accessed March 1, 2022).
5. Ibid
6. https://biztechmagazine.com/article/2021/04/cybersecurity-lessons-utilities-can-learn-oldsmar-water-plant-hack (accessed March 1, 2022).
7. Ibid
8. https://solutions.mckinsey.com/msd/dnasummit/sites/default/files/Critical-resilience-Adapting-infrastructure-to-repel-cyber-threats.pdf (accessed March 1, 2022).
About the Author: Cody Bann is director of engineering at Austin, Texas-based WIN-911 and may be reached at [email protected]. The company helps protect over 18,000 facilities in 80 countries by delivering critical machine alarms via smartphone or tablet app, voice (VoIP and analog), text, email, and in-plant announcer, reducing operator response times, system downtime, and maintenance costs. For more information, visit www.win911.com/.