In February 2021, a water plant just outside Tampa Bay, Florida was hit with a cyberattack.
The anonymous cybercriminal managed to raise the levels of sodium hydroxide, commonly known as lye, from 100 parts per million to 11,100 parts per million. At the lower concentration, lye regulates the PH level of potable water. At 11,100 parts per million, it causes burns to the eyes and skin, and even death.
The attack took place two days before the Super Bowl at nearby Raymond James Stadium. If a water plant technician hadn’t noticed the anomaly, tens of thousands of people would have been at risk.
More significantly, the hacker gained access to the system and manipulated the industrial control systems (ICS) by way of third-party software, in this case TeamViewer. Managers at the facility used the program to monitor the water system remotely.
Today, it’s not only servers and personal computers that are vulnerable to attack from malicious actors, but also legacy infrastructure like water pipes. Though constructed from concrete and steel, in 2022 water pipelines are connected to fiber optic cables, along with cloud and data center infrastructure. A successful cyberattack on water infrastructure can compromise trade secrets and IT assets, and lead to production interruptions that can result in equipment damage, revenue loss, and even danger to life.
The cyberattack at the Oldsmar, FL water treatment facility in 2021 was just the most publicized of the numerous cyberattacks on US water and wastewater systems.
Which is why it shouldn’t come as a big surprise that the water and wastewater sector is part of the Biden administration’s Industrial Control Systems Cybersecurity Initiative for critical infrastructure.
But while the ICS Cybersecurity Initiative has already aided in the protection of 150 electricity utilities serving over 90 million residential customers and multiple critical natural gas pipelines, the water and wastewater industry has some unique characteristics that intensify the challenge of securing it against cyberattacks.
Unlike the energy sector, which tends toward large scale grids, pipelines and systems, the water sector consists of thousands of local agencies providing independent services. They can only be grouped together as “the water sector” insofar as they all offer the same general services.
Many of these local water and wastewater services providers are very small and have minimal budgets, leading to:
All of these factors greatly increase the average water utility’s susceptibility to cyberattack.
The one cybersecurity upside of the fragmented nature of the water sector is the reduced chance of cascading failures. The North American electrical grid, for example, is so connected that it wouldn’t be too hard for an attack on an electric facility in British Columbia to lead to power disruption in New Mexico. The connectedness of the energy sector is an asset under normal circumstances, through which utilities companies can automatically share peak load coverage and backup power. But during a malicious attack, that same connectedness can cause damage to spread farther, faster.
In contrast, the idea of an attack on a water treatment facility in British Columbia causing water safety issues in New Mexico is negligible. The hyper-localization of the water sector provides natural air-gapping that keeps damage localized.
Just because a burglar can’t get from your neighbor’s house to yours without crossing a street doesn’t mean your house won’t be independently burgled. You still need an appropriate security system to protect your property.
That’s exactly what the Water Sector Action Plan of the ICS Cybersecurity Initiative is aiming to do: equip local water suppliers with the ability to protect its systems and resources.
The Action Plan is a collaborative effort between the Environmental Protection Agency (EPA), the Cybersecurity and Infrastructure Security Agency (CISA), the Water Sector Coordinating Council (WSCC) and private sector organizations. Here’s what they’re planning to do.
The stated goal of the Initiative is “encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity.”
A primary part of the plan for the water sector is to assist owners and operators with deploying technology that will monitor their systems and detect threats with near real-time situational awareness.
How will small water utilities with no in-house cybersecurity resources know where they’re vulnerable and what they need to protect their facility? For one, CISA will offer free vulnerability scans and technical assessments to help bridge the gap. For another, EPA and CISA will work with private sector partners to develop protocols for educating water plant operators and raise awareness. The agency stresses it will also provide solution-agnostic strategies and will not recommend specific solution providers.
In the Oldsmar, FL water facility attack, the security vulnerability was easy to fix: outdated, unsupported software and poor password protection. This old, outdated vulnerability, however, exists in many industrial facilities, and more often at water plants, which often suffer from budget shortfalls and limited staff.
As water utilities go online to streamline operation and access the potential benefits of connectedness to other water facilities, they are no longer dealing exclusively with OT. Now IT has entered the picture. And if your staff doesn’t have IT security awareness, IT + OT spells double trouble.
It’s likely that EPA and CISA cybersecurity education and awareness protocols will cover basic IT security, although the US government has expressed its desire for an IT security approach called “Zero Trust” that insulates network users from common cyber scams and entry points. This Zero Trust standard doesn’t appear to be coming to the water sector any time soon, although it might be a more effective strategy for the sector’s IT security than any other option.
When it comes to defeating cyberattackers, information is power – and more information is more power. Joining together with allies to pool information makes everyone on your side more powerful – and more protected.
The collaborative nature of cybersecurity resources like MITRE ATT&CK and MAEC is testament to the logic of this approach.
Accordingly, an important part of the ICS Cybersecurity Initiative is setting up a system for rapidly sharing relevant cybersecurity information with the government and other stakeholders. As part of the plan implementation, EPA and CISA will work with water utilities and invite them to participate in a pilot program for ICS monitoring and information sharing. In addition to the direct improvement in the sector’s ability to detect malicious activity, program participation has the added benefit of increasing awareness among water plant operators to gauge the extent of threats and take appropriate action.
Given the challenges facing the water sector, we recommend two critical steps to secure water facilities and prepare for any security eventuality.
1) IT/OT education for employees
This is an involved subject, but in essence IT (information technology) manages information while OT (operational technology) manages machines. In other words, IT manages the flow of data while OT oversees the machinery that carries out tasks.
In the past, when networks operated in a localized system, there was a lesser chance for security breaches. But today, when OT machines are communicating across the globe, hackers take advantage of that distance (and the vulnerabilities it brings) to gain access to corporate networks.
Radiflow specializes in cybersecurity solutions for industrial networks. With an in-depth understanding of the differences between IT and OT security needs, and the impact of IT/OT convergence, Radiflow’s team can ensure you are aware of your entire network vulnerabilities and can suggest the best measures to increase security and maximize ROI.
2) Partner with an MSSP
An MSSP (managed security service provider) is an outsourced manager of security devices and systems that can implement a firewall, intrusion detection, and vulnerability scanning, among other services.
Radiflow partners with enterprise and local-level MSSPs to deliver holistic, managed detection and response services globally, and has experience meshing various vendor softwares and connected edge devices into a single network.
Radiflow’s program for OT MSSPs is based on the company’s iSID Industrial Threat Detection System that can run on the customer’s premises or in the Cloud environment of an MSSP partner. iSID can be utilized by an MSSP as the starting point for an ongoing network monitoring service that involves building a network topology map of all devices, connections, ports and data traffic flows on an OT network. As part of an ongoing networking monitoring service, an MSSP can also use iSID to detect any breach attempts and apply security upgrades to any newly detected devices.
Radiflow ensures that you have all the tools you need to fully protect your water and wastewater facility. A virtual digital map of your complete network highlights any weak points for you to SEE, and creates a base-line picture.
Radiflow’s CIARA industrial risk assessment and monitoring system enables you to KNOW what the problems are, and offers the opportunity to ACT to close any gaps and prevent breaches. Then, you can MONITOR on an ongoing basis, making it possible to update the security regularly in order to protect the water system and enable continuity of service.
To discover more about Radiflow’s innovative ICS solutions, contact us today and find out how Radiflow is working to protect water operations around the world,
We invite you to schedule a demo of Radiflow’s solutions, to learn how it could help you to better protect your IT-OT network while optimizing your cyber-security expenditure.
Harmonizing risk and consequence strategies across IT and OT environments for greater cyber resilience
Strengthening OT Resilience: Protecting Critical Systems in a Rapidly Evolving Threat Environment
Quarterly ICS Security Report 2024 Q3