In the past decade, disclosed cyberattacks experienced by water facilities and other utility companies have shown us the consequences of not being prepared. Operational Technology (OT) and Industrial Control Systems (ICS) comprehend fragile instruments that often are attractive targets for cybercriminals, being aware that often their cyber hygiene is incomplete and outdated mechanisms used in critical infrastructure.
Water facilities that are dedicated to treatment and supply cannot, for the sake of public health, fall victims of physical and cyber events that may put a halt on operations.
Therefore, it’s an absolute need to have efficient mechanisms to prevent infections and, in case they succeed, repair the damage as soon as possible to avoid any service interruptions.
But how to accomplish this? How can water facilities protect OT/ICS environments?
Water facilities have been the target of hackers in the last few years for good reasons. The Kemuri Water Company (unnamed water utility company referred to as such by Verizon in its data breach digest) in March 2016 and the Onslow Water and Sewer Authority from North Carolina in October 2018 are examples of this. These water facilities experienced cyberattacks that put critical operations at serious risk.
In the case of the Kemuri Water Company, Verizon shared that the water utility’s SCADA platform was running on an IBM AS/400 system, a solution offered by the vendor three decades ago. Such hardware was responsible for connecting OT and IT functions. As a result of this attack, it’s believed that hackers stole 2.5 million records containing customer and payment information.
On the other hand, ONWASA had more luck. The company detected the threat and followed its evolution. While some customers experienced technical issues while interacting with the utility’s interface, the company was effective in communicating that there were no risks related to supply. Operations at this time were more than critical, taking into consideration that only a few months before, Hurricane Florence struck the region, making ONWASA quintessential for the recovery process.
Besides these cases, it’s also worth mentioning the cyberattack carried by Syria against the Israeli water system back in 2013. This attack had the goal of causing damage to public infrastructure and disrupt essential services in Haifa.
Good Cyber Hygiene as a Standard
If we study these two cases, we find that there is a clear difference between both. Cyber hygiene is something that continues to be neglected in industrial environments, especially utility companies that rely on significantly-outdated infrastructures.
While OT/ICS environments do not get obsolete as quickly as IT systems do, their implications in infrastructures as a whole are determinant. The vulnerabilities created by outdated hardware and software are major opportunities for malicious parties to infect critical systems, steal sensitive data, and, in the worst cases, compromise operations such as water treatment and supply.
Preparing for Physical and Cyber Events
Protecting OT/ICS environments at a water facility isn’t only about keeping potential cyberattacks at bay but also preparing for a critical physical event such as a natural disaster. Relying on outdated, inefficient systems doesn’t create vulnerabilities exploitable by cybercriminals but also weaknesses that may lead to significant problems during disaster scenarios.
Good cyber hygiene must be considered mandatory for a water facility, taking into account how critical its operations are. While implementing the considered measures to protect OT/ICS environments, both physical and cyber events must be taken into full consideration. All systems provided by vendors must be analyzed to make sure they will not cause any liable vulnerability for the whole infrastructure.
Most modern elements in the infrastructure, such as smart irrigation systems, have also been targeted. While these solutions rely on newer tech, they also come with associated vulnerabilities that cybercriminals have been able to exploit.