Andrew Nix is an operational cybersecurity consultant for Schneider Electric. Nix can be reached at [email protected].
While the digital modernization and automation of utility systems is extremely important, these changes bring new security risks. Two recent cyberattacks on U.S. utilities made clear the rising threat to critical infrastructure, including water and wastewater treatment plants. With these attacks in mind and the U.S. Department of Justice estimating cybercrime will cost the global economy $6 trillion this year, water utilities must embrace cybersecurity controls and work towards a pathway to cyber confidence.
Advancements in cybersecurity threats have resulted in industries that never previously engaged in cybersecurity-related conversations, including the water sector, now having to focus on how best to achieve operational technology (OT) security.
A Shift in Cyberattack Tactics
Many modern OT cyberattacks have demonstrated a shift from targeting specific manufacturing companies to place ransomware directly onto a network, to hackers using more widespread, ‘agnostic’ attacks by searching for misconfigured devices, open ports, or even through manufacturers’ support systems of suppliers and vendors.
An attacker can now potentially access far more targets through those unsecure channels than by focusing on one company. It is harder for businesses to recognize attacks on their network when they are not the primary target, but the organizational risks remain the same.
The strain this new need for support and oversight causes on plants and their operators is widespread, because organizations now must monitor their full OT systems and all the equipment in it – old and new, multi-vendor, and at all patching levels – 365 days a year. An attacker only needs one slip-up to get in systems and cause havoc.
If that is not enough, the industry is also grappling with the ramifications from a shortage of qualified cybersecurity professionals who understand the unique needs of the operational side of the network. This includes more than emails or financial information for a few companies, so IT security teams need to know how to manage and monitor all OT equipment and their supply chain, which includes an environment that requires safety functions not normally found in IT.
Below are six steps to improve cyber confidence in the OT space and work towards cyber sustainability and resiliency.
Build a Holistic Approach to Cybersecurity
It is important that your cybersecurity efforts are holistic and vendor-agnostic. Cybersecurity is not a game of picking and choosing protection levels for different systems. Since many OT systems interact and depend on each other to function properly, the entire environment needs to be protected in a way that can be managed centrally.
Use Available Standards
Standards and regulatory requirements, such as IEC 62443, NERC-CIP, AWWA and NIST 800-82, are major drivers for customers to begin their cybersecurity journeys. All security standards contain strong reference models for the secure development of industrial automation and control systems.
The AWWA cyber risk tool gives high-level guidance to what cyber policies and procedures a utility needs in place to run facilities safely, while the Purdue model for industrial control systems is for ‘defense in depth’ network segmentation. Both tools provide great starting points but require further assistance to understand how they are applied to a particular industry or facility.
Train and Enforce a Cybersecure Culture
All team members must be adequately trained on cyber policies to enforce a culture of cybersecurity. Training should focus on the employee’s role and their impact on organizational cyber risk, and it should go beyond the mandated minimum requirements to implement a role-based cybersecurity workshop for employees. In training and enforcing a culture of cybersecurity, it’s important for everyone in the organization to know how they, in their specific roles, fit into being cybersecure.
All it takes is one person clicking on a phishing email to infect the network, so it is critical everyone receives the necessary training for their role and is provided the most accurate and up-to-date information related to security.
Monitoring for anomalous behavior, such as incorrect logins or unapproved changes, to the networks is critical in identifying potential intrusions. Without monitoring and logs, the ability to remediate issues, perform root cause analysis and prevent them from reoccurring is extremely limited.
Utilize Next-Gen Tools to Fight Next-Gen Threats
Utilize advanced and ‘next-gen’ tools to fight the new next-gen threats. Don’t be afraid of utilizing artificial intelligence (AI) or the Cloud. A new side of the cybersecurity environment is the emergence of AI tools that can do the heavy lifting by learning the network and identifying threats in real-time, then letting employees focus on solving the problems with the insights provided by the tools.
Gain Insight from Outside Cybersecurity Experts
It is okay to ask outside cybersecurity experts for help. At the end of the day, organizations both large and small face the same cyber threats, and your struggles to combat those threats may be more similar than you think!
If you struggle with selecting the right cyber tools for your environment, do not fully understand how to adhere to industry cyber protection standards or just need help understanding your cyber strengths and weaknesses, you should feel comfortable asking for outside help. You can balance your staff’s skill level with outside resources and your budget to create a program that works for you, makes you an unattractive target, and minimizes your risk.
Cybersecurity Preparedness for the Water Sector
The primary threat water and wastewater utilities face from cyberattacks is downtime to operational systems. The water industry has huge potential for life safety implications if there is a failure in a number of things, including delivery and purification. Water is the basis of human life and delivering it in a timely and safe manner is critical.
Water utilities must actively work towards cybersecurity preparedness to protect OT systems from potential intrusion threats and mitigate any potential life safety implications that could occur. Utilities should look to third-party experts for cybersecurity assistance to fully understand the level of protection needed to defend against the latest industry threats, allowing their priorities to remain on the products and services provided to the public.
The key to determining the right mix of elements for your cyber platform depends on the level of protection you need. By understanding your level of risk and potential gaps, your organization can properly assess your platform, improve security posture with internal solutions, training and third-party experts and set you on a path towards cyber confidence.