By Kamil Karmali
Until recently, water supply security was based largely on the principle of isolation. Process control systems were built up over decades as a series of disconnected systems and applications, air-gapped by virtue of not being connected to other computers or to the internet, which made infiltration by external cybercriminals unlikely.
In the last 20 years, critical infrastructure providers—including water and wastewater facilities—have modernized their plants and distribution networks, integrating IT assets with operational technology (OT) and industrial control systems (ICS). The converged domains have unified information and control networks, delivering advantages such as centralized management and visibility into OT production and performance.
On the downside, it didn’t take long for cybercriminals to discover they could access OT and ICS networks by gaining a foothold on internet-facing IT systems and moving laterally into adjacent connected OT assets. With that, a new era of cyber threats was born.
In the water and wastewater industries, bad actors have infiltrated IT assets to disrupt business systems. More alarmingly, attackers have damaged equipment, discharged wastewater into environmentally sensitive areas, and implanted ransomware that disrupted operations.
Then came COVID-19. When the pandemic forced nonessential businesses to close and employees began working from home, organizations had to quickly, and often haphazardly, deploy secure remote work environments. The new remote access setups often lacked basic protections such as multifactor authentication or identity and access management (IAM).
For many local water systems, even a basic cybersecurity plan was out of reach given the lack of funding and resources available to them. Cybercriminals quickly flooded unsuspecting remote workers with phishing and ransomware attacks, often using COVID-19 lures.
Increasingly Damaging Cyber Threats
Today, threat actors have shifted their focus to the OT systems of critical infrastructure providers. Legacy infrastructure and the high cost of downtime and service interruption make a ransomware payout more likely. In a recent survey, 83% of critical infrastructure providers reported at least one OT security breach in the prior 36 months.[1]
What’s more, geopolitical tensions have risen dramatically. In recent months, conflicts have alarmed critical infrastructure operators and governments. Many cybersecurity experts believe Russia’s aggressive moves on Ukraine will lead to cyberattacks on critical infrastructure in other parts of the world.
As in other industries, the number one cyber threat facing water and wastewater utilities is ransomware. This technique enables threat actors to infiltrate IT systems and networks, often using stolen credentials, and implant malicious software that allows them to worm into connected OT systems and encrypt data. The results can be disastrous.
For example, the high-profile breach of Colonial Pipeline in May 2021 shut down the company’s business systems and prompted it to preemptively disconnect OT systems. The entire pipeline was disabled, causing gas shortages across the eastern U.S. This attack clearly demonstrated the ability of threat actors to breach OT systems and underscored the potentially catastrophic impact of attacks on OT systems of critical infrastructure providers.
For water utilities, risks hit closer to home in February 2021. A hacker gained access to a local water treatment plant in Oldsmar, FL, and hijacked operational controls.[2] The intruder spiked the system by adding sodium hydroxide, or lye, to the facility's water supply, contaminating it to dangerous levels. Had a plant operator not noticed and returned the lye to normal levels, thousands of people could have potentially been sickened or worse.
Following the Oldsmar attack, the FBI and other federal agencies issued a joint advisory warning of escalating attacks on IT and OT networks, systems, and devices in the water and wastewater sector.[3] The advisory warned operators to watch out for spearphishing, ransomware, and exploitation of outdated operating systems and firmware. It also offered federal resources and services to help smaller facilities identify and reduce their exposure to cyber threats.
Solutions Are Available
Though cyberattacks continuously evolve into more sophisticated threats, the good news is that most breaches take advantage of known, solvable gaps in an organization's IT and OT infrastructure.
Common gaps include:
- Lack of real-time visibility into the installed asset base and the vulnerabilities that threaten it.
- Inconsistent patch management strategy between IT and OT systems.
- Absence of a documented incident response workflow or disaster recovery plan.
Given how common these gaps are, the solutions available to close them, and the rising costs of unprotected operations, cybersecurity today must be considered a cost of doing business—an operational insurance policy for reliable uptime.
These gaps can be addressed by implementing best practices such as:
- Backing up your data and keeping a backup offline.
- Using a risk-based assessment strategy to drive your patch management program.
- Testing your incident response plan.
- Using a third-party penetration tester to check the security of your systems and your ability to defend against a sophisticated attack.
- Segmenting your networks.
- Conducting a tabletop exercise to test your incident response plan.
- Implementing a threat detection solution for your OT networks.
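A minimal form of the OT threat detection the last item describes, written as an added example that is not from the article or from Rockwell Automation: it scans constructed historian-style setpoint-change events for the kind of tampering described at Oldsmar, where a chemical dosing setpoint was pushed far outside its normal range, and also flags critical setpoints written from remote-access sessions. The log format, tag names, safe range and step threshold are assumptions.

```python
import re
from dataclasses import dataclass

# Assumed safe operating range for the lye (NaOH) dosing setpoint, in ppm;
# a site would take this from its own process engineering limits.
SAFE_RANGE = {"naoh_setpoint_ppm": (50.0, 150.0)}
# Assumed: a single write that moves a setpoint by more than 50% is abnormal.
MAX_STEP_FRACTION = 0.5

# Assumed historian/SCADA audit-log line format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) tag=(?P<tag>\S+) old=(?P<old>[\d.]+) new=(?P<new>[\d.]+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

@dataclass
class Alert:
    ts: str
    tag: str
    reason: str

def check_setpoint_events(lines):
    """Return alerts for setpoint writes that are out of range, unusually
    large, or made to a safety-critical tag from a remote-access session."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real deployment would count these
        tag, old, new = m["tag"], float(m["old"]), float(m["new"])
        lo, hi = SAFE_RANGE.get(tag, (float("-inf"), float("inf")))
        if not lo <= new <= hi:
            alerts.append(Alert(m["ts"], tag, f"out of safe range {lo}-{hi}: {new}"))
        elif old > 0 and abs(new - old) / old > MAX_STEP_FRACTION:
            alerts.append(Alert(m["ts"], tag, f"large step {old} -> {new}"))
        if m["src"] == "remote" and tag in SAFE_RANGE:
            alerts.append(Alert(m["ts"], tag, f"critical tag written via remote session by {m['user']}"))
    return alerts

# Constructed sample events; values are illustrative, not from any real incident.
SAMPLE_LOG = [
    "2022-03-01T13:02:10 tag=naoh_setpoint_ppm old=100 new=105 user=op1 src=hmi",
    "2022-03-01T13:05:44 tag=naoh_setpoint_ppm old=105 new=9000 user=op1 src=remote",
    "2022-03-01T13:06:01 tag=flow_setpoint_gpm old=400 new=400 user=op1 src=hmi",
    "2022-03-01T13:09:30 tag=naoh_setpoint_ppm old=60 new=140 user=op2 src=hmi",
    "corrupted line that does not match the format",
]

if __name__ == "__main__":
    for a in check_setpoint_events(SAMPLE_LOG):
        print(f"{a.ts} {a.tag}: {a.reason}")
```

In practice the same checks would run against the plant's real historian or HMI audit trail, with the safe ranges owned by process engineering rather than hard-coded.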
It is just a matter of time before a bad guy is successful in interrupting the operations of a water treatment facility—small or large. After all, they only have to be right once, and defenders have to be right all the time. We are hopeful that by adopting cyber hygiene practices, the day that someone is successful is far off in the future.
References
1. Skybox Security, Operational technology cybersecurity risk significantly underestimated, November 2021. https://www.skyboxsecurity.com/wp-content/uploads/2021/11/OT-research-report-skyboxsecurity-102521.pdf
3. CISA, Alert AA21-287A: Ongoing Cyber Threats to U.S. Water and Wastewater Systems, October 2021. https://www.cisa.gov/uscert/ncas/alerts/aa21-287a
About the author
Kamil Karmali serves as the Global Commercial Manager for the Rockwell Automation Global Services organization. He has more than 15 years of experience in cross-functional team leadership, sales management, talent development, and executive consulting in industrial IoT and manufacturing technology.
About the company
Rockwell Automation, Inc. (NYSE: ROK), is a global leader in industrial automation and digital transformation. We connect the imaginations of people with the potential of technology to expand what is humanly possible, making the world more productive and more sustainable. Headquartered in Milwaukee, WI, Rockwell Automation employs approximately 25,000 problem solvers dedicated to our customers in more than 100 countries. To learn more, visit www.rockwellautomation.com.