From The Editor | August 23, 2016

Is It Time To Start Worrying About Treatment Plant Hackers?

Peter Chawaga - editor

By Peter Chawaga

With so many day-to-day concerns, from consistent lack of funding to steadily failing infrastructure, cybersecurity threats probably do not rank very highly in the minds of treatment plant operators and utility managers.

Indeed, cybersecurity threats were only the eleventh highest concern among the utility, municipal, and commercial stakeholders polled for Black and Veatch’s “2016 Strategic Directions” report. Yet there may be reason for the threat of computer hacking to rank a little higher.

“Although strong punitive action with harsh fines or penalties is rarely seen within the water sector for cybersecurity or information technology-related events, the stakes are high,” the report reads. “Because of the large volume of complex and potentially hazardous chemicals managed by water authorities … a potential cybersecurity breach has the ability to impact a significant amount of consumer and voter confidence.”

Though incidents are rare, the threat is very real. Earlier this year, a group of hackers infiltrated an undisclosed treatment plant and managed to change the chemical levels four times, as reported by our Sara Jerome and the International Business Times.

The hackers accessed the plant’s industrial controls systems (ICS) via its operational technology, the software and hardware used to remotely move and treat water. ICS consist of the plant’s distributed control systems, supervisory control and data acquisition (SCADA) systems, and field devices like programmable logic controllers, sensors, analyzers, and actuators.

“Historically, ICS have not been designed with security as a central requirement,” said Michael Arceneaux, managing director of the Water Information Sharing and Analysis Center (WaterISAC), a security network for drinking water and wastewater operations. “That alone doesn’t make them vulnerable, but if those systems are not protected from the Wild West of the internet, hackers could gain access and manipulate the movement and treatment of water.”

Now that ICS are on remotely-accessible networks, the threat of infiltration has become acute. Arceneaux said that if they are connected to the internet and identifiable, hackers can gain access by cracking passwords. Viruses that infect the systems through email, USB drives, or connected mobile phones can also be a route into the plant’s systems and hackers can also enter via the enterprise IT system, he added.

“Typical threat vectors are disgruntled employees or contractors, ‘hacktivists’ not even aware what systems they are compromising, terrorists, or nation-states,” said Joe Weiss of Applied Control Solutions, an ICS security firm. “In a recent honeypot demonstration (making a test computer system look like a real system to identify who is trying to attack it), a fictional, small, rural water system connected to the internet was being attacked by actors from Russia, China, the Middle East, and others within an hour.”

It might sound like a desperate situation, but there are ways that treatment plants can protect themselves.

WaterISAC offers a best practices guide for reducing exploitable weaknesses and attacks. The recommendations include inventorying control system devices and eliminating exposure on external networks, segmenting networks and applying firewalls, and using secure remote access methods. Arceneaux also recommended free or dues-based analysis and mitigation services from WaterISAC, the American Water Works Association’s cybersecurity guidance, and the Department of Homeland Security’s cyber resilience review.

Above all, those with the power to protect against cybersecurity threats must provide the resources to do so.

“It’s essential for boards and senior leadership to understand the potential threats and consequences to the utility and to provide the necessary resources,” Arceneaux said.

Weiss encouraged utilities to treat ICS security with the same degree of rigor that they do IT security, to understand what is actually installed in the field, and to get familiar with the International Society of Automation’s industrial automation and control system security guidelines.