By Jeremy Rasmussen
Cyberattacks targeting U.S. water utilities are no longer hypothetical scenarios, so it is past time to increase public protection by hardening cyber infrastructure.
This past February, a supervisor working remotely at the city of Oldsmar’s water supply plant in Tampa Bay, FL, noticed something unusual on his computer screen. Someone outside of the plant took control of the mouse and moved it across the screen to change the concentration of sodium hydroxide, or lye. All of this was happening right in front of his eyes.
Used correctly, lye helps control the acidity of water. When the concentration is altered to higher levels (in this case it was increased from 100 parts per million to 11,100 parts per million), the result can be extremely harmful. Lye can cause severe corrosive burns to the throat, esophagus, and stomach, with permanent damage if swallowed.
The potential Oldsmar water plant crisis was ultimately avoided thanks to the actions of the supervisor mentioned above. But the incident once again spurred concerns around cyber vulnerability at water utilities and the type of impact a breach could have on local residents.
The risks are such that in the Oldsmar breach, the FBI and the Cybersecurity & Infrastructure Security Agency (or CISA, the U.S. government’s cybersecurity organization) got involved. In this case, CISA found the breach was likely the result of factors that could have easily been avoided:1
- Desktop-sharing software called TeamViewer, used by IT staff for remote access to deliver periodic support, may have been compromised and used to gain unauthorized access to the system.
- Employees were sharing a single weak password for all computers reachable through the remote access system.
- Vital security updates for the Windows 7 operating system had not been performed.
Moving From Reactive To Proactive
Since then, Microsoft Exchange and Office 365 systems have also been breached worldwide. Ominously, authorities have concluded that many U.S. state and local governments were specifically targeted, among other sectors.
One thing is crystal clear: Municipal water districts and related utilities need to harden systems and processes as fast as possible. What’s more, these cannot be “one-off” initiatives. There are 153,000 public drinking water systems in the country, and more than 80 percent of the U.S. population receives their potable water from these drinking water systems.2 Taking these figures into account, it’s clear that water systems must move now from being reactive to proactively deploying best practices in cybersecurity.
These practices must focus on immediate cyber-hardening programs, such as vulnerability assessments, penetration testing, crisis response, and remediation planning, as well as include ongoing monitoring and oversight. In most cases, that means employing a managed security service with the depth of experience, security systems, monitoring procedures, and expertise to stop cyber intruders at the door more efficiently and effectively than can be done in-house. Every facility must commit to these improvements, from those in larger U.S. cities to smaller facilities such as Oldsmar, serving its community of 15,000 people.
Separating IT And OT
Another cybersecurity best practice for entities like municipal water organizations or utilities begins with separating two key elements, operational technology (OT) and information technology (IT). As water treatment facilities become increasingly digitized and complex — by adding more internet-connected devices that control various parts of the processes, for example — OT becomes more susceptible to cyberattacks. Some teams simply haven’t extended security protocols into the OT realm. For now, the best course of action is to separate the OT networks from IT, so that a compromise on the business network cannot reach the systems that control treatment.
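One concrete form of that separation is a default-deny boundary between the two networks, where only named flows are permitted and everything else is logged and dropped. The nftables ruleset below is an added illustration written for this article, not a configuration from any utility or from Abacode; the interface names (it0, ot0), address ranges, and the two permitted flows (an engineering-station range reaching a single OT jump host over HTTPS, and OT hosts forwarding syslog to an IT collector) are hypothetical placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny IT/OT boundary on a Linux firewall between the two networks.
# Interface names, addresses and ports are hypothetical and must be replaced for a real site.
flush ruleset

table inet ot_boundary {
    chain forward {
        # Nothing crosses the boundary unless a rule below says so.
        type filter hook forward priority 0; policy drop;

        # Allow return traffic for sessions a rule below has already permitted.
        ct state established,related accept
        ct state invalid drop

        # IT engineering stations -> one OT jump host, HTTPS only (hypothetical addresses).
        iifname "it0" oifname "ot0" ip saddr 10.10.5.0/24 ip daddr 10.20.0.10 tcp dport 443 accept

        # OT hosts -> IT log collector, syslog only, so OT activity is visible to monitoring.
        iifname "ot0" oifname "it0" ip saddr 10.20.0.0/16 ip daddr 10.10.5.20 udp dport 514 accept

        # Everything else that tries to cross the boundary is recorded, then dropped.
        log prefix "ot-boundary-drop: " counter drop
    }
}
```

The point of the layout is that the deny is the default and each permitted flow is narrow enough (one source range, one destination, one port) to be reviewed line by line; the log rule at the end turns every unexpected crossing into an event a monitoring service can alert on.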
Securing Remote Access
Facilities next must assess the use of remote-access solutions. Not surprisingly, remote-access solutions have become increasingly widespread as a result of COVID-19. While they offer tremendous benefits, such as enabling employees to execute critical job functions and get support from outside the office, they also dramatically increase susceptibility to attacks. According to a recent research report entitled Cybersecurity in the Remote Work Era: A Global Risk Report, 42 percent of organizations report they simply do not know how to defend against cyberattacks aimed at remote workers.3
The same study also found that 31 percent of respondents are not requiring their remote workers to use authentication methods, and only 35 percent require multifactor authentication. Access to system control must be protected by advanced-identification protocols, including the following:
- Ensure that all employees are using strong passwords that include upper and lowercase letters, numbers, special symbols, and more.
- Use multifactor authentication where users must present two or more pieces of evidence to access a program.
- Embrace whitelisting, where only identified entities are allowed access to the facility’s network.
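The weaknesses CISA identified at Oldsmar (a shared credential on every machine behind the remote-access tool) and the three controls listed above can also be checked for after the fact in a gateway’s login records. The script below is an added example written for this article, not code from the plant, CISA, or Abacode; it parses a constructed sample log in a made-up format and flags logins that were completed without multifactor authentication, logins from sources outside a hypothetical allow-list, and accounts that appear on enough distinct hosts to look like a shared password rather than a personal one.

```python
"""Audit remote-access login records for the weaknesses discussed in the article.

Added example. The log format, the sample lines, the allow-list and the
threshold are all constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: one login event per line (not from any real gateway).
SAMPLE_LOG = """\
2021-02-05T09:12:03Z login user=ops_shared src=203.0.113.44 host=hmi-01 mfa=no
2021-02-05T09:14:10Z login user=ops_shared src=203.0.113.44 host=hmi-02 mfa=no
2021-02-05T09:20:41Z login user=ops_shared src=198.51.100.7 host=scada-srv mfa=no
2021-02-05T10:02:55Z login user=jdoe src=10.10.5.23 host=hmi-01 mfa=yes
2021-02-05T11:45:09Z login user=vendor_svc src=192.0.2.99 host=plc-gw mfa=yes
"""

# Hypothetical allow-list: the only source ranges that should reach the remote-access service.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.10.5.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"host=(?P<host>\S+) mfa=(?P<mfa>yes|no)$"
)


@dataclass(frozen=True)
class Login:
    ts: str
    user: str
    src: str
    host: str
    mfa: bool


def parse_line(line):
    """Return a Login for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Login(m["ts"], m["user"], m["src"], m["host"], m["mfa"] == "yes")


def parse_log(text):
    """Parse every well-formed line, silently skipping malformed ones."""
    return [ev for ev in (parse_line(x) for x in text.splitlines()) if ev is not None]


def audit(logins, allowed_sources=ALLOWED_SOURCES, shared_host_threshold=3):
    """Return (kind, user, host_or_hosts, src) tuples for each weakness found.

    kinds: 'no_mfa', 'source_not_allowlisted', 'possible_shared_account'.
    """
    findings = []
    hosts_by_user = defaultdict(set)
    for ev in logins:
        hosts_by_user[ev.user].add(ev.host)
        # Control 2 in the article: every remote login should have presented a second factor.
        if not ev.mfa:
            findings.append(("no_mfa", ev.user, ev.host, ev.src))
        # Control 3: only identified (allow-listed) sources should reach the gateway at all.
        src = ipaddress.ip_address(ev.src)
        if not any(src in net for net in allowed_sources):
            findings.append(("source_not_allowlisted", ev.user, ev.host, ev.src))
    # The Oldsmar pattern: one credential used on many hosts suggests a shared password.
    for user, hosts in hosts_by_user.items():
        if len(hosts) >= shared_host_threshold:
            findings.append(("possible_shared_account", user, ",".join(sorted(hosts)), ""))
    return findings


if __name__ == "__main__":
    for kind, user, host, src in audit(parse_log(SAMPLE_LOG)):
        print(f"{kind:24s} user={user} host={host} src={src}")
```

On the constructed sample this reports three logins without MFA, two from non-allow-listed sources, and one account (ops_shared) seen on three different hosts. In a managed-monitoring setting the same three checks would run continuously against the gateway’s live log feed rather than over a file, and the shared-account threshold would be tuned to how many hosts one operator legitimately touches.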
Managed Cybersecurity Services
In addition to tightening the protocols of your team, the value of identifying a third-party cybersecurity partner at this critical time cannot be overstated. Cybersecurity companies combine 24/7 threat monitoring with the ability to identify and react to breaches as they happen, which ultimately minimizes impact or damage, or avoids it altogether.
In the case of Oldsmar, the good news is that a potentially deadly crisis was averted. The bad news is that other dangers loom large. U.S. Sen. Mark R. Warner, D-VA, chairman of the Senate Select Committee on Intelligence, put it nicely when he said, “This incident has implications beyond the 15,000-person town of Oldsmar.”4 More needs to be done, and this includes a new and expansive set of best practices that all facilities adhere to. This is how we prevent another incident and ensure the integrity of our drinking water.
Whether it’s a public water system, a major bank, or a small business, every organization needs to take proactive measures against cyber threats.
About The Author
Jeremy Rasmussen is chief technology officer and chief information security officer (CISO) at Abacode, a next-generation managed cybersecurity and compliance provider (MCCP) that works with municipal water plants and utilities across the U.S. Leveraging a unified platform, Abacode helps businesses of all sizes implement a holistic, framework-based cybersecurity program with a unique service model that enables customers to transform cybersecurity challenges into a competitive advantage.