Guest Column | July 10, 2017

Water And Wastewater Control Systems: Overcoming A Tidal Wave Of Security Concerns

By Gabe Authier

It was reported in Verizon’s 2016 Data Breach Digest that a hacktivist group associated with Syria hacked into an anonymous water utility’s control system and changed the levels of chemicals being used to treat tap water. An unnamed water district, dubbed the Kemuri Water Company (KWC), experienced unexplained patterns of valve and duct movements over a period of at least 60 days.

It was discovered that attackers were manipulating the chemicals used to assure safe drinking water, and also altering the water flow rates causing disruptions to water distribution. Many other activities went unnoticed, including theft of more than 2.5 million unique data records, until Verizon’s forensic investigation started.

In this case, physical safety was at risk, but luckily no harm occurred because alert functionality caught the chemical and flow control issues. Also, it appeared that the type of outside attackers who gained access were likely “hacktivists” — usually not motivated by financial gain.

The attack was a real-life example of what the security industry has been warning about for many years — our critical infrastructure and industrial control systems (ICS) are a key target for hackers, and they are poorly protected. 

Industrial control systems monitor and control critical infrastructure, including utilities like water, electricity, and energy. They are programmed to do jobs that ensure that the water sent to people’s homes has the correct level of chlorine in it and that the electricity in towns and cities is always running. If industrial control systems were to be compromised, regular services could be disrupted and significant harm could occur.

While the Verizon discovery shows the attackers responsible for this attack did not seem to have a good understanding of the systems they were targeting, it does highlight that industrial control systems and water plants are a target for cybercriminals. If the attackers had been successful, the outcome could have been very different. For instance, imagine if a U.S. water plant was attacked. Water plants are heavily relied upon by the fire brigade, hospitals, and agriculture, as well as hundreds of millions of American households who rely on community water systems for their daily supply of water. Anything done to jeopardize this or contaminate the water would be disastrous.

The Elephant In The Industrial Control Room

One would assume that, given their importance, critical infrastructure such as water utilities and wastewater treatment plants would be running new-generation ICS and state-of-the-art security technologies to assure public safety and security against cyber threats.

Much of the equipment within the U.S. critical infrastructure sectors is at risk of aging out, needing replacement or upgrade, yet still in production use. For instance, many systems within the water and wastewater industry were built in the 1950s, long before today’s sophisticated cyberattacks, so they were never developed with security, modern networking architectures and communication protocols, and the internet in mind.

When the systems were built they had to be controlled manually, but over time new technology has been introduced to allow pumps to be controlled through automation or remotely via the internet. However, by transitioning to Internet Protocol (IP) communications instead of custom industrial protocols, and by adding systems built with commercial off-the-shelf (COTS) hardware and software components, operators have exposed these systems to a host of vulnerabilities and attacks.

This means these systems are in drastic need of replacement or upgrade in order to assure high availability and stronger security and safety. However, many of their operators are reluctant to carry out these updates out of fear of disruption that could result in downtime. In industrial control environments, a key business driver is ensuring reliability and availability of data, and operators fear that updating the technology would result in downtime, which could cause problems for their services. This also means that systems are often left unpatched and are therefore not protected against many well-known vulnerabilities. They could also be at risk of a number of security threats like phishing, ransomware, and distributed denial-of-service (DDoS) attacks.

Given how poorly water and wastewater systems are secured, and the impact an attack could have, it is no wonder these systems are such a key target for hackers. Cybercrime is one of the biggest threats businesses and consumers are faced with today, and while most industries are continuously modernizing their technology to defend against today’s sophisticated attacks, it seems there is an elephant in the industrial infrastructure control room.

What’s The Solution?

Given the growing complexity of industrial environments, it’s important that water and wastewater plants adequately protect against digital threats. A successful attack could wreak havoc on society, particularly if attackers did anything to tamper with the chemical levels in the water. However, doing so requires a multistep approach that focuses on network security, endpoint security, and industrial controller security.

So what can they do to strengthen their security posture?

The answer rests with industrial control systems security best practices. For instance, organizations need to inventory all their vulnerable industrial endpoints, achieve secure configurations of those assets, and monitor for malicious or unapproved changes.

Using their network needs as guidance, they should then design a network with separate zones and segmentations so that they can adequately contain a threat when it arises. All the while, organizations need to secure their industrial controllers via visibility into threats and changes to industrial control systems, protection of vulnerable controllers, and assurance of authorized changes.

In addition to this, they should also follow the below steps:

  • Deploy anti-malware and breach detection where possible.
  • Prevent unauthorized applications from running by deploying application whitelisting.
  • Prevent unauthorized changes by deploying secure configuration.
  • Minimize known vulnerabilities by deploying vulnerability management where possible.
  • Avoid physical attacks by enabling USB lockdown on all industrial control systems devices.
  • Segment the network with firewalls/IPS between business and industrial control systems networks.
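One way to implement the "monitor for malicious or unapproved changes" and "assurance of authorized changes" practices above, shown as an added example that is not part of the original column or any vendor's product: a poll of controller setpoints is compared with an approved baseline and a list of change tickets. All tag names, values and ticket ids are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data: tag names, values and ticket ids are hypothetical.
BASELINE = {"CL2_DOSE_SETPOINT_MGL": 1.2, "PUMP3_FLOW_SETPOINT_LPS": 45.0,
            "VALVE7_MODE": "AUTO"}
APPROVED_CHANGES = [
    {"ticket": "CHG-0001", "tag": "PUMP3_FLOW_SETPOINT_LPS", "value": 50.0,
     "start": datetime(2017, 7, 1, 8, 0), "end": datetime(2017, 7, 1, 12, 0)},
]
SNAPSHOT = {
    "CL2_DOSE_SETPOINT_MGL": 3.8,      # changed with no ticket
    "PUMP3_FLOW_SETPOINT_LPS": 50.0,   # matches CHG-0001
    "VALVE7_MODE": "AUTO",
    "REMOTE_ACCESS_ENABLED": True,     # tag absent from the inventory
}

def is_approved(tag, value, seen_at, approvals):
    """Return the ticket authorizing this exact value in its window, or None."""
    for a in approvals:
        if (a["tag"] == tag and a["value"] == value
                and a["start"] <= seen_at <= a["end"]):
            return a["ticket"]
    return None

def audit_snapshot(baseline, snapshot, seen_at, approvals):
    """Compare a controller snapshot with the baseline; list every deviation."""
    findings = []
    for tag in sorted(set(baseline) | set(snapshot)):
        old, new = baseline.get(tag), snapshot.get(tag)
        if old == new:
            continue
        if tag not in baseline:
            status = "UNKNOWN_TAG"       # never inventoried
        elif tag not in snapshot:
            status = "MISSING_TAG"       # inventoried tag no longer reported
        else:
            ticket = is_approved(tag, new, seen_at, approvals)
            status = f"APPROVED:{ticket}" if ticket else "UNAPPROVED"
        findings.append((tag, old, new, status))
    return findings

def rebaseline(baseline, findings):
    """Promote only approved changes, so later polls do not re-flag them."""
    updated = dict(baseline)
    for tag, _old, new, status in findings:
        if status.startswith("APPROVED:"):
            updated[tag] = new
    return updated
```

Unapproved and unknown-tag findings stay out of the baseline, so they keep alerting on every poll until someone investigates or files a change.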

Hackers tend to focus on low-hanging fruit targets, which take the least effort to compromise while yielding the biggest return. Water and wastewater management control systems are a great example of this. The industry needs to work to make its systems more secure and able to withstand today’s sophisticated cyber threats, otherwise it won’t be long before they come under attack.

Gabe Authier is a senior product manager at Tripwire, a leading provider of security, compliance, and IT operations solutions for enterprises, industrial organizations, service providers, and government agencies. He has over 15 years of experience in Product Management and Information Technology, with certifications in Agile practices and Pragmatic Marketing methodology, and is passionate about software development that brings solutions to the marketplace to solve customer problems.