How water utilities can improve cyber-confidence in the OT space

Dec. 7, 2021
Organizations need to now monitor their full OT systems and all the equipment in it—old and new, multi-vendor, and at all patching levels—365 days a year.

With two high-profile 2021 cyberattacks on US utilities, there's a focused effort to digitize and modernize utility systems to protect against future attacks. As industries like the water sector engage in deeper cybersecurity discussions, it's important that they understand where to start and what steps to take.  

Andrew Nix, operational cybersecurity consultant at Schneider Electric, offers insight on cyber-threats facing the water sector and advice on how water utilities can put themselves on a pathway towards cyber-confidence. Take a look...

Smart Industry: What is the state of cybersecurity with the OT elements of water utilities? 

Andrew: Digital modernization and automation of utility systems is bringing great benefits, but it’s also bringing new security risks. US Department of Justice is estimating that cybercrime will cost the global economy $6 trillion this year, so water utilities must embrace cybersecurity controls and work toward a pathway to cyber-confidence. Two big recent cyberattacks on US utilities underscore the importance of this clearly rising threat to critical infrastructure, including water and wastewater treatment plants.

Years ago, many industries, like water, had never thought to engage in cybersecurity-related conversations. That has changed with advancements in cybersecurity threats. Now, these teams are having to focus on how best to achieve OT security.  

Many modern OT cyberattacks have demonstrated a shift from targeting specific manufacturing companies and placing ransomware directly onto a network, to hackers using more widespread, ‘agnostic’ attacks by searching for misconfigured devices, open ports, or even through manufacturers’ support systems of suppliers and vendors.   

An attacker can now potentially access far more targets through those un-secure channels than by focusing on one company. It’s harder for businesses to recognize attacks on their network when they are not the primary target, but the organizational risks remain the same. 

This new need for support and oversight is causing a widespread strain on plants and their operators, because organizations need to now monitor their full OT systems and all the equipment in it—old and new, multi-vendor, and at all patching levels—365 days a year. An attacker only needs one slip-up to get in systems and cause havoc.  

Smart Industry: Are water utilities particularly vulnerable? 

Andrew: Unfortunately, yes, they are particularly vulnerable. These organizations are targeted for two primary reasons:

  • The general age and state of their infrastructure and equipment. These are typically mixed-vendor environments with equipment purchased at different times by different groups for different purposes. This mixed environment makes the operation more difficult to manage and secure because different pieces may be using different protocols, different types of security and contain different vulnerabilities. It only takes one vulnerability in one device, for the entire network integrity to be impacted. 
  • The criticality of the services that they provide. Just like we saw in Florida, if someone is able to cause an event—manipulate process integrity, cause an outage, damage some equipment or contaminate the product—they can impact the lives and safety of the hundreds, thousands or millions (depending on the size of the municipality). Attackers understand this and want to impact the largest group with smallest effort. They recognize that targeting water utilities may be the easiest way to do that.  

Smart Industry: Is this an IT issue or OT issue or IT/OT issue? 

Andrew: Yes, yes and yes! There are still a large number of cyber-attacks that come from the IT channel, then filter to the OT space due to a lack of cybersecurity at the edge. There is also a growing number of malwares that specifically target operational devices and protocols, including those that impact PLCs, SCADA, and power/building management platforms. 

From an attack perspective, both sides represent vulnerabilities—whether directly or indirectly. From an IT/OT relationship perspective, responsibility for ownership, maintenance, patching, and even the standards around building their network. This can ultimately lead to a network that is less holistically defended and less prepared for what to do in defense of a potential cyber-attack attempt.  

Smart Industry: How can water utilities best protect themselves from emerging threats? 

Andrew: Its critical for utilities to make this a priority. Here are steps to help improve your cyber-confidence in the OT space and work towards cyber-sustainability and resiliency:  

 Build a holistic approach to cybersecurity: It is important that your cybersecurity efforts are holistic and vendor-agnostic. Cybersecurity is not a game of picking and choosing protection levels for different systems. Since many OT systems interact and depend on each other to function properly, the entire environment needs to be protected in a way that can be managed centrally. 

 Use available standards: Standards and regulatory requirements, such as IEC 62443, NERC-CIP, AWWA and NIST 800-82, are major drivers for customers to begin their cybersecurity journeys. All security standards contain strong reference models for the secure development of industrial automation and control systems.   

The AWWA cyber-risk tool gives high-level guidance to what cyber-policies and procedures a utility needs in place to run facilities safely, while the Purdue Model for industrial-control systems is for ‘defense in depth’ network segmentation. Both tools provide great starting points but require further assistance to understand how they are applied to a particular industry or facility.  

 Train and enforce a cyber-secure culture: All team members must be adequately trained on cyber-policies to enforce a culture of cybersecurity. Training should focus on the employee’s role and their impact on organizational cyber-risk, and it should go beyond the mandated minimum requirements to implement a role-based cybersecurity workshop for employees. In training and enforcing a culture of cybersecurity, it’s important for everyone in the organization to know how they, in their specific roles, fit into being cyber-secure. 

All it takes is one person clicking on a phishing email to infect the network, so it’s critical everyone receive the necessary training for their role and is provided the most accurate and up-to-date information related to security.  

 Monitor day-to-day operations: Monitoring for anomalous behavior, such as incorrect logins or unapproved changes to the networks, is critical in identifying potential intrusions. Without monitoring and logs, the ability to remediate issues, perform root cause analysis and prevent them from reoccurring is extremely limited. 

 Utilize next-gen tools to fight next-gen threats: Utilize advanced and ‘next-gen’ tools to fight the new next-gen threats. Don’t be afraid of utilizing artificial intelligence (AI) or the cloud.  A new side of the cybersecurity environment is the emergence of AI tools that can do the heavy lifting by learning the network and identifying threats in real-time, then letting employees focus on solving the problems with the insights provided by the tools.  

 Gain insight from outside cybersecurity experts: It’s okay to ask outside cybersecurity experts for help. At the end of the day, organizations both large and small face the same cyber-threats, and your struggles to combat those threats may be more similar than you think!   

If you struggle with selecting the right cyber-tools for your environment, don’t fully understand how to adhere to industry cyber-protection standards or just need help understanding your cyber-strengths and weaknesses, you should feel comfortable asking for outside help. You can balance your staff’s skill level with outside resources and your budget to create a program that works for you, makes you an unattractive target, and minimizes your risk. 

Smart Industry: What is encouraging about security in the utilities realm? 

Andrew: I’m optimistic about the general awareness of this issue and the potential for investments in this area through the government’s infrastructure bill. Today, there is much greater visibility in defending operational infrastructure than there has been in the past few years. This is driving innovation and making it more cost-effective to become an unattractive cyber-target.

In the past, it may have taken nearly a full staff of highly skilled engineers to manage a cyber-platform. Now, there are a plethora of tools available to manage the heavy lifting across a network for to support the existing staff.  

Rather than try to identify/resolve everything themselves—they can now rely on OT cyber-tools and focus on actionable results. These utilities should look to outside vendors and experts to validate what is both needed and a fit for their environment. They also need to not fall for the ‘shiny objects’ but rather focus on tested platforms and those that best math their environments and their specific needs. 

AWWA and IEC are building standards that are helping industry professionals build maps and checklists to be more defendable. In general, there is much more acceptance at the management level than there are specific needs when it comes to defending OT infrastructure.