A Back Door Through the Front Entrance

Your plant’s biggest cyber threat might just be your corporate office

By Carole Hawkins

The Internet of Things (IoT) has arrived and industry is plugging all kinds of smart devices into the cloud for a cheaper, more hassle-free network. Water and wastewater plants are hooking up smart meters, sensors and energy management systems; but all these new Internet-tethered tools also give hackers more surface area from which to launch a cyber attack.

That being said, a smart device is not the platform from which a cyber attack that takes control of plant equipment is most likely to begin. There’s a bigger chance it will come from the computers in your corporate office. It’s the steady march toward connectivity between business offices and operations that’s putting industrial control systems most at risk. That’s because breaking into a business-side PC is better understood by hackers than breaking into a device like a water pressure sensor, security experts say. Once inside, however, a hacker can jump over to your industrial control network.

Cybersecurity: Malware infects wastewater utility SCADA system
Radiflow CEO Ilan Barda appears on the February 12, 2018, edition of the WaterWorld Weekly Newscast to discuss a recent cybersecurity breach that attempted to poach processing power from a wastewater utility to mine cryptocurrency.

How Did We Get Here?

Water and wastewater utilities have been connecting industrial control networks to business networks for over a decade. It’s allowed companies to seamlessly pass data about operations over to business executives. The trend is not likely to reverse itself, said Mille Gandelsman, chief technology officer of industrial cyber security startup Indegy.

“Up until three or four years ago, we’d hear people say their control network is secure because it’s physically disconnected from the enterprise side,” he said. “We no longer hear that.”

Water Systems at Risk

The new connectivity makes work more efficient, but it also adds risk.

Last year, the Department of Homeland Security received 290 reports of cyber attacks against industrial control systems - more than a dozen of which were against water and wastewater utilities. Almost all originated on the business side of the network, said Mark Bristow, who works with the department’s Industrial Control Systems Cyber Emergency Response Team.

The top method used in the attacks was spear phishing. By sending an email that appears to be from a trusted source, the hacker lures the victim to voluntarily send back login or other personal information. Stolen logins can compromise plant operations at a very high level, Bristow said.

It’s how the 2015 attack on the Ukraine power grid began. Hackers stole credentials that allowed them to impersonate legitimate users, and then systematically shut down substations. The incident turned the power off for 230,000 residents. As fellow users of industrial control systems, water and wastewater utilities should take note.

“The fundamental technology is the same. So, the threats found in other sectors really do apply,” Bristow said.

Smart Devices Attacked Too

Although attacks commonly start on the business side, everything attached to the Internet needs to be protected. A chlorine sensor that uses a cloud connection to report data can potentially be hacked. If infected with malware, the device could spread destructive commands to anything tied to it on the ICS network, all the way back to the control server.

The U.S. Justice Department in 2013 reported a remote flood-control monitor had been penetrated during a cyber attack against a small dam in Rye, N.Y. The dam was offline for repairs, so the attack didn’t cause harm. But as journalist Max Kutner reported in Newsweek, hackers were able to obtain water-level and temperature information, and would have been able to operate the floodgate remotely if the dam had been functional.

Securing the System

In 2013, President Obama signed executive order 13636, which called for new guidelines to protect critical infrastructure from cyber attacks. In response, the National Institute of Standards and Technology published the ”NIST Cybersecurity Framework,” a voluntary guide of best practices for critical infrastructure.

The American Water Works Association (AWWA) created its own guidance adapted specifically for the water and wastewater industries (available on the organization’s website). It includes a document that tells ICS managers what cyber security issues they need to consider when operating their water systems.

The association also published a Use-Case Tool, which offers case-by-case scenarios of common upgrades to water systems. It correlates those upgrades to the cyber controls needed to support them. AWWA’s sections plan to offer training by early 2018 to help managers better understand the guidance and use-case tool.

The potential for a cyber attack against a water utility needs to be taken seriously, said Kevin Morley, AWWA federal relations manager and a cyber security expert for the association.

“There’s enough connectivity between OT (operational technology) and IT systems that you need to do your due diligence and figure out how you’re managing cyber risk,” he said. “No exceptions.”

Small Utilities Not Necessarily Aware

Many smaller utilities underestimate the threat, said Anil Gosine, an industry speaker on cyber security. “They think they are too small and nobody’s going to worry about them,” he said. “It hasn’t happened to them, so they’re not willing to invest.”

Gosine led the ICS team at the Detroit Water and Sewerage Department in 2012 when the utility connected its control network to its IT network. The company included cyber security in its upgrade. Gosine said managers of smaller water utilities often feel apprehensive about tackling cyber security, but there are baby steps everyone can take.

“You don’t have to spend $10 million,” he said. “You can do some things to strengthen your system with what you already have in place.”

One strategy is to perform a network audit. Understand each component and how it could be compromised. Software applications should stay updated, passwords need to be protected, unused ports need to be locked down, and security perimeters need to be established. Any dial-up connections that are still on the network are particularly vulnerable and can easily be hacked.

Situational awareness is something many small utilities lack. “If you can’t tell me how many switches you have at your site, you probably don’t have good management of your system,” Gosine said.

Industrial Cyber Risks Are Different... So Are Solutions

These basic security steps seem familiar, since companies have been protecting IT environments this way for years. But an IT hack is different from a hack of the industrial control network. Instead of losing customer billing information, which can be restored from backup, an ICS hack could mean raw sewage is released into the city’s river or a 750-horsepower motor is destroyed.

“If there is a breach, we’re not talking about the availability of data anymore. We’re talking about the safety of people,” said Mike Firstenberg, director of industrial security for Waterfall Security Solutions.

This high-stakes industrial environment has brought new solutions forward, designed specifically to secure ICS systems.

One of these is unidirectional gateway technology, a one-way path installed in place of the firewall that’s normally used between the control and business networks. Firewalls typically connect a protected network to one that is less secure, such as the Internet-exposed business network.

Waterfall Security Solutions manufactures a unidirectional gateway that uses signals of light, not electricity, to pass data one way only - from operations to business. It means a hack on the business side can’t physically jump to the control network. Firewalls can also be configured as a one-way connection, but it’s not truly one-way because underlying Internet protocols are two-way by nature, making a firewall less secure, explained Firstenberg. “A firewall is a software-based product,” he said. “Because it is software, there’s always going to be a way to hack it.”

Vendors are also developing advanced intrusion detection products. These are like an early warning system, alerting operators that a hacker is inside the gates. They monitor network communications for anomalies that might indicate an attack is underway.

The approach uses machine learning to create a model of trustworthy activity. It then compares new behavior against this model.

“For example, if a communication came in from outside the ICS network, that would be unusual. You wouldn’t normally expect that,” said Indegy’s Gandelsman.

Indegy manufactures an intrusion detection product specifically designed for industrial control networks. The company differentiates its product by including protocols unique to industrial controllers in the communications it monitors.

Plan for Recovery

If the worst happens and your company comes under a cyber attack, you should know what you’re going to do to respond to it, advised Bristow. DHS has been providing direct support to help companies deal with cyber attacks since 2009.

“If your response is only to pick up the phone and call DHS or a third-party response vendor, that’s fine,” Bristow said. “But, have that plan in place because you don’t want to be making it up on the day of the incident.”

Editor’s Note: For help with a cyber incident, contact DHS by phone at 703-235-8832 or 888-282-0870, or via e-mail at [email protected].

About the Author: Carole Hawkins is a Jacksonville-based freelance journalist who specializes in real estate, urban planning, industry and transportation, technology, environmental science and small business entrepreneurship.

Stand-alone Access Control

Security should inherently be the most robust system in a customers’ operation and, therefore, consist of contingencies and fail-overs that ensure protection of important subject matters and continued safety of people and valuables. Stand-alone systems provide a viable safety option for any system - including IOT systems.

One form of stand-alone access control are smart keys and electronic locks. Key-centric systems offer an affordable option to data centers with applications as diverse as server racks, server room, office, and building doors. One such system, CyberLock, is used by the City of Seattle. It allows Seattle Public Utilities to control who has access to secured facilities and schedule when they are allowed access.

The audit reporting capabilities of smart-key systems are valuable when regulations require an audit trail, helping to meet a range of requirements from health regulations and critical infrastructure guidelines to security mandates on personal information.