The threat of cyber security breaches has emerged as a growing risk for water utilities. Earlier this year hackers linked to Syria breached the security of an American water utility and tampered with critical systems to control water flow. What practical steps can utilities take to safeguard facilities and customer details from cyber security risks?
By Andrew Williams
A recent PwC study concludes that the average utilities company holds data worth in excess of £50 million to a cyber criminal seeking to exploit that information. Customers are also far more aware of their personal information security than they were even ten years ago.
As a result, the instigators of cyber security threats have evolved at an alarming rate over the last 10-15 years, according to Barry Searle, director of training at intqual-pro. Although once considered to be a state sponsored activity, or restricted to highly capable criminal hackers, the primary skill sets required to conduct cyber crime, espionage or even terrorism can now be “self taught utilising platforms such as YouTube”, he says.
While the traditional, financially motivated cyber criminal is arguably still the most common, there is now also a far greater chance of a disgruntled employee, customer or even competitor, having the capability to disrupt operations through a cyber attack. Furthermore, cyber ‘hacktivism’ continues to grow, particularly in areas such as data leaks and denial of service attacks.
“For the first time we also face terrorist organisations with a legitimate offensive cyber capability, for which critical national infrastructure such as water and wastewater [facilities] would be primary targets,” says Searle.
In his view, the water sector faces two separate threats in relation to cyber security. The first is a threat against assets critical to national infrastructure, such as treatment works and dams, which represent “an appealing target for those criminal actors seeking to cause mass disruption or worse”.
For Searle, the fact that many companies have linked critical and sensitive SCADA systems to broader external networks is “probably the greatest vulnerability” and the fact that SCADA systems are often not on isolated networks, means that many of them “could in theory be accessed as a result malware introduced to primary networks through a technique known as spear phishing”.
Over 90% of attacks were attributed to some form of human error in the last quarter of 2015 and tactics such as spear phishing through social engineering rise year on year, due to the success and ease in which the human being can be manipulated.
“I certainly find that while the technical infrastructure may be suitable within the water and wastewater industry, cyber security culture is years behind that of financial sector, which has more experience in dealing with cyber criminality,” he adds.
As well as the threat to infrastructure, a perhaps greater threat lies in the risk to reputation.
In countries like the UK, the water sector is lucky because customers do not have a choice of which provider they can use and are unable to switch.
Elsewhere, Michael Arceneaux, managing director at WaterISAC - a non-profit, water industry-lead centre for sharing physical and cyber threat information with utilities and water sector professionals in government and private companies - reveals that cybersecurity threats to water utilities “range from common to sophisticated and are generally no different than threats to other sectors”. In common with all individuals and organisations that have computers and are connected to the internet, he also points out that malware, particularly ransomware, is a threat to water and wastewater utilities.
“Network intrusions are also a threat for all organisations. These intrusions can lead to the theft or loss of data and damage to internal business systems and customer-facing platforms, inhibiting a company from conducting business. Another threat is the business email scam, whereby a criminal pretends to be a company executive directing staff to transfer funds electronically to seemingly legitimate, but actually the criminal’s, account,” he says.
“Historically, water utility control systems have not been designed with security as a central requirement. They were primarily designed for their specific missions, like controlling pumps. That alone doesn’t necessarily make them vulnerable, but if those systems are not protected from the ‘Wild West’ of the Internet, hackers could gain access and manipulate the movement and treatment of water,” he adds.
The full scale of the threat facing the sector was illustrated earlier this year, when hackers linked to Syria breached the security of a water utility in North America and tampered with critical systems used to treat and control the flow of water. Elsewhere, there is evidence that an Iranian-backed group hacked a dam in New York state - and the systems of a number of power companies in Ukraine, as well as the Israeli Electricity Authority, have been compromised in recent months.
As Kevin Morley, federal relations manager at the American Water Works Association, explains, some of the more public incidents have also been insider-related actions, as was the case in Maroochy Shire Council in Queensland, Australia, where he says a disgruntled employee accessed the SCADA system and released 800,000 litres of raw sewage, causing environmental and economic damages.
According to Arceneaux, the most common incidents currently reported to WaterISAC involve so-called ransomware, where an employee clicks on a malicious email link in an email or on a website and unknowingly downloads malware that encrypts their data, or inserts an infected thumb drive or personal device.
“The encrypted data is held hostage until payment is made. However, reports to WaterISAC indicate that affected organisations have successfully avoided paying the ransom by restoring their data from back-ups and removing the malware from their networks. This, of course, can be expensive,” he adds.
Commenting on the strategies adopted by facilities to tackle such risks, Searle argues that there is currently far too much emphasis on technological solutions. Although he admits more needs to be done about isolating critical SCADA systems from main networks, he stresses that primary risk to utilities is the “introduction of malware onto a system or network, with an intention of gaining control of systems, or simple data theft”.
“In almost all cases, that malware will require a human action in order to reach the target network. Therefore, better cyber awareness and a changing of culture are the most critical steps that the industry needs to take,” he says.
“Field engineers, call centre staff and operations teams all engage with external networks on a daily basis, yet I’ve met very few that would identify cyber security as their responsibility, or have any idea as to how to manage that risk,” he adds.
At least in Europe, Searle is pessimistic about the immediate prospects of utilities treating the risk seriously - and believes it will take a serious incident within a UK or European water company before effective strategies are implemented. This is largely because he claims the threat is “not yet given a high enough resource allocation at board level”.
“Money has been spent on increasing efficiency and digitalising both operational assets and customer facing services like payment and communication systems, all of which bring increased vulnerability, which has not, in any case that I have seen, been effectively mitigated,” he says.
Looking ahead, he urges companies to carry out full external audits of IT networks and systems to identify specific risks, followed by the splitting of critical operational networks like SCADA systems from business networks to mitigate the risk of operational disruption via a ‘softer’ access point on a business network.
“Water companies also need systems in place to allow employees at all levels to understand how vulnerable the sector is and begin to transform culture and interest. I often use a Stuxnet film as part of my briefing materials. Despite Stuxnet being five years old, I am asked every time in the water sector, ‘is that real?’ by senior members of staff. That, for me is the primary indicator that the level of risk within the sector is not understood, simply because it has not happened yet,” he adds.
In terms of practical steps, Morley also points out that AWWA has developed guidance and a use-case tool that provides a baseline for utilities managers that allows the utility to consider “how they use various technologies ... and provides a prioritised list of controls that would be applicable”.
“The utility can then use the report to evaluate if those controls have been implemented or how they might take action to do so,” he says.
“There are very simple actions that can be taken to manage cyber risk and reduce exposure. This is just as much a liability for a utility as a broken main or failed pump … the value of process control systems to the mission of the utility must be recognised and integrated to overall capital and risk management programs,” adds Morley.
Meanwhile, Arceneaux stresses there are several best practices utilities can implement - particularly those found in a free recent WaterISAC guide called 10 Basic Cybersecurity Measures: Best Practices to Reduce Exploitable Weaknesses and Attacks, developed in partnership with the Department of Homeland Security’s ICS-CERT division.
ICS-CERT has advised utilities to implement the first three recommendations, including inventorying control system devices and eliminating exposure of this equipment to external networks, segmenting networks and applying firewalls, and using secure remote access methods “as soon as practical”.
Other recommendations include establishing role-based access controls, using only strong passwords and conducting cybersecurity training for employees, and encouraging boards and senior leadership to understand the potential threats and consequences to the utility and provide the necessary resources.
Arceneaux adds: “Another key risk that will only grow is the risk from the Internet of Things (IoT) - the devices we use every day that are more and more often connected to the internet, from mobile phones to security cameras. Several resources are available to help utilities understand and manage the risks.”
He adds: “Of course, technology is constantly evolving and the hackers always seem to exploit vulnerabilities before the good guys get around to mitigating them. Cybersecurity is a constant battle.”
Andrew Williams is a freelance writer for WWi magazine, based in the UK.
More Water & WasteWater International Archives Issue Articles