The world's most capable, rugged and secure
industrial control system...
Introducing Bedrock OSA® Remote
- Intrinsically-secure PLC and RTU control
- 10 or 20 channels of universal I/O
- Free IEC 61131-3 engineering software
- -40ºC to +80ºC temperature range
- Rugged, all-metal case 5.4 in x 8.9 in x 2.3 in
Understanding and Managing ICS Cyber Security Threats to U.S. Water and Wastewater Utilities
September 28, 2020 | Robert Bergman
“Government intelligence confirms the water and wastewater sector is under a direct threat as part of a foreign government’s multistage intrusion campaign, and individual criminal actors and groups threaten the security of our nation’s water and wastewater systems’ operations and data,” begins the executive summary of the American Water and Wastewater Association (AWWA) report titled “Cybersecurity Risk & Responsibility in the Water Sector.”
The report provides the AWWA’s assessment of the cyber threat to the water industry, which it sees as substantial – not just from the perspective of the regulators but also industry employees. They cite a 2019 survey of 20,000 utility employees that revealed fears that cyber threats could have the biggest impact on water and wastewater operations, but that lack of resources and conflicting priorities could prevent them from addressing them adequately.
Their fears are not unfounded. The report describes a range of attacks on water and wastewater utilities, including ransomware attacks, tampering with Industrial Control Systems, manipulating valve and flow operations and chemical treatment formulations, and other efforts to disrupt and potentially destroy operations. The tactics in the water and wastewater industry are similar to those used in other industries, including the following:
- Spear phishing emails to specific individuals
- Watering-hole domain attacks on websites frequent used by groups, such as trade associations
- Google-dorking, in which hackers locate internet-facing devices using Google searches
- Credential gathering in which attackers use stolen credentials to access the target systems and navigate within the system
- Host-based exploitation targeting attached devices
- Open-source and network reconnaissance, exploiting vulnerabilities of unprotected systems
- Direct targeting of the ICS infrastructure to gain control over operations
The authors also identified the following factors that have contributed to the success of such tactics:
- Insufficient antivirus, integrity-maintenance and other security tools, particularly for network devices used by small businesses and operating on residential-class routers
- The fact that some manufacturers build and distribute the devices with exploitable services to make them easier to install, operate and maintain
- The failure to change vendor default settings, enhance security and regularly patch systems and software
- The failure to remove or update antiquated or outdated equipment that is no longer being supported by the manufacturer or vendor
- Overlooking network devices when assessing risk or recovering from a cyber intrusion
Key U.S. government agencies have made water infrastructure protection from cyber threats a top priority. U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the FBI and water industry groups have offered recommendations that water and wastewater utilities can use to reduce exploitable weaknesses and defend against avoidable data breaches and cyber-attacks. These include maintaining an accurate inventory of control system devices, segmenting networks and applying firewalls, securing remote access, establish role-based access controls, strong passwords, timely implementing of patches and updates, enforcing policies on mobile devices, employee training involving executives, intrusion detection measures, and having a cybersecurity incident response plan. The complete list is in the AWWA report.
In 2018 Congress passed the “America’s Water Infrastructure Act,” which expects any water utility serving 3,300 or more people to carry out a “risk and resilience” assessment of its networks, including a review of cyber defenses. The nation’s biggest water providers have until next March 2021 to comply, while smaller companies can wait to act until June 2021.
From Bedrock Automation’s perspective, cyber security begins at the control system level. Anyone who is planning to implement PLC, RTU, DCS or other industrial control system upgrades now should be certain that the new system comes with cyber security built-in at the factory. That way, as they transition their control infrastructure to take advantage of the cloud, IIoT, remote operations and other hallmarks of digital transformation, they can do so with confidence that no one can tamper with their core controls. That is building on Bedrock, so to speak.
For information about how to know built-in control system cyber security when you see it, read here.