Why Cybersecurity Risk for the Water Industry Is So High
Retrofitted OT, lean resources and vulnerable endpoints put the water industry at high cybersecurity risk.
December 9, 2021
Sponsored by ThreatLocker
Like many critical infrastructure verticals, the water industry faces increased cybersecurity risks. Water is managed locally or privately depending on where you live, making it incredibly difficult to regulate and manage. As far as utilities go, water typically has the least financial resources allocated toward it, making cybersecurity a non-priority. On top of that, operational technology (OT) has been retrofitted for remote access creating inherent cybersecurity risk.
As threat actors look to disrupt supply chains, water companies need to ensure water’s continued access and safety. As with all verticals, water companies need to be concerned about the regular threats that all businesses face. As the risk of ransomware and other cyberattacks continues to increase, water companies must be vigilant about attacks targeting their infrastructure.
Typically, when a business loses access to its system due to a ransomware attack, it does not affect people’s ability to survive. Problematically, decentralized regulatory control and limited finances often mean that companies lack the resources for continuous hygiene. Meanwhile, cyber-physical systems (CPS) technologies link enterprise IT networks to OT networks increase the chances that a threat actor’s attack will be successful.
Organizational Status
Across the industry, companies are managed differently. According to the Water Sector Coordinating Council’s “Cybersecurity 2021 State of the Industry”:
4% of survey respondents are with a department of a municipality or county.
7% of survey respondents are with a special district or independent government entity.
3% of survey respondents are with a private non-profit/cooperative.
4% of survey respondents are with a privately owned or investor-owned utility.
With water companies owned and operated in various ways, the financial support for cybersecurity varies widely.
Cyber Risk and Visibility
While threat actors continue to target critical infrastructure, few statistics exist when compared with enterprise IT. An article from 2021, “A Systematic Review of the State of Cyber-Security in Water Systems,” explains that the attacks are rarely made public and that attribution is often difficult. However, the article also notes that the number of attacks on CPSes has increased in recent years, listing attacks like Stuxnet, DuQu, BlackEnergy and Havex. Moreover, the report notes that threat actors targeting water systems include nation-state political actors, cybercriminal financial actors and former employees.
Anatomy of a Cyber Attack
The traditional method for protecting OT systems from IT and vice-versa is air-gapping, an interface between two systems at which (a) they are not connected physically and (b) any logical connection is not automated. (That is, data is transferred through the interface only manually, under human control.) OT systems often run legacy operating systems, and not only pose an increased risk of being exploited themselves as a result of a vulnerability, but also allow attackers to access IT systems by running undetected code on the OT systems. However, water companies increasingly use CPS technologies that connect their OT systems to the enterprise IT network. This allows for more efficient monitoring and integration into billing services.
How the Attack Works
This connectivity undermines air gapping because threat actors can use a vulnerability in the enterprise IT network to gain access to OT. Attackers often start by using a common vulnerability, malicious software or remote access tools (RATs) to access the enterprise network. Once they gain access, they escalate the attack by either using direct controls over OT systems or exploiting poor code in the CPS. They will often exploit privileges within that network or operate silently from the OT operating systems, allowing them to capture information on the IT networks. From there, administrative privileges are obtained to operate in the IT network with admin permissions.
For example, when threat actors attacked a water treatment plant in Oldsmar, Fla., this year, they started by exploiting TeamViewer, a legitimate piece of software, to access the IT systems. This ultimately gave them access to the OT systems, enabling them to increase the sodium hydroxide levels to potentially dangerous amounts. In this case, the attacker went in for the kill and attempted to potentially poison the water systems. However, in many cases there would be backdoors planted that could allow further access.
Why the Attack Is Successful
Many OT systems were built and designed prior to the internet, which means they incorporate legacy technologies. Between design and age, they lack modern security controls, and security tools like scanners are often unable to provide adequate visibility into assets on the network.
These systems are often fragile. A small change or abnormal activity within the network architecture can lead to costly downtime. For the water industry, downtime has greater social implications. Water is fundamental to health and hygiene. Therefore, critical system outages can impact the population’s physical safety.
Municipalities are notorious for having bad IT hygiene. Users often run as local administrators with outdated operating systems and poor training, and fail to implement basic controls listed in CIS and NIST frameworks. This makes them attractive targets for cybercriminals, which leads to major societal implications. Click on Page 2 to continue reading…
Cybersecurity Budget Allocation
Despite the rise in attacks against CPS technologies, water companies continue to struggle with limited IT and OT financial resources.
The “Cybersecurity 2021 State of the Industry” notes the following around IT and OT cybersecurity budget allocation:
38% of systems allocate less than 1% of budget to IT cybersecurity.
1% of systems allocate 1 to 5% of budget to IT cybersecurity.
3% of systems allocate 6 to 10% of budget to IT cybersecurity.
1% of systems allocate greater than 10% of budget to IT cybersecurity.
8% of systems allocate less than 1% of budget to OT cybersecurity.
95% of systems allocate 1 to 5% of budget to OT cybersecurity.
9% of systems allocate 6 to 10% of budget to OT cybersecurity.
7% of systems allocate greater than 10% of budget to OT cybersecurity
These limited budgets ultimately make securing water more difficult, driving companies to seek cost-effective cybersecurity risk mitigation solutions.
Decentralized Regulatory Requirements
To further complicate matters, water companies lack clear regulatory guidelines. Despite falling under the Environmental Protection Agency’s control, water companies also find themselves regulated by state and environmental agencies as well as state public utility commissions.
Although the America’s Water Infrastructure Act of 20183 included cybersecurity, it only mentions it twice, providing limited guidance:
The emergency response plan shall include— ‘(1) strategies and resources to improve the resilience of the system, including the physical security and cybersecurity of the system …
The EPA provides a four-page “Water Sector Cybersecurity Brief for States” that lists the 2019 Water Sector Cybersecurity Risk Management Guidance (WSCRMG), including a number of controls that water companies can use to protect themselves from ransomware attacks.
How Locking Down Application-to-Network and Application-to-Application Communication Enhances Security
With ransomware on the rise, water companies need to find threat mitigation strategies that enable them to protect their OT environments. The same connectivity that enables threat actors to move from enterprise IT networks to OT systems also acts as a means of transmitting malware to OT devices.
Installing security updates to endpoint IT devices is fundamental to protecting interconnected systems. However, even a single unpatched endpoint can pose a risk to OT systems. And because OT systems are fragile, updating the endpoints increases risk. This added complexity often requires the water company to schedule maintenance and downtime. Again, since water is fundamental to human health and safety, this is not always a viable option.
By setting deny-all policies for all application communications to networks and other applications, organizations limit access as much as possible. Some benefits of this approach include:
Blocking device and application access to prevent malware from executing on a device
Limiting what applications can access the internet to minimize the risk of threat actors exploiting a software vulnerability
Limiting what applications can be used at the same time to minimize the risk that malware can be transferred to applications that require privileged access
Limiting data sharing between applications to minimize the risk that malware can be transferred from one application to another
Limiting devices’ and applications’ access to resources to minimize the risks that information can be posted or processed on publicly accessible information systems
Ensuring the principle of least functionality to minimize risks associated with what applications can run in an environment, what applications can connect to the internet and what devices can be used to access resources
ThreatLocker is a global cybersecurity leader, providing enterprise-level cybersecurity tools to improve the security of servers and endpoints. ThreatLocker’s combined Application Whitelisting, Ringfencing, Storage Control and Privileged Access Management solutions are leading the cybersecurity market toward a more secure approach of blocking unknown application vulnerabilities.
This guest blog is part of a Channel Futures sponsorship.
Read more about:
MSPsAbout the Author
You May Also Like