Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

Read More

Strategic Cybersecurity for Water Treatment Facilities

Read More

Categories Arrow

All Posts

Strategic Cybersecurity for Water Treatment Facilities

Hackers are increasingly targeting the utility industry, especially after the infamous Colonial Pipeline attack. Water treatment facilities are experiencing more cyber incidents, leading to a rising need for robust, strategic security protocols. How can they protect their networks in today’s rapidly evolving threat landscape?

Security Risks for Water Treatment Facilities

Water treatment facilities face unique risk factors that are crucial to understanding how to build a robust cybersecurity strategy. They’re becoming a prime target for hackers today because they know the utility can’t afford to go offline for long, making the plant more likely to pay a ransom to retrieve their data.

These structures also have to balance physical and virtual security. Industrial control systems bridge both types of security, which can be particularly difficult to navigate. Devices like IoT sensors and testing equipment are among the most crucial and vulnerable in any water treatment facility.

One specific issue many water treatment plants encounter when trying to secure industrial control systems is poor visibility. Facilities can have dozens or hundreds of devices and sensors on their network but lack adequate monitoring to detect unauthorized activity on those pieces of tech. The expansive physical size of a typical facility can make visibility even more challenging.

 

The Oldsmar, Florida, Cyber Attack

A perfect example of this issue is a cyber attack on a water treatment facility in Oldsmar, Florida, in 2021. Authorities initially thought an unauthorized user remotely accessed the facility’s network and changed sodium hydroxide levels to a toxic amount. However, further investigations revealed the incident may have been an accident, but it may never be confirmed due to a lack of clear data on the building’s systems.

The Oldsmar incident is a great portrait of the dangers of poor visibility in water treatment networks. Clear, robust network and device monitoring can prevent cyber attacks and ensure security personnel can determine what happened afterward. In this case, a lack of visibility may have led authorities to believe a simple accident was actually a much more serious security incident.

Strategies for Risk Assessment

A risk assessment is the first step to improving a facility’s security protocols, analyzing existing security measures, highlighting vulnerabilities, and predicting the likelihood of a successful cyber attack. The process starts with documenting every network component, from individual devices to apps, interfaces, and users, including any vendors, partners, or other third parties with access to the network.

Next, identify as many vulnerabilities as possible. It can be helpful to bring in a security expert for this process if a facility does not already have one. The CISA also has a practical guide to threat intelligence sources and common vulnerabilities to look for in a risk assessment.

For water treatment facilities, these vulnerabilities can be things like unsecured IoT devices or remote access apps for employees. Poor account security is also a common issue, particularly in conjunction with a remote access app, such as the one involved in the Oldsmar, Florida, incident.

At this stage, some organizations also run tests and simulations to help them identify their risks. For example, web application penetration testing involves hiring a hacking expert to attempt to break into the network without causing any actual harm. This type of test can reveal the weaknesses a real hacker is most likely to notice and utilize.

After identifying all threats and vulnerabilities, water treatment security personnel must categorize the risks by level. Consider how much a vulnerability could impact workflows if a cyber attack occurred and the likelihood of a hacker leveraging that weakness. Those that are highly likely to occur and have a high impact on the facility should be the top priority.

How to Implement Robust, Layered Security

What can water treatment facilities do to secure their networks after conducting a risk assessment? While every network is different, there are a few core cybersecurity strategies they should consider utilizing.

Network Monitoring

Autonomous network monitoring can significantly improve visibility and threat detection. This technology independently analyzes network traffic around the clock and only alerts personnel when it detects something unusual. It’s highly efficient and allows a small security team to manage a large network of devices, such as hundreds of IoT sensors in an industrial control system.

Identity and Access Management

One of the most common attack vectors today across all industries is compromised user accounts. Hackers use phishing to steal credentials and use that login information to get into a victim’s network. Water treatment facilities need robust identity and access management protocols to prevent this attack.

Luckily, increasing account security is fairly straightforward. Use the rule of least privilege, meaning accounts only have access to the minimum amount of data they need. Require strong, unique passwords and consider using multi-factor authentication (MFA), as well. MFA can go a long way toward preventing unauthorized login attempts, even if a password is stolen.

Network Segmentation

Network segmentation is crucial for water treatment facility plants. It can potentially save the day in the event of a security incident, which is what happened in a 2021 cyber attack on a facility in Maryland.

Hackers hit its network with ransomware but were only able to access internal files, not any water safety systems. All the industrial control and filtration systems were on a separate, isolated network that reportedly wasn’t even connected to the internet. As a result, the ransomware successfully got into the network but couldn’t do anything to threaten water safety.

Every water treatment facility should consider splitting up its network like this. Network segmentation is fairly easy to implement and can significantly reduce the risk of large-scale cyber attacks.

Utilize Security Standards

Today’s leading cybersecurity standard is the NIST Cybersecurity Framework, used in nearly every industry. The NIST has a wealth of guides to help organizations get started and regularly updates with new best practices as threats emerge. Compliance with leading security standards is a great way to ensure water treatment facilities are staying ahead of cybersecurity risks.

Securing Water Treatment Facilities

The entire utilities industry is becoming a prime target for hackers, including water treatment facilities. Luckily, there are strategies plants can use to identify their risk factors and strengthen their cyber defenses. The above tips can help resolve these risks and protect water treatment plants’ networks.
Devin Partida
Devin Partida
Devin Partida is the current editor of ReHack Magazine.

    Recent Posts

    Astronaut on a rocket

    Related Posts

    ISA/IEC 62443 and Risk Assessment: New Horizons in the AI Revolution

    Risk assessment has long been an important component of any cybersecurity program and operation for organ...
    Mohannad AlRasan Apr 26, 2024 7:00:00 AM

    Should ISA/IEC 62443 Security Level 2 Be the Minimum for COTS Components?

    A recent white paper published by the ISA Security Compliance Institute (ISCI) and its ISASecure certific...
    Liz Neiman Apr 23, 2024 5:18:27 PM

    How to Secure Machine Learning Data

    Data security is paramount in machine learning, where knowledge drives innovation and decision-making. Th...
    Zac Amos Mar 12, 2024 11:10:47 AM

    The International Society of Automation (ISA) is a non-profit professional association founded in 1945 to create a better world through automation. ISA advances technical competence by connecting the automation community to achieve operational excellence and is the trusted provider of standards-based foundational technical resources, driving the advancement of individual careers and the overall profession. ISA develops widely used global standards; certifies professionals; provides education and training; publishes books and technical articles; hosts conferences and exhibits; and provides networking and career development programs for its members and customers around the world.


    The material and information contained on this website is for general information purposes only. ISA blog posts may be authored by ISA staff and guest authors from the automation community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

    We're on social media. Keep in touch!

    © 2024 International Society of Automation. All rights reserved.