Hackers are increasingly targeting the utility industry, especially after the infamous Colonial Pipeline attack. Water treatment facilities are experiencing more cyber incidents, leading to a rising need for robust, strategic security protocols. How can they protect their networks in today’s rapidly evolving threat landscape?
Security Risks for Water Treatment Facilities
Water treatment facilities face unique risk factors that are crucial to understanding how to build a robust cybersecurity strategy. They’re becoming a prime target today because hackers know the utility can’t afford to go offline for long, making the plant more likely to pay a ransom to retrieve its data.
These structures also have to balance physical and virtual security. Industrial control systems bridge both types of security, which can be particularly difficult to navigate. Devices like IoT sensors and testing equipment are among the most crucial and vulnerable in any water treatment facility.
One specific issue many water treatment plants encounter when trying to secure industrial control systems is poor visibility. Facilities can have dozens or hundreds of devices and sensors on their network but lack adequate monitoring to detect unauthorized activity on those pieces of tech. The expansive physical size of a typical facility can make visibility even more challenging.
The Oldsmar, Florida, Cyber Attack
A perfect example of this issue is a cyber attack on a water treatment facility in Oldsmar, Florida, in 2021. Authorities initially thought an unauthorized user remotely accessed the facility’s network and changed sodium hydroxide levels to a toxic amount. Further investigations, however, revealed the incident may have been an accident, though that may never be confirmed due to a lack of clear data on the building’s systems.
The Oldsmar incident is a great portrait of the dangers of poor visibility in water treatment networks. Clear, robust network and device monitoring can prevent cyber attacks and ensure security personnel can determine what happened afterward. In this case, a lack of visibility may have led authorities to believe a simple accident was actually a much more serious security incident.
Strategies for Risk Assessment
A risk assessment is the first step to improving a facility’s security protocols. It analyzes existing security measures, highlights vulnerabilities, and predicts the likelihood of a successful cyber attack. The process starts with documenting every network component, from individual devices to apps, interfaces, and users, including any vendors, partners, or other third parties with access to the network.
Next, identify as many vulnerabilities as possible. It can be helpful to bring in a security expert for this process if a facility does not already have one. CISA also has a practical guide to threat intelligence sources and common vulnerabilities to look for in a risk assessment.
For water treatment facilities, these vulnerabilities can be things like unsecured IoT devices or remote access apps for employees. Poor account security is also a common issue, particularly in conjunction with a remote access app, such as the one involved in the Oldsmar, Florida, incident.
At this stage, some organizations also run tests and simulations to help them identify their risks. For example, web application penetration testing involves hiring a hacking expert to attempt to break into the network without causing any actual harm. This type of test can reveal the weaknesses a real hacker is most likely to notice and utilize.
After identifying all threats and vulnerabilities, water treatment security personnel must categorize the risks by level. Consider how much a vulnerability could impact workflows if a cyber attack occurred and the likelihood of a hacker leveraging that weakness. Those that are highly likely to occur and have a high impact on the facility should be the top priority.
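The inventory, identification, and ranking steps above can be kept in a small risk register. The following is an added example, not part of the original article; the asset names, the 1 to 5 rating scales, and the level thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    weakness: str
    likelihood: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int      # assumed scale: 1 (negligible) .. 5 (affects water safety)

# Constructed sample data: step 1 (documented components) and step 2 (findings).
INVENTORY = {"chlorine-sensor-07", "remote-access-app",
             "hmi-workstation-2", "billing-server"}
FINDINGS = [
    Finding("billing-server", "missing OS patches", 3, 2),
    Finding("remote-access-app", "shared password, no MFA", 4, 5),
    Finding("lab-tablet-3", "unmanaged device on plant Wi-Fi", 2, 2),
    Finding("chlorine-sensor-07", "default credentials on IoT sensor", 3, 4),
    Finding("hmi-workstation-2", "local admin for all operators", 2, 5),
]

def level(score):
    """Map a likelihood x impact score to a level (thresholds are assumed)."""
    if score >= 15:
        return "high"
    return "medium" if score >= 8 else "low"

def prioritize(findings, inventory):
    """Step 3: rank findings, and report assets missing from the inventory."""
    for f in findings:
        if not (1 <= f.likelihood <= 5 and 1 <= f.impact <= 5):
            raise ValueError(f"rating out of range for {f.asset}")
    # A finding on an undocumented asset means the inventory is incomplete.
    undocumented = sorted({f.asset for f in findings if f.asset not in inventory})
    ranked = sorted(findings,
                    key=lambda f: (-f.likelihood * f.impact, -f.impact, f.asset))
    rows = [(f.asset, f.weakness, f.likelihood * f.impact,
             level(f.likelihood * f.impact)) for f in ranked]
    return rows, undocumented

if __name__ == "__main__":
    rows, undocumented = prioritize(FINDINGS, INVENTORY)
    for asset, weakness, score, lvl in rows:
        print(f"{lvl:6} {score:2}  {asset}: {weakness}")
    print("not in inventory:", undocumented)
```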
How to Implement Robust, Layered Security
What can water treatment facilities do to secure their networks after conducting a risk assessment? While every network is different, there are a few core cybersecurity strategies they should consider utilizing.
Network Monitoring
Autonomous network monitoring can significantly improve visibility and threat detection. This technology independently analyzes network traffic around the clock and only alerts personnel when it detects something unusual. It’s highly efficient and allows a small security team to manage a large network of devices, such as hundreds of IoT sensors in an industrial control system.
Identity and Access Management
One of the most common attack vectors today across all industries is compromised user accounts. Hackers use phishing to steal credentials and use that login information to get into a victim’s network. Water treatment facilities need robust identity and access management protocols to prevent this attack.
Luckily, increasing account security is fairly straightforward. Use the rule of least privilege, meaning accounts only have access to the minimum amount of data they need. Require strong, unique passwords and consider using multi-factor authentication (MFA), as well. MFA can go a long way toward preventing unauthorized login attempts, even if a password is stolen.
Network Segmentation
Network segmentation is crucial for water treatment plants. It can potentially save the day in the event of a security incident, which is what happened in a 2021 cyber attack on a facility in Maryland.
Hackers hit its network with ransomware but were only able to access internal files, not any water safety systems. All the industrial control and filtration systems were on a separate, isolated network that reportedly wasn’t even connected to the internet. As a result, the ransomware successfully got into the network but couldn’t do anything to threaten water safety.
Every water treatment facility should consider splitting up its network like this. Network segmentation is fairly easy to implement and can significantly reduce the risk of large-scale cyber attacks.
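A segmentation policy like the one described is only useful if it is checked against real traffic. The following added example, not part of the original article, audits flow records against a two-zone policy in which the control network talks only to itself; the zone names, address ranges, and flow records are constructed for illustration.

```python
import ipaddress

# Constructed zones; the ranges are illustrative, not from any real plant.
ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "control": ipaddress.ip_network("10.50.0.0/24"),
}

# Zone-to-zone flows the policy allows. Nothing crosses into or out of "control".
ALLOWED = {
    ("business", "business"),
    ("control", "control"),
    ("business", "external"),
    ("external", "business"),
}

def zone_of(addr):
    """Return the zone an address belongs to, or 'external' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"

def audit(flows):
    """Return the flows that cross a zone boundary the policy does not allow."""
    violations = []
    for src, dst, port in flows:
        pair = (zone_of(src), zone_of(dst))
        if pair not in ALLOWED:
            violations.append((src, dst, port, f"{pair[0]}->{pair[1]}"))
    return violations

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.10.4.21", "10.10.1.5", 445),     # office PC to file server
    ("10.50.0.12", "10.50.0.2", 502),     # controller to HMI, inside control zone
    ("10.10.4.21", "10.50.0.2", 3389),    # office PC reaching into control zone
    ("10.50.0.12", "203.0.113.9", 443),   # control device reaching the internet
    ("10.10.4.30", "198.51.100.7", 443),  # office PC browsing
]

if __name__ == "__main__":
    for src, dst, port, crossing in audit(FLOWS):
        print(f"VIOLATION {crossing}: {src} -> {dst}:{port}")
```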
Utilize Security Standards
Today’s leading cybersecurity standard is the NIST Cybersecurity Framework, used in nearly every industry. NIST has a wealth of guides to help organizations get started and regularly updates them with new best practices as threats emerge. Compliance with leading security standards is a great way to ensure water treatment facilities are staying ahead of cybersecurity risks.
Securing Water Treatment Facilities
The entire utilities industry is becoming a prime target for hackers, including water treatment facilities. Luckily, there are strategies plants can use to identify their risk factors and strengthen their cyber defenses. The above tips can help resolve these risks and protect water treatment plants’ networks.