Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

Strategic Cybersecurity for Water Treatment Facilities

Hackers are increasingly targeting the utility industry, especially after the infamous Colonial Pipeline attack. Water treatment facilities are experiencing more cyber incidents, leading to a rising need for robust, strategic security protocols. How can they protect their networks in today’s rapidly evolving threat landscape?

Security Risks for Water Treatment Facilities

Water treatment facilities face unique risk factors that are crucial to understanding how to build a robust cybersecurity strategy. They’re becoming a prime target for hackers today because they know the utility can’t afford to go offline for long, making the plant more likely to pay a ransom to retrieve their data.

These structures also have to balance physical and virtual security. Industrial control systems bridge both types of security, which can be particularly difficult to navigate. Devices like IoT sensors and testing equipment are among the most crucial and vulnerable in any water treatment facility.

One specific issue many water treatment plants encounter when trying to secure industrial control systems is poor visibility. Facilities can have dozens or hundreds of devices and sensors on their network but lack adequate monitoring to detect unauthorized activity on those pieces of tech. The expansive physical size of a typical facility can make visibility even more challenging.

 

The Oldsmar, Florida, Cyber Attack

A perfect example of this issue is a cyber attack on a water treatment facility in Oldsmar, Florida, in 2021. Authorities initially thought an unauthorized user remotely accessed the facility’s network and changed sodium hydroxide levels to a toxic amount. However, further investigations revealed the incident may have been an accident, but it may never be confirmed due to a lack of clear data on the building’s systems.

The Oldsmar incident is a great portrait of the dangers of poor visibility in water treatment networks. Clear, robust network and device monitoring can prevent cyber attacks and ensure security personnel can determine what happened afterward. In this case, a lack of visibility may have led authorities to believe a simple accident was actually a much more serious security incident.

Strategies for Risk Assessment

A risk assessment is the first step to improving a facility’s security protocols, analyzing existing security measures, highlighting vulnerabilities, and predicting the likelihood of a successful cyber attack. The process starts with documenting every network component, from individual devices to apps, interfaces, and users, including any vendors, partners, or other third parties with access to the network.

Next, identify as many vulnerabilities as possible. It can be helpful to bring in a security expert for this process if a facility does not already have one. The CISA also has a practical guide to threat intelligence sources and common vulnerabilities to look for in a risk assessment.

For water treatment facilities, these vulnerabilities can be things like unsecured IoT devices or remote access apps for employees. Poor account security is also a common issue, particularly in conjunction with a remote access app, such as the one involved in the Oldsmar, Florida, incident.

At this stage, some organizations also run tests and simulations to help them identify their risks. For example, web application penetration testing involves hiring a hacking expert to attempt to break into the network without causing any actual harm. This type of test can reveal the weaknesses a real hacker is most likely to notice and utilize.

After identifying all threats and vulnerabilities, water treatment security personnel must categorize the risks by level. Consider how much a vulnerability could impact workflows if a cyber attack occurred and the likelihood of a hacker leveraging that weakness. Those that are highly likely to occur and have a high impact on the facility should be the top priority.

How to Implement Robust, Layered Security

What can water treatment facilities do to secure their networks after conducting a risk assessment? While every network is different, there are a few core cybersecurity strategies they should consider utilizing.

Network Monitoring

Autonomous network monitoring can significantly improve visibility and threat detection. This technology independently analyzes network traffic around the clock and only alerts personnel when it detects something unusual. It’s highly efficient and allows a small security team to manage a large network of devices, such as hundreds of IoT sensors in an industrial control system.

Identity and Access Management

One of the most common attack vectors today across all industries is compromised user accounts. Hackers use phishing to steal credentials and use that login information to get into a victim’s network. Water treatment facilities need robust identity and access management protocols to prevent this attack.

Luckily, increasing account security is fairly straightforward. Use the rule of least privilege, meaning accounts only have access to the minimum amount of data they need. Require strong, unique passwords and consider using multi-factor authentication (MFA), as well. MFA can go a long way toward preventing unauthorized login attempts, even if a password is stolen.

Network Segmentation

Network segmentation is crucial for water treatment facility plants. It can potentially save the day in the event of a security incident, which is what happened in a 2021 cyber attack on a facility in Maryland.

Hackers hit its network with ransomware but were only able to access internal files, not any water safety systems. All the industrial control and filtration systems were on a separate, isolated network that reportedly wasn’t even connected to the internet. As a result, the ransomware successfully got into the network but couldn’t do anything to threaten water safety.

Every water treatment facility should consider splitting up its network like this. Network segmentation is fairly easy to implement and can significantly reduce the risk of large-scale cyber attacks.

Utilize Security Standards

Today’s leading cybersecurity standard is the NIST Cybersecurity Framework, used in nearly every industry. The NIST has a wealth of guides to help organizations get started and regularly updates with new best practices as threats emerge. Compliance with leading security standards is a great way to ensure water treatment facilities are staying ahead of cybersecurity risks.

Securing Water Treatment Facilities

The entire utilities industry is becoming a prime target for hackers, including water treatment facilities. Luckily, there are strategies plants can use to identify their risk factors and strengthen their cyber defenses. The above tips can help resolve these risks and protect water treatment plants’ networks.

Devin Partida
Devin Partida
Devin Partida is the editor-in-chief of ReHack Magazine.

Related Posts

Practical Insights for Implementing Control System Security

Introduction In this blog post, we’ll share practical insights from operational experience in managing cy...
Pinakin Gokhale Nov 29, 2024 7:00:00 AM

Innovations in R&D: How AI Is Transforming Industrial Cybersecurity Operations

Industrial control systems are becoming more complex as evolved cyberattacks threaten industry functions....
Devin Partida Nov 15, 2024 7:00:00 AM

In Conversation with Authors of ISAGCA White Paper on Zero Trust and ISA/IEC 62443

The ISA Global Cybersecurity Alliance (ISAGCA) recently published a white paper exploring the application...
Kara Phelps Nov 8, 2024 12:00:00 PM