Hackers can target the water sector, and they already are. These cyber events can disrupt water operations in a variety of ways, some with significant impacts on public health. Imagine a scenario in which hackers interfere with water treatment operational equipment.
Unsurprisingly, organizations like Booz Allen Hamilton are concerned and expect that U.S. water utilities will be the new target of cyber attacks in 2019. But why is the water sector the next big target?
Historically, water utilities took longer to embrace modern information technologies and business software than other industries. Unlike the energy sector (which accounts for the majority of the public’s cybersecurity attention), water utilities are not highly regulated, and investment in cybersecurity technology and best practices has been delayed. The water industry’s regulatory regime appears to be fractured, there have been many failures to remove antiquated or outdated equipment, and its compliance requirements and information sharing are immature.
These vulnerabilities and pain points are exactly what adversaries look to exploit.
-Feb 2018—Cryptocurrency mining malware impacted industrial controls and was discovered within a European water utility’s network.
-Oct 2018—ONWASA, a water utility company in North Carolina, was targeted by cybercriminals in a ransomware attack and taken down.
-July 2018—Ukraine claimed that an attack by Russian hackers on a water utility facility was disrupted.
-Oct 2006—A malware infection at the Harrisburg, PA, water system was carried out by overseas hackers. It originated from an infected laptop PC, through which hackers gained access to computer systems at the water treatment plant in Harrisburg.
-2015 and 2016—BlackEnergy, KillDisk and Havex malware was lodged inside computer systems at three major Ukrainian power companies. Hackers caused a power outage in Ukraine by remotely switching breakers to cut power, after installing malware to prevent technicians from discovering the attack.
-April 2018—The city of Atlanta was crippled by ransomware attacks that disrupted city utilities. Following the attacks, city employees were unable to turn on their computers, and residents were unable to pay bills, including water bill and business license payments and renewals.
All these events caused major damage to these utilities. The typical entry points for hackers were spear-phishing campaigns (attacks that target individuals through emails with malicious links), exploitation of outdated computer systems, watering hole domains (attacks that target users by infecting the websites they frequent with malware) and attacks on industrial control systems.
We see all the headlines about increasingly sophisticated, more persistent, and more dangerous cyber attacks that could have a greater impact. However, WhiteHawk recently highlighted some basic protocols to reduce vulnerabilities in "Utilities at Risk: Solutions at Hand" and "Utility Sector; 4 Essential Cyber Risk Measures."
The protocols include:
-Controlling access points
-Building strong organizational security policies
-Identifying systems that need protection
-Separating systems into functional groups
-Access control and intrusion detection
-Explicit commitments to security
-Implementing layered or tiered defenses.
The water sector must develop specific guidance and provide a consistent, repeatable recommended course of action to reduce vulnerabilities in control systems. The American Water Works Association (AWWA) provides a helpful guide, Cybersecurity Risk and Responsibility in the Water Sector, but we need to move past simply checking the box to meet compliance needs.
Cyber disruption will occur. Do not get caught unprepared. Find out more about improving your security by connecting with WhiteHawk.