Stopping the Flow of Cyber Breaches
Research into the cyber risks of the water sector reveals leaks at the local level.
The water and wastewater treatment industry is facing cybersecurity threats. The risks affect the sector disproportionately compared to other utilities, given local-level water processing operations.
Along with physically securing its critical infrastructure, the water industry has to leverage available tools to protect against cyber attacks, an expert says.
The need to protect the security of water resources has extended through time, says Maj. Colin Brooks, USA, a signal officer who is an assistant professor of military science at the University of Massachusetts. “There are terrorist threats where water facilities are targeted, and that’s nothing new,” says Maj. Brooks, who also teaches history. “In fact, in the 1930s, J. Edgar Hoover, head of the FBI, was concerned about possible Nazi infiltration and risks of damage to the water sector,” he says. “In the 1970s there were attacks on the water sector by neo-Nazi groups.” More recently, al-Qaida operatives abroad were found to have the diagrams of water systems supplying the U.S. consulate in a foreign country. “So it’s known to be something being targeted by terrorists,” he notes.
The need for physical security at water facilities is now compounded by the additional need for digital protections. Maj. Brooks examined the cybersecurity of the water sector as part of his Master of Science in cybersecurity, which he received from National Defense University (NDU) last spring, and he found weaknesses in the industry.
“One of the classes I took when I was at NDU was on critical infrastructure protection, and I started doing some research on water and wastewater treatment facilities and just found it particularly fascinating because there are a wide variety of vulnerabilities to that sector.”
Cyber threats can come as utilities are otherwise engaged in natural disasters or experiencing physical damage, as seen from a cyber attack last October during Hurricane Lee. Criminals sent malware/ransomware to a particular water treatment facility in North Carolina just as it was confronting the natural disaster. “As I understand, the criminals determined that because [the water treatment facility] was already catastrophically hit by the hurricane and trying to recover, that they would be able to lock down the facility’s system and extort them for money,” Maj. Brooks states. “As it turns out, it only affected their billing system. It did not actually affect the specific critical infrastructure systems. And instead of paying up the money, the facility’s officials did the right thing and contacted the FBI.”
Other cyber-related risks stem from what Maj. Brooks refers to as “happenstance.”
A water facility in Harrisburg, Pennsylvania, was digitally compromised because it was susceptible to spam email. “Because there were vulnerabilities in the system, things that hadn’t been patched or hadn’t been analyzed for a particular security vulnerability, their system was compromised, even though it was not targeted by criminals or terrorists. It was compromised because it was simply susceptible to attack.”
In addition, the ubiquitous nature of supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLCs) puts the water sector—and utilities in other sectors—at risk of cyber attacks.
“The SCADA systems and PLCs are used across the breadth of the different critical infrastructure sectors, so any vulnerability that would be apparent in, say, a particular PLC manufactured by the same company, would be a vulnerability in other sectors to a greater or lesser degree depending on how they have that implemented,” the major observes.
Many of the PLC and SCADA systems in use by the water industry were implemented in the 1980s and 1990s and, as such, are inherently vulnerable to cyber attacks because they were developed before widespread use of the Internet. “They were designed to have a fail-close or fail-open, so that you could continue to provide service or you could shut that service off if you had catastrophic rainfalls or some other mechanical failure,” he states. “They weren’t originally designed with cybersecurity in mind.”
Water utilities do not have the resources to replace or upgrade these costly systems, Maj. Brooks continues. Water utilities operating at a local level may not have the same resources as a large electric utility conglomerate or a natural gas distributor to combat cyber threats to those systems.
Moreover, with a small staff to run the local facilities, many water companies do not have the resources to focus on cyber health. Often facilities have double- or triple-hatted individuals who are conducting operations, monitoring the system and making repairs, and may not have room for managing cybersecurity.
“I think the number one challenge that local water facilities face is a capacity challenge,” he emphasizes. “What I mean by that is the number of personnel that are assigned to specifically handle these kinds of threats. Thinking of it in terms of confidentiality, integrity and availability—the common construct for cybersecurity—availability always trumps everything else. And for a water facility at the local level that’s definitely true because if you have customers not getting water, that’s their number one concern. Cybersecurity is often considered but not highlighted because these folks are trained to make sure pumps are working.”
In addition, most available funds at water facilities go into infrastructure—not cybersecurity. “About 60 to 70 percent of their money goes into fixing pipes and maintaining those systems,” Maj. Brooks notes.
And when confronted with aging infrastructure and systems that were built and developed in the 1980s—“well before the Internet was so ubiquitous”—the problem grows for water facilities, the major states. “That’s probably one of the biggest things that they face, is having the capacity to do some of these things that are now required because of the current operational environment that we are in.”
Local wastewater treatment facilities can leverage information from industry associations, such as the American Water Works Association, which provides basic operational as well as technical information about systems, says Maj. Brooks. But for specific cybersecurity information, the Information Sharing and Analysis Center, or ISAC, first created by the Clinton Administration in the 1990s, is better, he says. The ISAC is an information security assessment center where government agencies as well as companies that operate critical infrastructure systems can share cyber-related information, and there is a separate ISAC body for each critical infrastructure sector—as in the WaterISAC—that identifies cyber attack trends, such as malware, for that industry.
“Some of the threats are from terrorist or criminal elements that may not be specific to the water industry but may be broadly applicable to critical infrastructure in general,” he explains. Even so, it is “probably one of the major ways that they can share that information and stay up to date.” The public-private partnership nature of the water industry does add a layer of complexity, he adds. “Obviously some of that information is proprietary; while water facilities do serve the public, many of them are operated privately.”
However, it may be the vulnerability assessment tools from the Department of Homeland Security (DHS) and the Environmental Protection Agency (EPA) that can most help the water sector confront cyber vulnerabilities, Maj. Brooks notes.
“The DHS has teams that can come out and do analysis on their networks,” he says. “They can do a vulnerability assessment, a design architecture review or network architecture verification/validation.”
Another tool promulgated by the DHS is the Cyber Security Evaluation Tool (CSET)—similar to the EPA’s Vulnerability Assessment Tool. Water facilities can enter data into the tool, such as the age of a system or the particular type of pumps in use, as well as input on any known potential risks to the systems.
“This is actually a pretty neat tool because not only is it free to download, you can install it on any system,” the major says. “Basically what it does is lead an operator through a query about the components of the water facility, security measures in place and other data, and then at the end of that, the tool provides recommendations on how to improve security.”
Other available frameworks help the water sector assess, identify and manage cybersecurity risks, including the National Institute of Standards and Technology’s (NIST’s) risk management framework, or RMF. “And while it was designed with federal agencies in mind, it can actually be applied to any kind of industry,” he notes. “It incorporates IT security and enterprise risk management to determine the total risk to infrastructure in the business, so that they can incorporate IT security holistically instead of being an adjunct assessment.”
Two additional frameworks, the National Infrastructure Protection Plan (NIPP) RMF and the NIST Cyber Security Framework for Critical Infrastructure, focus on improving the cybersecurity of critical infrastructure.
According to a recent DHS report on critical infrastructure assessments conducted in 2016, out of all the utility sectors, the water sector has done the most assessments on infrastructure, Maj. Brooks shares.
However, information on the frameworks and available tools is not reaching every part of the water sector. “Certainly state-level organizations are aware of available resources, but it is less well known at the local levels,” he warns. Many facilities do not know that WaterISAC, DHS and EPA could inform them about potential threats and/or how to mitigate them, he stresses.
One of the challenges water sector facilities face in protecting infrastructure from cyber attack is the cost; between 60 percent and 70 percent of the budget goes to maintenance and operations. Maj. Brooks found researchers in Kentucky who developed pre-processors for industrial control systems that can help increase security at little cost. “It’s like using an Arduino or Gumstix, which is just a small computer used to insert into the system without interfering with the overall SCADA system,” he explains. The small processors provide authentication and would allow users to avoid having to replace a whole SCADA system.
“It’s a security preprocessor that forces somebody to authenticate before they are allowed into the field system device and are allowed to make changes,” he says. “And that’s a fairly cost-effective means of better security because it costs about $100 to do that, which is a far cry from tens of thousands of dollars to upgrade the SCADA systems entirely.”
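The authenticate-before-change gate described above can be sketched in a few lines. This is an added example, not the Kentucky researchers' design or code from the article; the HMAC challenge-response scheme, the class and function names, the register name and the key are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class LegacyController:
    """Stand-in for a field device with no authentication: it obeys any write."""
    def __init__(self):
        self.registers = {"pump_speed_pct": 40}   # constructed sample state

    def write(self, register, value):
        self.registers[register] = value


def sign(key, nonce, register, value):
    """Operator-side tag that binds the challenge to one exact command."""
    msg = nonce + b"|" + register.encode() + b"|" + str(value).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class SecurityPreprocessor:
    """Sits in front of the controller and forwards a write only when it carries
    a valid HMAC over a fresh, single-use challenge (assumed scheme)."""
    def __init__(self, device, operator_keys):
        self.device = device
        self.operator_keys = operator_keys   # operator id -> shared secret
        self.pending = {}                    # operator id -> outstanding challenge
        self.audit = []                      # (operator, register, value, decision)

    def challenge(self, operator):
        self.pending[operator] = secrets.token_bytes(16)
        return self.pending[operator]

    def write(self, operator, register, value, tag):
        nonce = self.pending.pop(operator, None)   # single use, so a replay fails
        key = self.operator_keys.get(operator)
        ok = (nonce is not None and key is not None and
              hmac.compare_digest(sign(key, nonce, register, value), tag))
        if ok:
            self.device.write(register, value)     # only now touch the device
        self.audit.append((operator, register, value, "allow" if ok else "deny"))
        return ok


def demo():
    key = b"constructed-demo-key"                  # constructed, not a real secret
    plc = LegacyController()
    gate = SecurityPreprocessor(plc, {"op1": key})
    tag = sign(key, gate.challenge("op1"), "pump_speed_pct", 55)
    results = [gate.write("op1", "pump_speed_pct", 55, tag),     # authenticated
               gate.write("op1", "pump_speed_pct", 100, tag),    # replayed tag
               gate.write("intruder", "pump_speed_pct", 0, b"")] # unknown operator
    return results, plc.registers["pump_speed_pct"], gate.audit
```

The legacy controller itself is unchanged; every denied attempt still lands in the audit list, which gives a small facility a record to review.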