Water professionals know that the nature of water is to always take the least path of resistance – the same pursuit of cyber attackers. In recent years, there’s been progress in cybersecurity on the information technology (IT) side, but the operation technology (OT) platform is severely lacking in protection.
Now is the time to truly focus on the industrial OT side.
IT and OT networks aren’t the same. IT enjoys familiarity, providing internet and email connections as well as financial, business and customer data. The OT network deals with machines, equipment and devices that physically operate our facilities.
The problem: The rate of attacks and risk to operations is far outpacing the maturity of most industrial cybersecurity programs. As systems become more connected and automated, they become more exposed to attacks. Meanwhile, many OT managers can’t tell you what digital assets they have on their networks.
This translates to the pressing dilemma that most wastewater treatment operations – and those in the commercial industrial sector – are at the immature stage in terms of protecting their OT assets from cyber threats.
This is a relatively new area, but it no longer can be ignored at a time when the industry faces a new kind of convergence of motives and opportunities for cyber attackers. These “bad guys” increasingly are getting craftier in exploiting the rapid expansion of OT digital connections.
Cyber criminals: A Growing Threat
Until recently, the goal of attackers – whether they were activists, terrorists, rogue nations or organized crime – usually was to extort ransoms, make political statements or disrupt business. The Colonial Pipeline attack in 2021 marked an acceleration of these attacks on operations. Although technically that was an IT attack, the attackers still successfully caused the OT side of a major oil pipeline to be shut down for a week, dramatically impacting life along much of the U.S. East Coast. The ability to disrupt life for millions of people became a new motivation, and the prize just got bigger.
In recent months, a surge in malicious cyber activity has ranged from a successful attack on a Pennsylvania water treatment plant to several threats in Texas. In the Pennsylvania incident, the attackers – a self-proclaimed group from Iran – simply used the opportunity to spread propaganda. But they made it inside an OT system, and that is the point. They potentially could have turned valves on or off, reprogramed equipment or caused a large disruption or contamination to the public.
But it does not have to be that way.
Every year, Black & Veatch extensively surveys hundreds of stakeholders and decision-makers in the U.S. water industry for its annual water report, with last year’s respondents reflecting the industry’s clear understanding of the consequences and seriousness of cyberattacks. Nearly 80% of respondents said they’ve hired or consulted with cybersecurity experts or information security engineers for their IT/OT systems. Six in 10 acknowledged the need for continuous monitoring as a solid means of detecting malicious activity.
This indicates many entities are at the “now what?” stage. They’ve acknowledged an issue that must be addressed, and they are looking to take some initial protective steps. They need answers, partly explaining why Black & Veatch recently launched a new cybersecurity practice meant to help clients level the playing field – or give them an upper hand – in thwarting cyber criminals.
The ‘Homefield Advantage’
The first step comes with the appreciation that something can and must be done. This digital war is being fought inside your equipment, but that does not make it all doom and gloom. The opposite viewpoint should be championed: Wastewater plant operations should acknowledge their “homefield advantage” that comes with deep knowledge of their equipment after a proper, robust assessment. From there comes a determination of the system’s vulnerabilities and the best ways to mitigate them.
Wastewater system stakeholders control the training and education for their employees and contractors, thereby arming them with the proper knowledge and skills to combat the situation. And they know their strategy, their budget and the next needed investments.
The ball ultimately is in their hands, and leverageing that homefield advantage comes with a game plan that answers foundational questions:
- What needs to be protected? This is the OT asset inventory.
- Where are the gaps in protection? This is the vulnerability assessment.
- How can cyber intruders be detected? This is the monitoring system.
- How can intruders be removed and operations restored? This is the response.
Much more is involved, including hardening the system through basic protections, implementing segmentation to prevent attackers from free-roaming the network, and training employees. Consider these the ABCs, then build from there.
The do’s and don’ts of water system cybersecurity
But the key is getting started now, keeping in mind that the likelihood of attack is 100%. But the likelihood of a successful breech is vastly different with a proactive plan aimed specifically at the relevant OT system.
Avoid a simple gap assessment, given that it simply will find an overwhelming number of openings to cyber threats. Instead, save that money and apply it to a plan that will grow the system’s cyber maturity level and help determine what’s affordable now, then build a business case to get the funds needed. Know that progress comes with digestible, doable steps.
Along this journey, understand the do’s and don'ts:
Don’t stop at compliance
You can be fully compliant and not very secure at all. By its nature, compliance is a lowest common denominator game, often casting a false sense of security. The industry is replete with stories of the fully compliant getting taken down by hackers.
Don’t be fooled by “air gaps” or “DMZs”
An air gap is a myth. It is a type of firewall – sometimes called a demilitarized zone (DMZ) – that serves as an umbilical cord from IT to the OT side, leading facility personnel to think they are secure when in reality they are not.
The reason? Employees and contractors continually update the equipment with downloads from the internet. Some systems use Industrial IOT (IIOT), and those systems usually bypass the internet and use cellular or mobile connections that create vulnerabilities.
Don’t believe you’re too small to be a target
Attackers use sophisticated software to scan multiple systems, simply looking for an opening – any opening. Size is immaterial now; it is all about an opportunity that presents itself for the attackers.
Do get the involvement of an OT cybersecurity expert
You need someone who understands your system and is a hands-on practitioner in this area. The right partner will be invaluable in assessing needs, gathering data to help build a business case, assessing vulnerabilities, designing and implementing a cost-effective solution, helping train employees in all the new protocols and processes, designing a response plan and helping to write new policies. In short, cyber-protection experts will help build protections step by step, raising the client’s cybersecurity maturity level to new heights while greatly reducing the site’s risks.
Do take a look at available federal grant money
The federal government has announced some serious grant money to help water utilities fortify their networks. Don’t have in-house grant expertise? Find the right partner who can help access these funds.
Conclusion
All of this explains why OT is a major vulnerability at wastewater systems across our country – and why it must be viewed through a new lens.
While IT and OT on surface have some similarities, they are very different in that each uses different languages, logics and protocols. Shifting the focus to OT – but by no means ignoring IT – can ensure a safer wastewater system that will frustrate attackers and keep equipment and machines humming, doing their jobs in a protected environment.
