Securing Critical Water Systems to Mitigate Cyber Risks

July 22, 2024

Key practices for securing water systems against rising cyber threats, ensuring public safety and infrastructure reliability.

By Kevin Kirkwood, CISO, Exabeam

The increase in cyberattacks targeting water and wastewater systems has become a significant concern for national security and public safety.

In 2023, a hacker group linked to Iran targeted the water system of a town in Pennsylvania. This year, Russian state-sponsored cybercriminals launched attacks on several water systems in Texas. Most recently, U.S. intelligence agencies warned that Volt Typhoon, a group associated with China, had breached multiple critical infrastructure systems, including drinking water.

Recent warnings from the White House and the Environmental Protection Agency (EPA) underscore the escalating frequency and severity of these attacks, highlighting the urgent need for enhanced security measures to defend against threats and safeguard critical services.

Technician inspects water treatment facility equipment to ensure secure and reliable operations.

Monitoring OT and ICS in Water Treatment Facilities

Given these escalating threats, it is crucial to focus on securing the Operational Technology (OT) and Industrial Control Systems (ICS), as these systems form the backbone of water treatment facilities. OT and ICS are designed for operational efficiency and reliability, managing everything from water purification processes to distribution networks, but they often lack basic security measures. This makes them susceptible to attacks that can go undetected until significant damage is done.

Monitoring OT and ICS is crucial for water treatment facilities to detect and respond to potential cyberthreats. By collecting telemetry from OT systems, facilities can record process and device data over time, allowing them to correlate changes in physical processes with security events. These security events can range from reconnaissance and network behavior changes to alterations in operator or engineering user behavior, detected or failed malware, and web-based attacks targeting human-machine interfaces (HMIs). For instance, if a security team gets an alert about a remote terminal unit (RTU) intrusion and then notices an unusual spike in the plant’s chlorine levels, these two events together could indicate a potential attack on one of the treatment plant’s remote sites.

By continuously monitoring these systems, security teams can build a comprehensive picture of what constitutes normal activity within their environment. This understanding allows them to better assess their cybersecurity risk profile and respond quickly to potential threats.
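The correlation described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor: it learns a per-site baseline for chlorine readings, flags excursions, and pairs them with security alerts at the same site within a time window. The site names, readings, alert text and thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean, stdev

T0 = datetime(2024, 7, 1, 2, 0)

def series(site, values):
    """Constructed telemetry: one chlorine reading (mg/L) every 5 minutes."""
    return [(T0 + timedelta(minutes=5 * i), site, v) for i, v in enumerate(values)]

# Constructed sample data; site names, values and alert text are illustrative.
TELEMETRY = (series("remote-site-2", [1.0, 1.1, 0.9, 1.0, 1.1, 1.0, 3.8, 4.1])
             + series("main-plant", [1.2, 1.2, 1.3, 1.2, 1.1, 1.2, 1.3, 1.2]))
ALERTS = [
    (T0 + timedelta(minutes=10), "main-plant", "failed HMI login"),
    (T0 + timedelta(minutes=20), "remote-site-2", "RTU intrusion alert"),
]

def process_anomalies(readings, warmup=5, z=3.0, min_sd=0.05):
    """Flag readings more than z standard deviations from the site's baseline."""
    baseline, flagged = {}, []
    for ts, site, value in sorted(readings):
        hist = baseline.setdefault(site, [])
        if len(hist) >= warmup:
            mu, sd = mean(hist), max(stdev(hist), min_sd)
            if abs(value - mu) > z * sd:
                flagged.append((ts, site, value))
                continue  # keep the excursion out of the baseline
        hist.append(value)
    return flagged

def correlate(alerts, anomalies, window=timedelta(minutes=30)):
    """Pair each security alert with process anomalies at the same site."""
    incidents = []
    for a_ts, a_site, a_desc in alerts:
        hits = [(ts, v) for ts, site, v in anomalies
                if site == a_site and abs(ts - a_ts) <= window]
        if hits:
            incidents.append({"site": a_site, "alert": a_desc,
                              "alert_time": a_ts, "process_anomalies": hits})
    return incidents

if __name__ == "__main__":
    for incident in correlate(ALERTS, process_anomalies(TELEMETRY)):
        print(incident)
```

Excluding flagged readings from the baseline keeps a sustained excursion from being absorbed as the new normal.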

Essential Cyber Hygiene Practices for Water Utilities

However, monitoring alone is not enough. The EPA’s latest call for better protection of water/wastewater systems found that 70% of inspected water systems failed to comply with the Safe Drinking Water Act and possessed critical vulnerabilities. “For example, some water systems failed to change default passwords, use single logins for all staff, or failed to curtail access by former employees,” said the alert.

To effectively bolster their defenses, utilities must practice basic cyber hygiene. This includes several key measures:

  • Regularly Update and Change Passwords: Using strong, unique passwords and regularly updating them is a fundamental step in securing systems. Default passwords should be changed immediately upon installation, and password policies should mandate regular updates to prevent unauthorized access.
  • Implement Multi-Factor Authentication (MFA): Relying solely on passwords is not enough. Implementing MFA adds an additional layer of security, requiring users to verify their identity through multiple methods before gaining access to critical systems.
  • Regularly Audit and Monitor Systems: Regular audits and continuous monitoring of systems can help identify and address vulnerabilities before they are exploited by cybercriminals. Utilities should establish protocols for frequent security assessments and real-time monitoring to detect suspicious activities.
  • Provide Comprehensive Training for Staff: Educating employees about cybersecurity best practices is essential. Regular training sessions should cover topics such as recognizing phishing attempts, the importance of strong passwords, and the proper protocols for accessing and sharing information.
  • Manage Former Employee Access: Utilities must ensure that access rights for former employees are promptly revoked to prevent unauthorized access. This includes deactivating accounts and changing passwords immediately upon an employee’s departure.

By following these fundamental cybersecurity practices, water utilities can significantly reduce their vulnerabilities and protect their critical infrastructure from increasingly sophisticated cyber threats.
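An audit for the three failures the EPA alert names (unchanged default passwords, single shared logins, and lingering former-employee access) can be run against an account inventory. This is an added example, not from the article: the record fields, names and sample data are constructed, and it assumes a password timestamp equal to the creation date means the installation password was never changed.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory; field names are assumptions, not a vendor export format.
ACCOUNTS = [
    {"user": "operator", "owner": None, "enabled": True,
     "created": date(2019, 3, 4), "pw_set": date(2019, 3, 4)},
    {"user": "jdoe", "owner": "J. Doe", "enabled": True,
     "created": date(2021, 6, 1), "pw_set": date(2024, 5, 2)},
    {"user": "asmith", "owner": "A. Smith", "enabled": True,
     "created": date(2020, 1, 15), "pw_set": date(2023, 11, 9)},
    {"user": "blee", "owner": "B. Lee", "enabled": False,
     "created": date(2018, 9, 3), "pw_set": date(2022, 2, 1)},
]
ACTIVE_STAFF = {"J. Doe"}  # constructed roster of current employees
LOGINS = [("operator", "hmi-01"), ("operator", "hmi-02"), ("operator", "eng-ws-1"),
          ("jdoe", "eng-ws-1"), ("asmith", "vpn")]  # constructed (account, host) pairs

def audit(accounts, active_staff, logins, max_hosts=2):
    """Return {user: [findings]} for enabled accounts that fail a hygiene check."""
    hosts = defaultdict(set)
    for user, host in logins:
        hosts[user].add(host)
    findings = defaultdict(list)
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot be used to log in
        user, owner = acct["user"], acct["owner"]
        if acct["pw_set"] <= acct["created"]:
            findings[user].append("password unchanged since installation")
        if owner is None or len(hosts[user]) > max_hosts:
            findings[user].append("shared login (no named owner or many hosts)")
        if owner is not None and owner not in active_staff:
            findings[user].append("enabled account of former employee")
    return dict(findings)

if __name__ == "__main__":
    for user, issues in audit(ACCOUNTS, ACTIVE_STAFF, LOGINS).items():
        print(user, "->", "; ".join(issues))
```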

Ensuring a Secure Future for Our Water Systems

Looking ahead, the challenge for water utilities is not just to respond to immediate threats but to build a resilient infrastructure capable of withstanding future cyberattacks. As cybercriminals continue to evolve their tactics, so too must the defenses of critical water systems. By taking proactive measures today, water utilities can ensure the safety and reliability of their services, protecting public health and maintaining trust in our essential infrastructure.

Kevin Kirkwood

Kevin Kirkwood is the Chief Information Security Officer (CISO) at Exabeam. As CISO, he is responsible for protecting Exabeam’s employees, customers, and data assets from digital threats.

 
