Facing up to cyber security11 January 2022
Andrew Nix, Operational Cybersecurity Consultant at Schneider Electric, tells IWP&DC that water companies, including hydroelectric facilities, are facing growing cyber security threats, and offers advice on how facilities can ensure they are unattractive targets for attack
What kind of cyber security threats are water and power projects facing?
In the water industry – whether its from the perspective of a dam, hydropower project or water treatment facility – cybersecurity as a whole is becoming more and more important. Cyber threats are growing and advancing, they are becoming more automated and more intelligent in how they identify and attack targets. According to Cybersecurity Ventures, cyber crime will cost the global economy $6 trillion this year, which is more than the GDP of the UK – it’s an impressive number.
A lot of companies and utilities in the water industry don’t really recognise themselves as a potential target for cyber attacks, when in reality they are an ideal target. We’re really starting to see that impact more and more in the water space. The reason for this may be tied to the state of the equipment in the water space – with equipment of different ages, from different manufacturers and operating with different protocol. The amount of uniqueness and differentiation between all those devices poses a big challenge to a facility because it can be very difficult to manage the security of all the different equipment from all those various vendors – they use different patches, different operating systems, offer differing levels of support, etc.
There is quite a lot of work involved in helping to secure infrastructure and ensure the whole facility is protected from all the different elements it contains. As an example, if you go and buy a new phone there is always some inbuilt cybersecurity functions for that specific device. However, you then go and install apps, use the internet, get your email, and allow your kids to play on it. That’s a lot of unknowns for the manufacturers. We can’t necessarily cater to all of that, and so it’s really important that you have tools that help you secure the entire facility, the entire network and everything in it, regardless of manufacturer.
It’s so important to be cyber secure in water because of the extremely critical services provided. Like we saw at a water treatment facility in Florida back in February this year, if someone’s able to, for example, cause an event, manipulate process integrity, cause an outage, damage equipment, or contaminate the product, that can impact the lives and the safety of hundreds or thousands of people.
Attackers understand this. They know that if they can cause pain to the facility, if they can cause an outage, that’s the easiest way to get someone to pay them. They’ll get their revenue, and then move on to the next target. They recognise that targeting water is one of the easiest ways to do that, because of all the differences in equipment and the inherent risks in that environment.
Has the move to home and remote working made it easier for facilities to be targeted?
It absolutely has. I think one of the reasons for that is that organisations really struggle with the proper way to remotely operate a facility. They don’t often give workers the right tools to remotely view what’s happening, or take remote control of certain aspects of the facility. When you’re an employee sitting at home, you may be doing what you think is the right thing to get to that facility to, for example, view SCADA screen and things of that nature – but that is a potential attack avenue.
The home network is inherently not as secure as the operational network that you’re connecting to. If you have a vulnerability at home, somebody could manipulate that to get through your system and into an operational computer. We’ve seen that a lot in in different industries where remote access poses a threat.
The other side of that is for the operators at the site who may not know the difference between an attacker that’s manipulating a remote access platform, and a legitimate person trying to make changes. They just see someone that’s connected trying to do things and they don’t know if that’s an approved action or a malicious action – they need something in place that can help them see the difference. They need to be able to log what’s happening, see who’s logged in and how, and be able to vet those connections.
The remote world that we’re in now certainly does add a lot of complexity to how cyber threats are detected. That inherent risk of having outsiders able to control things from outside the facility certainly demonstrates the need for stronger cybersecurity.
How can facilities protect themselves against cyber attacks?
There are a number of different ways facilities can project themselves. The first one is to build a holistic approach to cybersecurity. The reason this is so important is because there’s already a lot going on in the facility. There’s a lot of equipment there, a lot of processes, all of which are very important and can’t be stopped.
If we’re looking at cybersecurity for each vendor, or for individual sections of the facility, it’s just going to add even more complexity and even more risk. If we view cybersecurity as a platform that looks at everything in a holistic and vendor agnostic way, then you’re going a long way and making sure that the entire environment is protected. That way you’ll be able to identify when strange things are happening in the environment or see when one system may be impacting another, and then be able to act on it.
Another thing I think is really important is to use the standards that are available to you as an organisation. There are many, including: IEC 62443 (which is considered the prevailing operational and industrial cybersecurity standard right now); AWWA; the NIST framework; and NIST 800. Those are major drivers to use to begin a cyber journey as they lay frameworks and reference models for organisations to use to secure their control systems.
Equally as important is training and enforcing cybersecurity culture. Every person in the facility needs to know their involvement in a secure cyber architecture. It doesn’t matter if you’re in the control room, in the front office, or a delivery driver - every person can impact cybersecurity in some way! Everyone needs to understand how their actions could present a security risk. For example, if someone plugs their cell phone into a workstation to charge it, that’s a cyber risk. If you bypass something on a system to make your job easier, that’s a cyber risk. If employees understand how actions can impact an operation, and what the cyber chain of events could be, it will help them avoid those pitfalls.
Phishing in email attacks is one of the top methods for gaining access to operational networks – all it takes is one person clicking on a phishing email to infect the entire network. Attackers will send an email that looks like an official email, asking you to log in. When you click something, it will ask for your credentials, and then immediately they’re logging that, giving them a legitimate login to get into your network. This makes it even harder for someone to identify if it’s legitimate or not. Employees need to understand what to look for, it would only take an extra few seconds on an email to check who it’s from, check that it’s not an external address, etc.
The last thing that I’ll say here is don’t feel like you as an organisation have to go it alone. There are a lot of next gen tools that are developed specifically for the OT space, and even more specifically for water, that can really help fight the newest threats that are becoming more and more advanced.
What types of tools to improve cyber security are available?
There are a few different categories based on the NIST framework of tools. Categories fall into the following areas:
- Identify: these are tools that help with an asset inventory. They’re identifying what’s on the network because if you don’t know what you have, it can be very difficult to protect it.
- Permit: these tools look at who’s accessing the system, and will authorise who can and can’t get gain access, giving you a secure network. It includes things like network segmentation and firewalls, the multi factor authentication tools. Even things like Active Directory to help control who can and can’t get to different things.
- Protect: this covers patch management HOST intrusion detection, removable media control, endpoint protection and antivirus - the things that that form a barrier around those devices from malicious tools.
- Detect: this includes things like anomaly detection where we’re using artificial intelligence to identify what’s on the network, how it communicates, and what is its normal day to day process. When something is happening that’s different, it will highlight that to you. It gives you actionable data that you can go and resolve, rather than having to try to monitor everything separately.
- Respond: this is one of the most important tools. Everyone knows what to do in their facility if there’s a fire but very few know what to do in the case of a cyber attack. Attackers are hoping that you’ll be confused, panic and react incorrectly. Having backup and recovery, knowing what to do, and practising what to do in the case of an incident is very important and will really help in making sure that the facility is an unattractive target to attackers.
Should cybersecurity be built into the facility in its early stages of development?
Yes, absolutely. We’ve seen facilities that are delivered with malicious software in them already. It has been suggested that within the first five minutes of operation, an IoT device is initially polled as part of an attack. There’s an incredible amount of gaps that are left when facilities are created or brought online without any cybersecurity, for it to be added later. It’s really trying to reinvent after the fact. There are enough advancements in tools and processes today to launch a facility from day one that is really cyber resilient. This can then be maintained over time rather than trying to play catch up from day one.
Is it harder to build cybersecurity in older facilities?
Truthfully it can be harder and a lot of that comes down to the age of the equipment. They’re not as easy to secure and they may be more sensitive to monitoring and things of that nature. But that doesn’t mean that it’s impossible – anything is better than nothing.
The goal of a facility shouldn’t be to be hack proof. Hack proof is a fallacy. It would be very difficult and costly to achieve. What they should do is try to be an unattractive target. Even if the facility is 100 years old, there are methods to help secure the equipment they have, and make sure that it’s resilient and sustainable. Just because the facility is older and uses older equipment, it doesn’t mean that it’s not worth investing in cybersecurity. You can still protect the devices that are connected and keep them safe, so that they’re not posing a risk to anything that’s deeper into the network.
Is there any additional information our readers should know about cybersecurity?
Something we hear a lot is that companies think it’s an IT issue – those in the operational side think ‘oh we’ll let IT take care of it.’ However, there’s still a large number of cyber attacks that come in from the IT space, and then filter into the OT space, due to a lack of cybersecurity in the operational environment. The critical thing to know is that with operational equipment or critical infrastructure equipment, like PLC, SCADA, IoT, the way that they operate, and the languages and protocols they use are very different than what IT is typically used to seeing.
It’s important to understand that difference, and not just try to apply the same IT principles that you use in an office space, because it will miss things. IT doesn’t know what to look for in that environment. Yes, it is an IT issue, but it’s also an OT issue as well, because of those specifics that are proprietary to those devices, those protocols for PLC, SCADA, power management, building management, etc. From an attack perspective both represent vulnerabilities, both have their own methods of being attacked. It’s very important that we’re on top of maintenance and patching, and give responsibility of ownership to both sides of the equation, not just assign it to one.
It’s also OK to ask for outside help. Schneider deals with some of the biggest and brightest companies in the world, and they still need help. There are areas where expertise and outside insights are useful so don’t think that you have to go it alone. It’s okay to ask cybersecurity experts outside of your organisation for help and guidance, to make sure that you’re secure. It’s better to get that help and understand what to do and correct any issues instead of not knowing and potentially causing a concern.
Lastly, with all of that said, I do think that there’s a lot of optimism in the OT security market today, especially in water and utilities. There’s a lot of tools now that make cybersecurity management easier. It doesn’t require a full staff of folks working on a computer 24/7 to manage, there are tools that can do a lot of that for you so you can focus on other things.
There are standards and support at country level to help secure critical infrastructure at its core. Over the last couple years there’s been a lot of interest and excitement in getting this secured, so now’s a great time to be an organisation looking at how to secure your infrastructure. It’s not too late.