Water Utilities Under Siege: Why Basic Cybersecurity is Still Lacking

Last Wednesday, CISA issued an advisory two days after Arkansas City, Kansas, revealed that a Sunday morning cyberattack forced it to switch its water treatment facility to manual operations. In the alert, CISA urged OT/ICS operators in critical infrastructure sectors to apply the recommendations listed in Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity to defend against this activity and to implement secure-by-design principles and practices.

This advisory highlights what many of us who have worked in this industry have been saying for years: the basic cyber hygiene of our nation's critical infrastructure is not being maintained by the organizations responsible for the care and feeding of it.

Lack of Cyber Hygiene Among Smaller Utilities

While the bulk energy sector, which powers most of the nation, has been mandated to take action since 2006 under the threat of severe monetary penalties, the vast majority of utilities are significantly smaller entities that rely on municipal funding. Because of this, many of them lack the resources to handle basic cyber hygiene tasks, and their staff generally have no background or training in cybersecurity. Their staff typically focus on keeping the lights on and ensuring clean water. They may have IT backgrounds, but not the specialized cybersecurity backgrounds that would give them an advantage against sophisticated attackers.

However, this advisory isn't just about a lack of resources or training. What CISA is saying here, and what I've been saying for quite some time, is that these organizations aren't even following the very basics. There is never a reason for remote access solutions to be exposed to the internet without additional protection such as multi-factor authentication, and most modern remote access tools support those features. Additionally, the continued use of default credentials, which can be changed in less than five minutes, suggests a lack of effort or awareness on the part of those responsible.
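The two failures called out above are easy to check for once you have an asset inventory. The following script is an added example, written for this post; it is not code from the CISA advisory or from any utility. It runs a few simple rules over a constructed inventory (hypothetical host names, credentials and exposure flags) and flags remote access reachable from the internet without MFA, unauthenticated OT protocols reachable from the internet, and accounts still using vendor-default or empty passwords. The default-credential list is a short constructed sample, not a vendor list.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory for illustration only; hypothetical hosts, not taken from
# the advisory or any real utility. A real audit would pull this from asset
# management or scan output rather than hard-coding it.
INVENTORY: List[Dict] = [
    {"name": "hmi-01", "service": "vnc", "port": 5900, "internet_exposed": True,
     "mfa": False, "username": "admin", "password": "admin"},
    {"name": "plc-03", "service": "modbus", "port": 502, "internet_exposed": True,
     "mfa": None, "username": None, "password": None},
    {"name": "jump-01", "service": "rdp", "port": 3389, "internet_exposed": True,
     "mfa": True, "username": "ops-jumphost", "password": "Xq7!r2#vL9pW"},
    {"name": "eng-ws-02", "service": "vnc", "port": 5900, "internet_exposed": False,
     "mfa": False, "username": "operator", "password": "password"},
]

# Interactive remote-access services that must never face the internet without MFA.
REMOTE_ACCESS = {"vnc", "rdp", "ssh", "telnet", "teamviewer"}
# OT protocols that carry no authentication at all; any internet exposure is a finding.
OT_PROTOCOLS = {"modbus", "dnp3", "ethernet/ip", "s7comm"}
# Small constructed sample of vendor-default / trivially guessable credentials.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("admin", "1234"),
                 ("root", "root"), ("operator", "operator"), ("operator", "password")}


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str
    issue: str


def audit(inventory: List[Dict]) -> List[Finding]:
    """Apply the hygiene rules to each asset and return the list of findings."""
    findings: List[Finding] = []
    for a in inventory:
        svc, exposed = a["service"], a["internet_exposed"]
        # Rule 1: remote access on a public interface with no MFA in front of it.
        if svc in REMOTE_ACCESS and exposed and not a["mfa"]:
            findings.append(Finding(a["name"], "critical",
                                    f"{svc}/{a['port']} reachable from the internet without MFA"))
        # Rule 2: an OT protocol with no authentication exposed to the internet.
        if svc in OT_PROTOCOLS and exposed:
            findings.append(Finding(a["name"], "critical",
                                    f"unauthenticated {svc}/{a['port']} reachable from the internet"))
        # Rule 3: default or empty credentials, regardless of exposure.
        user, pw = a["username"], a["password"]
        if user is not None:
            if (user, pw) in DEFAULT_CREDS:
                findings.append(Finding(a["name"], "high",
                                        f"default credential {user}:{pw} still set"))
            elif not pw:
                findings.append(Finding(a["name"], "high",
                                        f"account {user} has an empty password"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by severity, e.g. {'critical': 2, 'high': 2}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(INVENTORY)
    for f in results:
        print(f"[{f.severity.upper()}] {f.asset}: {f.issue}")
    print(summarize(results))
```

Note that the jump host produces no finding: RDP on a public interface is acceptable here only because MFA is enforced and the credential is unique, which is exactly the distinction the advisory draws. The engineering workstation is flagged even though it is internal, because a default password is a problem wherever the device sits.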

The Flaws in Self-Assessment and Regulation 

The America's Water Infrastructure Act (AWIA), signed in 2018, required all water utilities serving more than 3,300 customers to perform a risk assessment that included a cyber portion, but they were permitted to self-assess and submit letters of attestation without proof of compliance. This has left a significant gap in the cybersecurity of these utilities.

At the RSA conference in May, Department of Homeland Security Secretary Mayorkas emphasized the need for action, but many system owners of large water utilities voiced concerns about the lack of concrete solutions. This is all before we even begin to touch things like oil and gas pipelines, which fall under the purview of TSA for cybersecurity regulation.

Despite all the efforts that have been made by people who care about the future of North America’s critical infrastructure, there still is no holistic driving force to reinforce, assess, and enforce a plan of change that would stop these events from happening.  

Anyone who’s worked in the bulk electric sector over the past 20 years will tell you that NERC is far from perfect, but it’s better than nothing. NERC allows for significant input and decision-making from system owners and peers, which sometimes makes the process slow and cumbersome, but it has been relatively effective since its implementation in 2006. A decision could have been made in the past 20 years to copy this model and apply it across other critical infrastructure sectors. 

The problem remains that municipal utilities—whether power, water, or pipelines—need funding sources they currently don’t have, which the merchant energy sector has by default. 

Security-by-Design in Critical Infrastructure

The advisory also references security-by-design standards, a concept that has been gaining traction at Idaho National Laboratory (INL) and elsewhere for quite some time. I've spoken at several engineering events alongside Andy Bochman from INL, who actively studies and helps publish papers on building security, particularly cybersecurity, into the engineering designs of systems and devices. I've also recently begun working with one of his colleagues, Emma Stewart, as I joined two new NERC working groups focused on cybersecurity for inverter-based and distributed energy resources.

These concepts exist, and there are many people doing important work in this space. Many of us donate our time because we care about the future of North America’s critical infrastructure and want to see meaningful change. 

The current state of affairs has persisted for too long. It’s time for a change. 

For more of my thoughts on these topics, check out the following articles: 

Dark Reading: Securing Our Critical Infrastructure 
Security Ledger Podcast: OT Under Attack 
YouTube: OT Risk Management 
Security Ledger: Third-Party OT Risk 
HelpNet Security: OT Network Visibility 
LinkedIn: Network Segmentation
