Security insights from ThreatLocker
Like many critical infrastructure verticals, the water industry faces increased cybersecurity risks.
Water is managed locally or privately depending on where you live, making it incredibly difficult to regulate and manage. As far as utilities go, water typically has the lowest amount of financial resources allocated towards it, making cybersecurity a non-priority. On top of that, OT has been retrofitted for remote access, creating an inherent cybersecurity issue.
As threat actors look to disrupt supply chains, water companies need to ensure water’s continued access and safety. As with all verticals, water companies need to be concerned about the regular threats that all businesses face. As the risk of ransomware and other cyber attacks continues to increase, water companies must be vigilant of attacks targeting their infrastructure.
Typically, when a business loses access to its systems due to a ransomware attack, it does not affect people's ability to survive. Problematically, decentralized regulatory control and limited finances often mean that water companies lack the resources for continuous security hygiene. Meanwhile, cyber-physical system (CPS) technologies that link enterprise IT networks to operational technology (OT) networks increase the chances that a threat actor's attack will succeed.
Across the industry, companies are managed differently. According to the Water Sector Coordinating Council's "Cybersecurity 2021 State of the Industry": [1]
With water companies owned and operated in various ways, the financial support for cybersecurity varies widely.
While threat actors continue to target critical infrastructure, few statistics exist when compared with enterprise IT. A 2021 article, "A Systematic Review of the State of Cyber-Security in Water Systems", explains that the attacks are rarely made public and that attribution is often difficult. [2]
However, the article does note that the number of attacks on cyber-physical systems (CPS) has increased in recent years, listing attacks such as Stuxnet, Duqu, BlackEnergy, and Havex. The article additionally notes that threat actors targeting water systems include nation-state political actors, financially motivated cybercriminals, and former employees.
The traditional method for protecting OT systems from IT and vice versa is air-gapping: an interface between two systems at which (a) they are not connected physically and (b) any logical connection is not automated (i.e., data is transferred across the interface only manually, under human control). OT systems often run legacy operating systems; they not only pose an increased risk of being exploited themselves through a vulnerability, but also give attackers a route into IT systems by running undetected code on the OT side. However, water companies increasingly use CPS technologies that connect their OT systems to the enterprise IT network, because this allows more efficient monitoring and integration with billing services.
This connectivity undermines air-gapping because threat actors can use a vulnerability in the enterprise IT network to gain access to OT. Attackers often start by using a common vulnerability, malicious software, or Remote Access Tools (RATs) to access the enterprise network. Once they gain access, they escalate the attack either by using direct controls over OT systems or by exploiting poor code in the CPS.
They will often exploit privileges within that network, or operate silently from the OT operating systems, allowing them to capture information about the IT networks. From there, they obtain administrative privileges and operate in the IT network with admin permissions.
For example, when threat actors attacked a water treatment plant in Oldsmar, Florida this year, they started by abusing TeamViewer, a legitimate piece of software, in order to access the IT systems. This ultimately gave them access to the OT systems, enabling them to raise the sodium hydroxide level to a potentially dangerous amount. In this case, the attacker went straight for the objective and attempted to poison the water supply. In many other cases, however, backdoors would be planted to allow further access later.
Many OT systems were built and designed prior to the internet, meaning that they incorporate legacy technologies. Between design and age, they lack modern security controls, and security tools like scanners are often unable to provide adequate visibility into assets on the network.
These systems are often fragile. A small change or abnormal activity within the network architecture can lead to costly downtime. For the water industry, downtime has greater social implications. Water is fundamental to health and hygiene. Therefore, critical system outages can impact the population’s physical safety.
Municipalities are notorious for poor IT hygiene. Users often run as local administrators on outdated operating systems with little training, and basic controls listed in the CIS and NIST frameworks go unimplemented. This makes municipalities attractive targets for cybercriminals, with major societal implications.
Despite the rise in attacks against CPS technologies, water companies continue to struggle with limited IT and OT financial resources.
The “Cybersecurity 2021 State of the Industry” notes the following around IT and OT cybersecurity budget allocation:
These limited budgets ultimately make securing water more difficult, driving companies to seek cost-effective cybersecurity risk mitigation solutions.
To further complicate matters, water companies lack clear regulatory guidelines. Despite falling under the Environmental Protection Agency’s (EPA’s) control, water companies also find themselves regulated by state and environmental agencies as well as state public utility commissions.
Although America's Water Infrastructure Act of 2018 [3] included cybersecurity, it only mentions it twice, providing limited guidance:
The emergency response plan shall include— ‘(1) strategies and resources to improve the resilience of the system, including the physical security and cybersecurity of the system;
The EPA provides a four-page "Water Sector Cybersecurity Brief for States" [4] which lists the 2019 Water Sector Cybersecurity Risk Management Guidance (WSCRMG). [5]
As water companies look to protect themselves from ransomware attacks, some of the controls listed in the WSCRMG that help them do so include:
With ransomware on the rise, water companies need to find threat mitigation strategies that enable them to protect their OT environments. The same connectivity that enables threat actors to move from enterprise IT networks to OT systems also acts as a means of transmitting malware to OT devices.
Installing security updates on endpoint IT devices is fundamental to protecting interconnected systems, yet even a single unpatched endpoint can pose a risk to OT systems. Additionally, because OT systems are fragile, updating the endpoints creates a risk of its own. This added complexity often requires the water company to schedule maintenance and downtime, and since water is fundamental to human health and safety, this is not always a viable option.
By setting deny-all (default-deny) policies for all application communications to networks and to other applications, and then explicitly allowing only the communications each application needs, organizations limit access as much as possible. Some benefits of this approach include:
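To make the default-deny idea concrete, here is an added illustration (not ThreatLocker's code or product logic) of an application communication policy: each application gets an explicit list of destination networks and ports it may talk to, anything not listed is denied, and denials are summarised per application so a defender can spot an unknown binary or an IT application reaching into the OT segment. The application names, addresses and events are constructed for the example.

```python
"""Default-deny application communication policy, as an added illustration.

Applications, network ranges and events below are constructed sample data;
they are not taken from any real water utility or product configuration.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AllowRule:
    application: str   # executable name the rule applies to
    destination: str   # CIDR the application may reach
    port: int          # TCP/UDP destination port permitted


# Explicit allow list: only what each application needs to do its job.
# (Hypothetical names: a SCADA historian talking Modbus to the PLC segment,
# a billing sync job talking HTTPS to an internal billing server, and a
# browser allowed HTTPS anywhere.)
ALLOW_RULES = [
    AllowRule("scada_historian.exe", "10.20.0.0/24", 502),
    AllowRule("billing_sync.exe", "10.10.5.0/24", 443),
    AllowRule("browser.exe", "0.0.0.0/0", 443),
]

# A blocklist, for comparison with the default-allow model this replaces.
BLOCKLIST = {"known_bad.exe"}


def evaluate(application, dest_ip, port, rules=ALLOW_RULES):
    """Default-deny: ALLOW only if an explicit rule matches, otherwise DENY."""
    addr = ip_address(dest_ip)
    for rule in rules:
        if (rule.application == application
                and rule.port == port
                and addr in ip_network(rule.destination)):
            return "ALLOW"
    return "DENY"


def evaluate_blocklist(application, blocklist=BLOCKLIST):
    """Default-allow with a blocklist: anything not already known bad passes."""
    return "DENY" if application in blocklist else "ALLOW"


# Constructed connection events: (application, destination IP, port, note)
SAMPLE_EVENTS = [
    ("scada_historian.exe", "10.20.0.15", 502, "expected Modbus traffic"),
    ("scada_historian.exe", "10.20.0.15", 445, "SMB from historian, not needed"),
    ("billing_sync.exe", "10.10.5.7", 443, "expected billing traffic"),
    ("billing_sync.exe", "10.20.0.15", 502, "IT app reaching OT segment"),
    ("unknown_tool.exe", "203.0.113.9", 443, "binary with no policy at all"),
    ("browser.exe", "203.0.113.9", 443, "ordinary web browsing"),
]


def evaluate_events(events=SAMPLE_EVENTS, rules=ALLOW_RULES):
    """Return [(application, dest_ip, port, decision), ...] for each event."""
    return [(app, ip, port, evaluate(app, ip, port, rules))
            for app, ip, port, _note in events]


def deny_summary(events=SAMPLE_EVENTS, rules=ALLOW_RULES):
    """Count denials per application; a good starting point for review or alerting."""
    return dict(Counter(app for app, _ip, _port, decision
                        in evaluate_events(events, rules) if decision == "DENY"))


if __name__ == "__main__":
    for app, ip, port, decision in evaluate_events():
        print(f"{decision:5} {app:22} -> {ip}:{port}")
    print("denials per application:", deny_summary())
    # The unknown binary slips through a blocklist but not the default-deny policy:
    print("unknown_tool.exe under blocklist:", evaluate_blocklist("unknown_tool.exe"))
```

The point of the comparison is the `unknown_tool.exe` event: a blocklist passes it because nobody has listed it as bad yet, whereas the default-deny policy blocks it because nobody has listed it as needed. The same mechanism stops the billing application from opening a Modbus connection into the OT segment even though both endpoints are legitimate, which is exactly the IT-to-OT path described above.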
ThreatLocker® is a global cybersecurity leader, providing enterprise-level cybersecurity tools to improve the security of servers and endpoints. ThreatLocker’s combined Application Whitelisting, Ringfencing™, Storage Control and Privileged Access Management solutions are leading the cybersecurity market towards a more secure approach of blocking unknown application vulnerabilities.
[1] American Water Works Association. (2019). Water Sector Cybersecurity Risk Management Guidance. American Water Works Association. https://www.awwa.org/Portals/0/AWWA/ETS/Resources/AWWACybersecurityGuidance2019.pdf?ver=2019-09-09-111949-960
[2] Tuptuk, N.; Hazell, P.; Watson, J.; Hailes, S. (2021). A Systematic Review of the State of Cyber-Security in Water Systems. Water, 13, 81. https://dx.doi.org/10.3390/w13010081
[3] America's Water Infrastructure Act of 2018. https://www.congress.gov/115/bills/s3021/BILLS-115s3021enr.pdf
[4] Environmental Protection Agency. (n.d.). Water Sector Cybersecurity Brief for States. EPA. https://www.epa.gov/sites/production/files/2018-06/documents/cybersecurity_guide_for_states_final_0.pdf
[5] American Water Works Association. (2019). Water Sector Cybersecurity Risk Management Guidance. American Water Works Association. https://www.awwa.org/Portals/0/AWWA/ETS/Resources/AWWACybersecurityGuidance2019.pdf?ver=2019-09-09-111949-960