The U.S. has recently seen a handful of cybersecurity incidents that came close to severely compromising important utilities. In February, the water system in Oldsmar, Florida, was nearly poisoned when an intruder remotely accessed the treatment controls and increased the sodium hydroxide level by a factor of more than 100. A few months later, the cleaning and disinfecting procedures at the water system in Ellsworth, Kansas, were shut off remotely by a former employee. And just last month, Americans watched the cyberattack on the Colonial Pipeline send the country into a panic after the attack forced a shutdown of fuel and gas transportation.
Marty Edwards is currently the vice president of operational technology (OT) security at Tenable and a leading cybersecurity expert. Before joining Tenable, Edwards was the longest-serving director of the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and was global director of education at the International Society of Automation. Pumps & Systems spoke with him about this recent increase in cyberattacks on utilities, why they're dangerous and what can be done to stop them.
Has there been an uptick in attacks on water facilities recently?
While most experts tend to agree that the rate of attacks is increasing, meaning there are more and more of these attacks happening every single day, another aspect is that we are hearing about them more than we used to. Organizations are to be applauded for their increased transparency during incidents such as these and, as a result, we are hearing about them more often.
Criminal ransomware operators are also increasingly targeting critical infrastructure systems and sectors such as water since production downtime in these systems can be costly and, as a result, worth more money to the criminals.
What makes facilities like water and gas facilities a good target for attacks?
Industrial control systems and operational technology are the very fabric of the things we rely on every day: food, gas, electricity and even water. But as we incorporate new devices and capabilities such as the Industrial Internet of Things (IIoT) into these systems to help improve their reliability and efficiency, the convergence of IT and OT has expanded the threat landscape and created new attack vectors. OT systems were often not designed with security in mind.
Additionally, many industrial environments are no longer air-gapped, which means they’re exposed to the outside world. This creates an expanded attack surface and provides cybercriminals with an opportunity to move laterally from IT to OT, or vice versa. Visibility and control over converged environments like this are foundational to any security program.
Have you seen more or less vulnerability in certain conditions?
Due to the pandemic, system operators have had to rely more and more on remote operations or maintenance access. If these systems are not deployed in a secure fashion, they can lead to an easy access vector for criminals to exploit. I would urge organizations to inventory their assets and specifically look for external or internet connectivity and harden those systems appropriately.
Why is this vulnerability to cyberattacks dangerous?
Water facilities are an integral part of industrial control systems and operational technology, which make up the very fabric of the critical infrastructures that surround us. From water systems to the electric grid to the pharmaceutical plants manufacturing the COVID vaccine, OT devices are the backbone of many things we rely on every day. Restricting access to any part of the nation’s critical infrastructure can have destructive consequences. We saw this play out after a cyberattack shut down the Colonial Pipeline for days, an event that had far-reaching impacts on gas supply across the country. It would have been catastrophic had bad actors been successful in poisoning the water treatment plant in Oldsmar, Florida, a few months ago. We’re starting to see the tangible impacts of these cyberattacks more and more, which hopefully will serve as a wake-up call for the importance of securing these systems.
What can be done to decrease the potential for attacks?
Organizations must understand that securing OT systems also requires securing the IT side of the house. Most industrial environments are no longer air-gapped, which means they’re exposed to the outside world. This creates an expanded attack surface and provides cybercriminals with an opportunity to move laterally from IT to OT, or vice versa. It is essential to maintain visibility into all of the systems and devices that comprise a control system operating critical infrastructure. Logging of all connections into the system and alerting based on policy violations or anomalous behavior certainly can help pinpoint intrusions before they are able to cause any harm. Monitoring your devices for unauthorized configuration changes can also assist in reverting to normal operations as quickly as possible.
I think some organizations still don’t understand why they need to invest in what I call ‘cyber maintenance.’ If you purchase a large pump or piece of equipment, everyone understands that you need to have things like a maintenance schedule and someone to check the lubricating oil. Computers and control systems are no different—you need to have the people and the processes in place to make sure they are being maintained too.
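The three controls named in the last answer (logging connections into the control system, alerting on policy violations and anomalous behavior, and watching controllers for unauthorized configuration changes) are concrete enough to show in code. The script below is an added example for this article; it is not code from Marty Edwards, Tenable or Pumps & Systems. The IT and OT address ranges, the jump host and engineering workstation, the sensor log format and the controller configuration texts are all constructed assumptions for illustration. The policy rules are deterministic (IT-to-OT traffic from anything but the approved jump host, OT hosts reaching outside the plant, control-protocol writes from anything but the engineering workstation); the anomaly rule reports flows never seen during a learning period even when no static rule forbids them, which is the case that catches the unexpected but "allowed" connection; the drift check compares SHA-256 fingerprints of each controller's configuration against an approved baseline.

```python
"""Connection-log policy alerting, new-flow anomaly detection and controller
configuration-drift checks for a converged IT/OT network.

Added example for this interview; not code from the interviewee, Tenable or
Pumps & Systems. Zones, hosts, log format and config texts are constructed.
"""
import hashlib
import ipaddress
from dataclasses import dataclass

# Assumed (illustrative) network policy: one IT jump host may reach OT, only the
# engineering workstation may write to controllers, nothing in OT talks outside.
IT_ZONE = ipaddress.ip_network("10.1.0.0/16")
OT_ZONE = ipaddress.ip_network("192.168.100.0/24")
JUMP_HOSTS = {"10.1.50.5"}
ENGINEERING_WORKSTATIONS = {"192.168.100.10"}
CONTROL_PORTS = {502, 20000, 44818}  # Modbus/TCP, DNP3, EtherNet/IP

# Constructed sensor log, one record per line: "timestamp src dst dport action".
SAMPLE_LOG = """\
2021-06-01T08:00:01 192.168.100.10 192.168.100.20 502 write
2021-06-01T08:00:05 10.1.50.5 192.168.100.10 3389 session
2021-06-01T08:01:10 192.168.100.11 192.168.100.20 502 read
2021-06-01T09:15:42 10.1.22.7 192.168.100.20 502 write
2021-06-01T09:16:03 192.168.100.20 203.0.113.9 443 session
2021-06-01T09:20:00 192.168.100.11 192.168.100.21 20000 read
"""


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    action: str


def parse_log(text):
    conns = []
    for line in text.splitlines():
        ts, src, dst, dport, action = line.split()
        conns.append(Conn(ts, src, dst, int(dport), action))
    return conns


def policy_violations(conns):
    """Static rules; each alert is (timestamp, rule, src, dst)."""
    alerts = []
    for c in conns:
        src, dst = ipaddress.ip_address(c.src), ipaddress.ip_address(c.dst)
        if dst in OT_ZONE and src not in OT_ZONE and c.src not in JUMP_HOSTS:
            alerts.append((c.ts, "IT->OT from non-jump host", c.src, c.dst))
        if src in OT_ZONE and dst not in OT_ZONE and dst not in IT_ZONE:
            alerts.append((c.ts, "OT host reaching outside IT/OT", c.src, c.dst))
        if (c.dport in CONTROL_PORTS and c.action == "write"
                and c.src not in ENGINEERING_WORKSTATIONS):
            alerts.append((c.ts, "control write from unauthorized host", c.src, c.dst))
    return alerts


def new_flows(conns, learn):
    """Anomaly rule: (src, dst, dport) tuples absent from the first `learn`
    records are reported once each, whether or not a static rule forbids them."""
    baseline = {(c.src, c.dst, c.dport) for c in conns[:learn]}
    seen, out = set(), []
    for c in conns[learn:]:
        key = (c.src, c.dst, c.dport)
        if key not in baseline and key not in seen:
            seen.add(key)
            out.append(key)
    return out


def fingerprint(config_text):
    return hashlib.sha256(config_text.encode()).hexdigest()


def config_drift(baseline, current):
    """Devices whose current config hash differs from the approved baseline
    (a device with no baseline entry counts as drifted)."""
    return sorted(d for d, text in current.items()
                  if baseline.get(d) != fingerprint(text))


# Constructed controller configs: approved baseline hashes and a later poll in
# which the caustic setpoint on PLC-20 has been changed.
BASELINE = {"PLC-20": fingerprint("naoh_setpoint_ppm=100\npump_max_rpm=1750\n"),
            "PLC-21": fingerprint("chlorine_setpoint_ppm=1.5\n")}
CURRENT = {"PLC-20": "naoh_setpoint_ppm=11100\npump_max_rpm=1750\n",
           "PLC-21": "chlorine_setpoint_ppm=1.5\n"}


def run(log_text=SAMPLE_LOG, learn=3):
    conns = parse_log(log_text)
    return {"violations": policy_violations(conns),
            "new_flows": new_flows(conns, learn),
            "drift": config_drift(BASELINE, CURRENT)}


if __name__ == "__main__":
    for section, items in run().items():
        print(section)
        for item in items:
            print("  ", item)
```

On the constructed log the static rules fire three times (the write to PLC-20 from an ordinary IT workstation trips two rules, and the OT host contacting an internet address trips one), while the anomaly rule additionally surfaces the read from 192.168.100.11 to PLC-21, which no policy forbids but which never appeared during the learning window. The drift check reports PLC-20. In a real deployment the learning window would be days rather than three records, and the baseline hashes would be taken from controller project files exported under change control rather than from inline strings.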