No water – No Life
By Danny Lacker, IL Water Authority & Eran Fine, NanoLock Security
A recent article in The Guardian reported that Moody’s, the credit rating agency, has warned that UK water companies are facing an increased risk of cyberattacks. Hackers could potentially gain access to operational technology systems and impair drinking water treatment facilities, which can have lethal consequences and ultimately endanger human lives. This serious issue highlights the growing vulnerability to cyber threats of critical infrastructure, which is known for its limited protection and aging production environments. Moody’s warning doesn’t come as a surprise: Southern Water, a water collection, treatment and supply company in southern England, was targeted in January by the Black Basta ransomware group, which claimed to have accessed Southern Water’s systems and posted stolen data on the dark web.
Securing The Lifeline: Protecting Critical Assets
Directly protecting and securing Industrial Control System (ICS) devices, such as PLCs, is crucial to mitigating the risks of cyberattacks on water infrastructure. Such protections must include authentication and authorization of users, giving OT managers control over who can access PLCs. Device-level protections would have prevented the need for manual interventions in the late 2023 attack on a Pennsylvania water facility, where threat actors obtained login credentials and used them to gain access to Unitronics devices.
The Consequences of Inaction: Real-World Examples
While The Guardian’s article focused on the UK, the threat of cyberattacks on water infrastructure is a universal issue. In the United States, for example, there have been several high-profile incidents in recent years, including the 2023 attack on a water treatment plant in California, where an attacker gained unauthorized access to critical systems. The attacker was a third-party contractor hired to operate the facility, who during that time installed software that gave him access to the facility’s systems from his personal computer. After his resignation, he transmitted a command to delete crucial programs used in treating the water, which serves 15,000 residents. While this attack raises concerns, the true scope of the issue is even more alarming. A Ponemon Institute study found that every single company surveyed experienced an insider incident. However, this shouldn’t cause organizations to view their workforce as inherently risky. Companies must focus on mitigating these risks, not fearing the people behind them.
Industrial Zero Trust: Regulatory Embrace for Building Resiliency in Water Infrastructure
Responding to incidents such as the Pennsylvania attack in late 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated that the attackers exploited weaknesses in cybersecurity, including poor password security. The agency also urges water authorities to back up the logic and configurations on any PLCs to enable fast recovery. This aligns with the Environmental Protection Agency’s (EPA) statement that water authorities must bolster their cybersecurity measures, which asks them to meet certain requirements and to make cybersecurity audits available at regular inspections.
Prioritizing Cybersecurity in the Water Sector
Security involves a simple approach: don’t trust anybody. Applying and enforcing zero trust directly on the devices therefore helps protect critical infrastructure, such as water companies. By directly protecting and securing OT assets such as PLCs, and implementing protections that include authentication and authorization of users, OT managers can gain control over who can access PLCs and prevent unauthorized access.