On February 5, 2021, an unknown cyber attacker hacked into a water treatment facility in Florida, prompting alarm among energy providers who use Industrial Control Systems (ICS). This facility, much like many other water facilities across the country, had embraced modern digital technologies, connecting more and more ICS and Industrial Internet of Things (IIoT) devices to corporate and remote networks. The goal of connecting systems is to support better efficiencies and modernize aging computing infrastructures.
While modernizing ICS comes with benefits like lower costs, it also brings new cybersecurity challenges. In this case, an attacker was able to remotely access the facility’s ICS platform twice in one day. The second time, they attempted to operate the various control functions, including one that controls the amount of sodium hydroxide in the water. The hacker changed that from 100 parts per million to 11,100 parts per million. In high concentrations this chemical can cause severe burns to the eyes, skin, digestive system or lungs, resulting in permanent damage or death.
Fortunately, the attack took place in the middle of a workday, when there were people at their desks to see what was happening on the screen in front of them. What if he had chosen to attack overnight, on a weekend, or on a holiday? How would he have been caught, and who would come to the rescue? The facility reported that additional safety systems and checks would have prevented serious harm to the public. However, in the face of this attack some energy facilities are getting cold feet about upgrading to more modern, internet-connected technology.
“Safety” of Historically Disconnected Systems
Water facilities have traditionally been 100% on-premises and disconnected from the internet, and therefore have had little perceived need for cybersecurity. In that milieu, if a facility computer goes down, it’s traditionally been an isolated problem that can be fixed on-site or worked around with manual procedures. This model may appeal to some, who would argue that an attacker on the other side of the globe can’t get to your controls and make malicious changes. On the other hand, you’re very limited in the data you can collect and are missing out on major operational efficiencies. For example, if something needs to be adjusted on a weekend or in the middle of a treacherous ice storm, someone has to physically go into the control room or out into the field with a flashlight. While these manual processes have worked in the past, the push to modernize the water industry through smart systems and intelligence analytics is driving significant change.
The Days of Analog are Going Away
Moving from an outdated model to a more efficient one by implementing new technologies is a process often referred to as Digital Transformation, and it comes with tremendous benefits, but can also feel scary because it does introduce new risk. Case in point, if you can access your systems remotely then in theory so could attackers (as in the case of the water plant contamination hack). For some, the answer seems simple – stay away from new technology, especially anything connected to the internet.
In today’s world, however, that simply isn’t reality, because once the technology to operate more efficiently exists, people expect that kind of efficiency. If you’re using outdated control systems, you simply don’t have the data you need to improve outcomes. Today, municipalities are moving to data-driven decision making and often won’t allocate budget to any requests that aren’t backed by sound metrics. If you don’t have them, you’re less likely to get that budget for improvements. Digital technology can absolutely transform water treatment facility operations for the better, including making them more secure than ever. It’s a matter of ensuring your digital transformation is cyber-secure from the beginning.
What is Secure Digital Transformation?
When you are evaluating new technology, you should always consider that it isn’t necessarily the technology itself that provides you security or insecurity. It’s just a tool. What will make you more secure is how you architect the technology, and how it is managed. For example, all systems have access points, but how you manage those access points can be the difference between having someone break into your systems unnoticed or not. Decisions about secure access control and how it should be managed fall under the cybersecurity category of policies and procedures. Having strong cybersecurity policies and procedures creates a secure foundation to build upon.
A second strong pillar of cybersecurity is vigilance. In today’s interconnected world, vigilance often comes in the form of continuous monitoring and proactive defenses. In the case of Industrial Control Systems, you will want to have someone monitoring your systems and responding to the ever-changing threat landscape. In days past, that often meant hiring someone to sit in front of your screens around the clock. However, that gets very expensive, very fast. Today’s cybersecurity strategies often include outsourcing monitoring and advanced detection technologies to dedicated organizations that have the resources and expertise to handle incidents. Ultimately, decisions like this should be considered in your digital transformation roadmap.
What Steps Can You Take Right Now?
- Policy Development
Start with a strong foundation and develop policies and procedures to align your security goals with your digital transformation roadmap. This is also a great time to consider outside perspectives with industry specialists in cybersecurity who can help you think through possibilities and scenarios you might not otherwise consider. Essentially, this is a process of looking at what your goals are, understanding the technology you want to roll out (and why), and documenting the way this technology should be configured and managed – both at the outset and on a day-to-day basis. This may include software configurations, log-in procedures, password rules and rotation, secure remote access, and even how you manage physical access to your control room. These policies should be aligned with your risk, resiliency, and emergency response plans. You may remember these efforts from the AWIA questionnaire you were required to fill out under the EPA’s guidance. If you answered “no” to whether or not you had policies and procedures in place that you can turn to in an emergency (like a cyber attack), you will definitely want to address that gap sooner rather than later. This will benefit you right away by giving you confidence in new technology initiatives.
- Monitoring is Part of Every Healthy Network
Networks have operating systems, users, applications, connections, etc. – all potential avenues for attack. Because of this, networks need to be watched. An unwatched network is begging for trouble. Consider what would have happened if the Florida contamination attack had taken place when most cyber attacks do – in the middle of the night on a weekend. Security Information and Event Monitoring is a very accessible solution you can bake into your digital transformation that basically feeds data from your environment, such as firewall logs or account logins, to a Security Operations Center (SOC). Using smart platforms that are designed to identify unusual activity, your SOC will monitor and investigate alerts for you around the clock. That way, when a serious attack happens, someone is at the ready and can do something about it.
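To make the monitoring idea concrete, here is an added example (not code from the original article or any vendor) of two simple detection rules run over a few constructed log lines: remote logins outside staffed hours, and chemical setpoint changes outside an allowed range. The log format, user names, addresses, staffed hours, and sodium hydroxide bounds are all assumptions made for illustration; only the 100 to 11,100 ppm change comes from the incident described above.

```python
from datetime import datetime

# Assumed policy values (hypothetical, not taken from any real facility).
STAFFED_HOURS = range(7, 19)   # 07:00-18:59 local time, Monday-Friday
NAOH_BOUNDS_PPM = (50, 200)    # assumed allowed sodium hydroxide range
MAX_STEP_RATIO = 2.0           # flag in-range changes larger than 2x

# Constructed sample events in a made-up "timestamp|type|user|detail" format.
# Times, users and source addresses are illustrative only.
SAMPLE_LOG = """\
2021-02-05T08:02:11|remote_login|operator1|src=203.0.113.7
2021-02-05T13:30:45|remote_login|operator1|src=203.0.113.7
2021-02-05T13:33:02|setpoint|operator1|tag=NaOH_ppm old=100 new=11100
2021-02-06T02:14:09|remote_login|operator2|src=198.51.100.23
2021-02-08T09:15:00|setpoint|operator2|tag=NaOH_ppm old=100 new=110
"""

def parse(line):
    """Split one log line into (timestamp, type, user, key/value fields)."""
    ts, kind, user, detail = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return datetime.fromisoformat(ts), kind, user, fields

def off_hours(ts):
    """True on weekends or outside the assumed staffed hours."""
    return ts.weekday() >= 5 or ts.hour not in STAFFED_HOURS

def detect(log_text):
    """Return a list of (timestamp, rule_name, user) alerts."""
    alerts = []
    for line in log_text.strip().splitlines():
        ts, kind, user, f = parse(line)
        if kind == "remote_login" and off_hours(ts):
            alerts.append((ts.isoformat(), "OFF_HOURS_REMOTE_LOGIN", user))
        elif kind == "setpoint" and f.get("tag") == "NaOH_ppm":
            old, new = float(f["old"]), float(f["new"])
            lo, hi = NAOH_BOUNDS_PPM
            if not lo <= new <= hi:
                alerts.append((ts.isoformat(), "SETPOINT_OUT_OF_BOUNDS", user))
            elif old > 0 and new > 0 and max(new / old, old / new) > MAX_STEP_RATIO:
                alerts.append((ts.isoformat(), "SETPOINT_LARGE_STEP", user))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Note that the workday login in the sample does not trip the off-hours rule; it is the setpoint rule that catches the dangerous change, which is why monitoring should cover process values as well as logins.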
True Digital Security works with a number of core infrastructure providers in the energy sector. We specialize in policy development and security operations. TRUE maintains our own U.S.-based 24x7x365 Security Operations Center located in Okmulgee, OK. TRUE is proud to be a trusted provider for pipelines, electrical co-ops, and water facilities. With a full staff of IT professionals on-hand, we would be happy to help you roll out your digital transformation securely.
If you would like to talk about decisions your organization is facing with technology, you can request a consultation with us any time. We are here to help!