The cyber threat landscape has changed dramatically in recent years. Cyber threats are more prevalent, destructive, and financially devastating than ever before. State sponsored and financially motivated cyber criminals have recently targeted automation systems including those that serve water, electric, and gas utilities. Securing these systems and their digital assets has become critical to ensure reliability and continued operations.
Anne Neuberger, Deputy National Security Adviser for Cyber and Emerging Technology, announced the U.S. Environmental Protection Agency (USEPA) is expected to issue a new cybersecurity rule soon. The rule is expected to integrate cybersecurity requirements into existing Sanitary Surveys that primacy agencies are required to conduct at water facilities. However, a timeframe for compliance has not been released.
Common cyber threats that may affect control systems include:
- Rogue Control: Unauthorized party takes control of system to perform malicious actions such as adjusting chemical feeds through a Supervisory Control and Data Acquisition (SCADA) system.
- Cyber Warfare: Another nation or terrorist hacks a system to cripple essential infrastructure.
- Disgruntled Employees: A past employee gains access via Virtual Private Network (VPN) privileges that are not terminated at the same time employment ends, or an employee may create a backdoor to access the system without knowledge of the utility.
- Spyware / Data Breach: Sensitive data or customer information is exported from the system, such as credit card numbers or social security numbers.
- Ransomware: Most common cyber-attacks encrypt or lock computer systems, rendering them useless. Entire computer system needs to be rebuilt to prevent the same type of attack from happening again.
Jason Schuler, AE2S Senior Information Technology (IT) Technician / Cybersecurity Specialist, says the best way to keep your systems safe from cyber threats is to prevent them from happening in the first place. The most common ways malevolent actors gain access is through the following tactics. Utilize the associated tips to prevent them from succeeding.
- Email Phishing: A cyber attacker sends an email that attempts to trigger a staff member to provide sensitive data such as a username and password. The emails will often seem urgent and may appear to be sent from a trusted fellow employee. Staff should be trained to carefully review email addresses, not just the sender’s name, before entering information. If there is any doubt, instruct them to contact IT before providing information.
- Phishing Via Phone: Phishing scammers may also call staff claiming to be a member of the IT team. The scammer may say they need a staff member’s password to perform updates on their computer. Or they may ask for information such as an internet protocol (IP) address. Employees should be trained to hang up and contact a member of IT directly to confirm it is a legitimate request.
- Brute Force: The cyber attacker guesses passwords until one works. After a data breach, lists of usernames and passwords can be found on the dark web. Scammers can run down a list of these, trying the usernames and passwords until they find one that works. Encourage your staff to use different secure passwords for all their online accounts. Secure passwords consisting of at least 15 characters utilizing a mix of numbers, special characters, as well as upper and lowercase letters will be more difficult for a scammer to guess. Furthermore, varying a person’s passwords across accounts makes it less likely a data breach will expose their work account.
- Open Ports: Cyber attackers scan IP addresses on the internet for open ports. An open port can be found in programs that require open access to the internet. Examples include SCADA, Human Machine Interface (HMI), Wonderware InTouch Access Anywhere, Ignition, alarm software, security systems, and even VPN services. Great care must be taken when configuring these programs to ensure it is done correctly and does not leave your system vulnerable to attackers.
- Person-in-the-Middle: An attacker sits between two networks or two devices, observing the data transmission to access usernames, passwords, and other sensitive information. It is important to ensure all sensitive data is encrypted before it is transmitted via the internet.
The impacts from a cyberattack could be devastating. Mike Chorne, AE2S I&C Senior Specialist, says during an attack a Programmable Logic Controller (PLC) program that operates a utility could be deleted or destroyed, which would stop automated processes and disable alarms from alerting staff. This type of attack would completely interrupt operations and take the system offline. Another possibility is the data could be modified so facility operators believe infrastructure is operating appropriately when it is not – from an empty water tower to a lift station releasing raw sewage. “A lift station spill or water main break and/or contamination can cause environmental harm, be costly to repair, and erode the trust of your customers. The impacts of a cyberattack can be multifaceted,” says Chorne.
To reduce the chance of a cyberattack impacting your controls systems, Chorne and Schuler recommend the following:
- Check for weak passwords and update them with a minimum of 15-character passwords that include a mix of numbers and special characters, as well as upper and lowercase letters.
- Add multi-factor authentication to VPN access. This involves entering a username and password, plus a secure code that can only be obtained by a device physically linked to the end user.
- Remove former employee access or temporary user access immediately when access is no longer needed.
- Solicit the advice of qualified IT personnel to expand upon the tools and resources available to make your system more secure.
- Provide a user or device only the level of access that is needed to complete assigned tasks. For instance, a PLC does not need direct access to the internet, and a worker who is accessing SCADA does not need direct access to the PLC or to the internet.
- Network segregation – Separate control networks from enterprise networks. Workstations and servers requiring email and internet access should be completely separated (either physically or virtually) from the workstations and servers that make up the control network.
- Apply software patches as quickly as possible. Install patches in a test environment to confirm compatibility with control software prior to deploying to the production environment.
Schuler and Chorne also suggest developing a plan, such as the Risk and Resilience Assessment and Emergency Response Plan required under America’s Water Infrastructure Act, and continuing to update the documentation as better strategies and procedures become available. In addition, having up to date backups can make the difference between restoring a compromised system in hours as opposed to days or weeks.