Water utilities ill-prepared to deal with cyber threats

Aug. 3, 2021
New report sheds light on the cybersecurity challenges facing those that manage the nation’s water supplies

Ransomware attacks have garnered much of the cybersecurity headlines this year given their impact on industry supply chains and critical infrastructure operations. But one of the most eye-opening incidents occurred in Oldsmar, Fla., in February of this year when a malicious actor attempted to raise the level of lye in the city’s water supply.

Had the perpetrator not been caught tampering with the system by a facility employee, this cyber-attack could have resulted in actual physical harm to residents and potentially even deaths. The simplicity of this cyber-attack – compromising a remote access software program installed on the employee’s computer – also illustrates the gravity of the situation facing water utilities as they oftentimes employ decades-old operational technology (OT) systems and attempt to create a patchwork security plan using various IT and IoT solutions they’ve been connected to over the years.

On Tuesday, cybersecurity firm ThreatLocker released a report that details some of the unique challenges that water companies face in trying to bolster their cybersecurity posture. Perhaps one of the biggest issues facing water utilities is how they are structured and funded. In fact, the Water Sector Coordinating Council’s “Cybersecurity 2021 State of the Industry” survey that was featured in the report found that:

  • 51.4% of respondents are with a department of a municipality or county.
  • 32.7% of respondents are with a special district or independent government entity.
  • 9.3% of respondents are with a private non-profit/cooperative.
  • 6.4% of respondents are with a privately-owned or investor-owned utility.

Additionally, the same survey found that the cybersecurity budgets for water utilities were alarmingly low. Specifically, as it relates to IT and OT cybersecurity budget allocation, the survey noted that:

  • 38% of systems allocate less than 1% of budget to IT cybersecurity.
  • 22.1% of systems allocate 1–5% of budget to IT cybersecurity.
  • 6.3% of systems allocate 6–10% of budget to IT cybersecurity.
  • 4.1% of systems allocate greater than 10% of budget to IT cybersecurity.
  • 44.8% of systems allocate less than 1% of budget to OT cybersecurity.
  • 20.95% of systems allocate 1–5% of budget to OT cybersecurity.
  • 4.9% of systems allocate 6–10% of budget to OT cybersecurity.
  • 1.7% of systems allocate greater than 10% of budget to OT cybersecurity.

According to ThreatLocker CEO Danny Jenkins, the lack of investment in cybersecurity at the municipality level is very concerning given the criticality of water resources. However, unlike many organizations that only have to concern themselves with securing their IT assets, water utilities must also think about the physical systems responsible for cleaning and delivering fresh drinking water.

“They have to operate this old equipment and water (infrastructure) that has been around for a long time. Twenty years ago, if we were booking a flight, we went to a desk, we checked in with a piece of paper – there was no OT – it was just IT and then OT got added later on and then IoT and when it got added we were building on more modern infrastructure,” Jenkins explains. “Before IT even existed water was pumping through pipes, so what’s very unique about water, in particular, is you’re dealing with very few systems that have been updated or integrated into modern systems. So, you’re potentially taking these old systems that have been around for 20, 30, 40, or 50 years, and finding ways to make them work with new systems.”

In the case of Oldsmar, rather than leveraging unpatched systems or vulnerable software, Jenkins said the attackers took advantage of poor IT management practices.

“TeamViewer was installed on a machine there and the object of TeamViewer is to allow remote access to a computer. It is not really intended to be used in an environment like that. Someone was able to get onto that system and just literally change a dial, and we’re not talking about super hackers here, anyone could have gotten onto the system just by typing in a 10-digit code and password in TeamViewer,” he says.

Although he would like to see water companies come to a greater realization about the need to protect their assets in the wake of this incident, Jenkins says the fact is most water utilities are run by municipalities, which tend not to be “forward-thinking” organizations.

“You’re dealing with people who have been in the same job for 20 years, doing the same thing for 20 years and unless they actually feel the pain, they don’t think about it. Where this becomes more relevant is when it goes up to the government legislation level and you start seeing states say, ‘we recognize this and now we need to force a change by enforcing policy around this,’” Jenkins adds. “Do I think that is going to happen? I’m a pessimist by nature because I work in security, so probably not. Do I think some people are going to get better as a result of it and there will be more awareness? I hope so.”

When it comes to the steps water companies can take to bolster their cyber defenses in the short term, Jenkins recommends implementing controls wherever possible. “If you take (Oldsmar), they were running TeamViewer and that’s not something you would want to have in your environment and you can’t always trust your users to not download things,” he says. “In cases like this, if we implement controls to block any untrusted software and make sure people are local administrators to put restrictions around users, you take away the risk of people doing things that are out of your control, because ultimately controls are what enforces good behavior.”

For many who work in water departments, Jenkins says they simply haven’t been exposed to some of the threats that are being brought to light today. However, that should not be an excuse to not change.

“People don’t want barriers, businesses don’t want barriers, cities don’t want barriers – people don’t want things that stop them from doing the things they want to do, and security is sometimes about putting the brakes on, slowing things down and putting obstacles in people’s way, not because anyone in security wants to make someone’s life difficult but because it is what’s important,” he says.

Perhaps the biggest obstacle that those responsible for securing water resources must overcome, according to Jenkins, is the sense of complacency that comes with doing something a certain way for so long. 

“If you live in one house and your house has never been broken into, you don’t think burglary is a problem. But if you are a cop and you get a call every single day saying this house has been broken into or this house has been broken into, you tend to be very, very aware – you go home, lock your door, put an alarm in and do all of these things because you see it all the time,” he says. “We’re at war, this isn’t playtime anymore.” 


 About the Author: 

Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist.