Problem statement: improving cybersecurity in water and wastewater treatment plants
Solution: use a multi-phased approach targeting vulnerabilities and use of cybersecurity best practices to deter, detect and contain cyberattacks
The average water plant doesn't have a cybersecurity expert on its payroll, and that is just one part of the problem. Another part is the emergence of sophisticated hacker groups that are working to target such facilities. The last part is the many vulnerabilities in the IoT and OT systems that remain unaddressed for various reasons.
Fact: in October 2021, cyberattacks on water and wastewater treatment plants rose 7 percent across the globe. Source: Sectrio Threat Research Team
Impact of a cyberattack on a water and wastewater treatment plant
Through a breach, a hacker could gain control of key parts of the plant, including the pumping system, valve control, and even the control room. All these components are either driven by OT systems such as SCADA and PLCs or have some degree of automation that enables remote management. Once in control, the hacker can raise or lower the dose of the chemicals added to the water being treated, rendering the water unfit for human consumption or, in the case of wastewater, unsuitable for release into the environment.
While the problem is being tackled by operators, regulatory interventions can help nudge operators to move faster. In the US, America's Water Infrastructure Act of 2018, or AWIA, is a step in that direction. AWIA's stated objectives include improving drinking water and water quality, deepening infrastructure investments, enhancing public health and quality of life, increasing jobs, and bolstering the economy.
Implications of AWIA
The Act, which was signed into law in October 2018, requires community water systems that serve a population of over 3,300 persons to conduct a risk and resilience assessment of all systems. This includes assessing the security posture of any electronic, computer, or other automated systems that the community water system uses.
Although this Act has been in existence for nearly 3 years now, there have been several major cyberattacks against water treatment facilities in the US. These attacks have occurred due to a lack of diligence and a lack of understanding of the threat environment and the risk factors that affect the functioning of such facilities.
How water treatment plants can improve IoT, OT, and IT cybersecurity
Water distribution and water treatment operators have to pay closer attention to the types of attacks occurring around them. They also need to understand the modes of attack and the mechanisms that can be used to detect, contain and remediate such attacks.
As critical infrastructure, all elements of plant operation and management have to be accorded the highest level of priority. Operators need to pay attention to the following:
- Detecting and remediating vulnerabilities
- Obtaining the right threat intelligence to detect threat vectors
- Preventing rapid and unchecked expansion of the threat surface
- Adding no untested or unchecked device or component to the plant infrastructure; each device should be tested for vulnerabilities before connection
- Segmenting and micro-segmenting networks to gain more control over activity on them
- Preparing a roadmap for plant cybersecurity covering IoT, IT, and OT assets
- Embracing frameworks such as Zero Trust and IEC 62443 to ensure sound cybersecurity practices are integrated at all levels of operations
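Two of the items above, admitting only tested and approved devices and keeping zone-crossing traffic inside controlled conduits, can be checked mechanically against an asset inventory and observed flows. The following is an added example written for this page, not code from the original article or from Sectrio; the zones, subnets, device names, permitted conduits and flow records are all constructed sample data, and the zone/conduit model follows the IEC 62443 notion of zones joined by explicitly permitted conduits.

```python
"""Added example (not from the original article): audit a constructed asset
inventory and a constructed set of observed network flows against two of the
practices listed above.

1. Every device seen on the plant network must be in the inventory of devices
   that were tested and approved before connection; anything else is flagged.
2. Traffic may cross a zone boundary only through an explicitly permitted
   conduit (the IEC 62443 zone/conduit idea); any other cross-zone flow is flagged.

All addresses, zones, device names and flows here are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str   # source IP address as a string
    dst: str   # destination IP address as a string
    port: int  # destination TCP port


# Constructed zone map: which subnet belongs to which security zone.
ZONES = {
    "IT": ip_network("10.1.0.0/16"),
    "DMZ": ip_network("10.2.0.0/24"),
    "OT": ip_network("10.3.0.0/16"),
}

# Constructed permitted conduits as (source zone, destination zone, port).
# IT may reach the DMZ historian over HTTPS; the DMZ may poll OT over Modbus/TCP.
PERMITTED_CONDUITS = {
    ("IT", "DMZ", 443),
    ("DMZ", "OT", 502),
}

# Constructed inventory of devices tested and approved before connection, keyed by IP.
APPROVED_DEVICES = {
    "10.3.1.10": "PLC-pump-station-1",
    "10.3.1.11": "PLC-chemical-dosing",
    "10.2.0.5": "historian",
    "10.1.5.20": "engineering-workstation",
}


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or "UNKNOWN" if it is in no known subnet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"


def unapproved_devices(seen_addrs, approved=APPROVED_DEVICES):
    """Return addresses seen on the network that are not in the approved inventory."""
    return sorted(a for a in set(seen_addrs) if a not in approved)


def conduit_violations(flows, conduits=PERMITTED_CONDUITS):
    """Return flows that cross a zone boundary outside a permitted conduit.

    Flows that stay inside one known zone are not checked here; flows involving
    an address in no known zone are always reported.
    """
    bad = []
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        if s == d and s != "UNKNOWN":
            continue
        if (s, d, f.port) not in conduits:
            bad.append(f)
    return bad


def audit(flows):
    """Run both checks over a list of flows and return the findings."""
    seen = [a for f in flows for a in (f.src, f.dst)]
    return {
        "unapproved_devices": unapproved_devices(seen),
        "conduit_violations": conduit_violations(flows),
    }


# Constructed sample flows: two legitimate, one conduit violation, one unapproved device.
SAMPLE_FLOWS = [
    Flow("10.1.5.20", "10.2.0.5", 443),   # workstation -> historian: permitted conduit
    Flow("10.2.0.5", "10.3.1.10", 502),   # historian polls PLC: permitted conduit
    Flow("10.1.5.20", "10.3.1.11", 502),  # IT host speaking Modbus directly to a PLC: violation
    Flow("10.3.1.99", "10.3.1.10", 502),  # device not in the approved inventory on the OT segment
]

if __name__ == "__main__":
    report = audit(SAMPLE_FLOWS)
    for addr in report["unapproved_devices"]:
        print(f"unapproved device: {addr} (zone {zone_of(addr)})")
    for f in report["conduit_violations"]:
        print(f"conduit violation: {f.src} ({zone_of(f.src)}) -> "
              f"{f.dst} ({zone_of(f.dst)}) port {f.port}")
```

In practice the flow list would come from firewall or flow-collector exports and the approved inventory from the plant's asset register; the point of the check is that a new device or a new IT-to-OT path shows up as a finding the moment it appears, rather than being discovered during an incident.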
Such measures will help strengthen the implementation of America's Water Infrastructure Act and go some way toward securing the plant against sophisticated actors and malware. Continued diligence will, however, be needed to ensure that plant machinery and operations are kept safe and secure.
- Plant security has to be addressed at multiple levels
- Unless there is a clear understanding and appreciation of the threat environment that surrounds public utility infrastructure and of the need to protect it, such assets cannot be secured
- Networks and infrastructure have to be secured through best practices
- A roadmap for security is essential and will serve as a guide for scaling cybersecurity practices
- Frameworks will act as force multipliers
- Plant employees have to be made aware of the threats and trained accordingly