By Gregory Hale
Ensuring a secure water environment remains a key topic for industrial cybersecurity professionals and governmental leaders across the board, but everyone needs to read between the lines to understand what appears to be going on.

Deciphering the potential for attack comes after the White House sent a letter to governors across the United States last week saying water and wastewater systems are continuing to face cyberattacks.

One of those threats is coming from a People’s Republic of China (PRC) state-sponsored cyber group known as Volt Typhoon, which has compromised information technology of multiple critical infrastructure systems, including drinking water, in the United States and its territories.

“The feds have been involved in the water sector for a long time,” said Marty Edwards, deputy CTO for OT/IoT at Tenable and previously the director of the DHS’ Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). “However, when the federal government comes out with a warning or information about a specific threat actor and they start attributing those activities to a country, such as has been done with the Volt Typhoon activity, you should sit up and pay attention. The federal government does not do that lightly, so they must have some significant evidence they are trying to warn people about, and when I take that at one end of the spectrum and I look at still having PLCs directly connected to the Internet with default user names and passwords, that means we have a lot of work to do.”

‘Critical Lifeline’
In the letter to governors, Michael S. Regan, administrator at the Environmental Protection Agency, and Jake Sullivan, assistant to the President for national security affairs, said, “these attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities. We are writing to describe the nature of these threats and request your partnership on important actions to secure water systems against the increasing risks from and consequences of these attacks.”

“I think they are taking the steps they are deeming necessary to notify the stakeholders; in this case it is the water sector,” Edwards said. “We are seeing an uptick in that sector, some attributed to nation states, so I think people should heed their warning.”

While federal, state and local governments will not end up fixing the water sector’s issues, the letter is a start toward making sure water utilities begin some kind of cybersecurity program and keep it moving forward.

“You can toss the numbers around, but a significant portion of the water and wastewater companies are privately owned, so we have private companies operating stuff, we have state and local governments operating stuff, so the feds can’t just wave a magic wand and fix all this stuff overnight,” Edwards said. “On top of that, you have other aspects of industry and industry associations posturing for less regulation and saying we want to build a NERC CIP-like entity that industry is leading the activities in. Quite frankly, we don’t have the time. Had we done this 10 years ago, we would be in better shape. It is going to take some time. The government has to come out with some baseline level of requirements saying you must have this minimum cybersecurity protection in place to operate critical infrastructure. We must. We have got to get there.”

All About Economics
As has been said about the water sector in the past, it all boils down to economics. These are significantly underfunded entities where in a small rural area people pay water bills to the city or town and when the utility comes back and says we have to raise our rates to add new equipment, people just don’t want to pay.

“Cybersecurity is not an easy fix,” Edwards said. “They have to figure out how to invest in it from a capital investment perspective. They have to figure out how to maintain that investment over the long term. There are human capital implications where they are going to have to hire people to take care of it. It is going to cost money and the average person does not want to pay more for their water. We are kind of in this Catch 22 where everyone is complaining about costs going up and at the same time we are levying more stringent requirements on them to get better. It is not an easy discussion. From a senior executive or board of director level, we have to have that conversation. This is a clear and present risk to the United States and to the water we consume, and we must address it.”

There have been arguments made where yes, there have been attacks on the water sector in the U.S., but there has been no real disruption of drinkable water to customers. So, does that mean there is overhype of the security concern?

“It is almost through luck we have not had a significant disruption,” Edwards said. “Granted there are some built in resiliencies, there is some storage capacity in the water systems that we don’t have in the electric sector. It is more challenging to store electricity. I would never say the reason we haven’t seen those impacts is because we successfully mitigated the cybersecurity risk. I just don’t think that is true.”

While economics is the main factor behind the dearth of water security, the fact remains creating a security program to remain as resilient as possible is key.

‘Cyber Maintenance’
“It comes to what I call cyber maintenance,” Edwards said. “You buy a large rotating piece of machinery for say $1 million. The company after that capital expenditure doesn’t think twice about hiring the machinist or the lubrication specialist or engineer; they don’t think twice about having the right people on contract to maintain that expensive asset. I don’t understand why we don’t treat cyber assets the same way. We pump millions of dollars into automation systems, industrial control systems, and SCADA environments to remotely monitor and control these places, but it seems like for whatever reason we believe as soon as we spent the money, we can walk away from it because computers never break, or you never have to do any sort of preventative maintenance in those environments. It is just not true. Cybersecurity is a preventative maintenance activity you need to do to keep the networks and the systems healthy. If you neglect it, it will eventually break. Why don’t we proactively invest in predictive maintenance programs? We can do the same thing in the networking and computing world. We can put the right sensors and instrumentation on those networks to give us an understanding of when they are not operating at their peak and schedule that maintenance before it bites us. I think cybersecurity needs to be treated like that. If we don’t start thinking like that, we will be operating in the run-to-failure maintenance technique. If that is the case, we will have to educate the American people that some day when they turn on the water tap and nothing comes out it is because something broke and you have to fix it.”

When it comes to attacks on water utilities, one fear is adding some type of chemical into the water supply. But Edwards does not fret over that as much as worry about ransomware or malware types of attacks.

“Most of the facilities I have seen there had varying degrees of redundancy in levels of dosing,” Edwards said. “They have a separate instrumentation system that is the final check, or they have lab technicians taking lab samples. As an attacker you have to be very thorough to make sure you compromised all those different aspects in the attack chain. I am more concerned about criminal ransomware or commodity malware getting into these environments and shutting them down. And quite frankly right now that is pretty low hanging fruit. We should be able to alleviate any concerns in that area by using good sound cybersecurity fundamentals.”

Wake Up and Smell the Water
U.S. citizens have to wake up from a level of complacency to understand water is a vital component to everyday life.

At the same time, water and wastewater organizations, whether they are public or privately held, need to step up and create a baseline security program and keep improving it as they move along.

“I think it is one of those areas where unless there is a disruption or it is really gone, people don’t connect the dots,” Edwards said. “We are really lucky in this country where you walk into a room and you flip a switch and the lights come on and you walk into the kitchen and you turn the faucet on and clean, pure drinkable water comes out. There is a feeling it is always going to be there; it has always worked. There is an aspect where somebody else will take care of it. Well, that somebody is us. We have to invest accordingly in these environments and systems.”

