As the threat of cyber attacks on public infrastructure rises, with coordinated and sometimes state-backed actors behind them, public utilities are being forced to seek new risk management frameworks. But there are challenges in doing so.
Matthew Scholl is the deputy division chief of the Computer Security Division at the National Institute of Standards and Technology (NIST), a U.S. organization that promotes innovation and industrial competitiveness by advancing measurement science, standards, and technology. At a recent virtual conference, Scholl said, “Cyber security as a risk, generally, is not discussed with those other risks like water quality, customer delivery, supplier, financial. Those are all risk discussed at that business level. You should have cybersecurity in that discussion, at that level.”
The conference came just days after a ransomware attack on the City of Atlanta, Georgia, that didn’t target water utilities directly, but nonetheless stopped people from paying their water bills. The attack locked up the machinery of civil society for a large metropolitan area in North America.
Scholl said such problems stem, in part, from how individuals view their relationship to the digital world, seeing themselves as “small, rural, […] not immediately impactful.” This is a misapprehension. “You may think you’re not on threat radar, but there are threats that are specifically designed just for small, non-IT focused, but heavily IT-dependent organizations that are highly transactional.”
“Oftentimes, people don’t see themselves as targets,” said John Kassel, principal consultant, Black & Veatch, another virtual conference presenter. Unfortunately, unlike more conventional forms of risk, anyone with a digital device that connects to a utility network represents a potential risk vector. Even when water utilities accept that they may be the target of cybersecurity threats, they are often uncertain who needs to respond and what to do. In survey results released by the Canadian Water and Wastewater Association, Public Safety Canada, and Dalhousie University, water utility personnel agreed that cyber-attacks are becoming more common among utilities that have online systems, yet several noted that it was not their area of responsibility or expertise.
Assessing cyber risk
Experts such as Terry Ingoldsby, president of Calgary-based Amenaza, help critical infrastructure providers analyze their digital vulnerabilities and establish measures to help avoid cyber attacks. Unfortunately, many utilities, water and otherwise, face a common flaw: “The bad news is that the systems that were created to manage and control all of this physical infrastructure, the designs were built to a large extent in an era when cybersecurity was not a consideration,” said Ingoldsby. “These systems were designed with the main focus of security being that they were isolated. The theory was that nobody could get to them, because they are standalone.”
When many of today’s operational technology (OT) networks were installed, said Ingoldsby, the replacement cycle was 15 to 20 years. But the world of information technology (IT), which powers the utilities’ corporate networks and is the platform used to launch cyber attacks, has become exponentially more sophisticated in the period since OT systems were installed. As a consequence, “if you do manage to connect to the network, [they] are relatively easy to seize control of, in general terms,” said Ingoldsby.
Still, he doesn’t see the growth of cyber threats to infrastructure as apocalyptic. In fact, he’s somewhat optimistic: “It’s fairly tricky for an outsider, who has nothing but cyber visibility of the plant, to necessarily figure out what all of this stuff that they’re controlling does.”
That doesn’t mean that cyber threats can be ignored. The growth of networked devices through IoT and automation is increasing the connections between IT systems and their formerly isolated OT systems. “That increases our exposure; that is why we have a need to expand our risk management paradigm,” said Kevin Morely, Ph.D., manager of federal relations for American Water and Wastewater Association.
Employees on the frontlines
The increasingly interconnected nature of IT and OT means that users on both networks need to be better equipped to understand digital attack vectors and how to decrease utility-wide risk through their own activities. “You need to be able to understand what a credible threat is,” said Kassel. “There’s threat actors out there that may take advantage of you, regardless of where you think you are within the community or within the country.” A new risk management paradigm has to account for all of the individuals on a utility’s network, whether they access the OT network directly or not. Consequently, there is a greater burden on utilities and utility managers to provide cybersecurity skills to their staff.
Usefully, support institutions, such as associations and government, are providing more opportunities for up-skilling and implementing new risk management paradigms. “The Government of Canada in particular has done some excellent service to the community in that Public Safety holds periodic symposiums, workshops, in various parts of the country where they have speakers come in, talk about ways of improving security and doing things,” said Ingoldsby.
“In light of the interconnected nature of Canada’s critical infrastructure, partnerships are required among government and critical infrastructure stakeholders, including owners and operators, law enforcement, and the research and development community,” said representatives from Public Safety Canada in a recent statement to Water Canada. In addition to partnerships, Public Safety Canada emphasizes security measures, business continuity practices, and emergency management.
In the meantime, a quick tip to reduce cyber risk: don’t click strange links. Ransomware attacks succeed because “people like to click on stuff,” said Morely.