Cybersecurity for Energy and Utilities

“I believe the next Pearl Harbour, the next 9/11, will be cyber, and we’re facing a vulnerability in all our systems, but water is one of the most critical, and I think one of the most vulnerable.”

These words of Senator Angus King, Co-Chairman of the Cyberspace Solarium Commission, aptly sum up the inevitable cybersecurity threat facing our public works systems today. 

Cybersecurity for energy and utilities is an often overlooked priority. But several isolated incidents in the last few months have shone a much-needed spotlight on this issue. 

In August, a hacker breached the water supply system of Oldsmar, Florida and tried to poison the entire supply. In January, another hacker tried to poison a water treatment plant in the San Francisco Bay area, potentially endangering the lives of millions of people. In another incident in rural Kansas, a hacker attempted to gain unauthorized, malicious access to the public water system. 

Fortunately, none of these attacks were successful. But they do raise a red flag about cybersecurity for energy and utilities. 

How prepared are our defences for public works IT and security systems? 

In fact, a coalition of federal agencies also issued an official warning about the rising threat to the IT and OT systems of water supply and wastewater treatment plants. The threats outlined in their advisory included spear-phishing, ransomware, outdated operating systems and software, insecure remote work protocols and vulnerable firmware versions. 
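The advisory's threat categories (unsupported operating systems, out-of-date firmware, insecure remote access) are the kind of findings an asset inventory can surface mechanically once the inventory exists. The following Python script is an added example written for this post, not code from the advisory, WaterISAC or Packetlabs: it runs a constructed, hypothetical inventory of three plant assets through a small set of checks and reports which assets fall into which category. Field names, version numbers and dates are all made up for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class Asset:
    """One entry of a (constructed) OT/IT asset inventory."""
    name: str
    zone: str                   # network zone, e.g. "control" or "business"
    os_name: str
    os_end_of_support: date     # vendor end-of-support date for the OS
    firmware: Tuple[int, ...]   # installed firmware version, e.g. (2, 1, 4)
    firmware_minimum: Tuple[int, ...]  # lowest version with known defects fixed
    remote_access: bool         # reachable through a remote-access tool
    remote_access_mfa: bool     # that remote access requires MFA


# Constructed sample inventory; these are hypothetical assets, not a real plant.
SAMPLE_INVENTORY: List[Asset] = [
    Asset("HMI-01", "control", "Windows 7", date(2020, 1, 14),
          (2, 1, 4), (2, 1, 4), remote_access=True, remote_access_mfa=False),
    Asset("PLC-DOSING-01", "control", "Vendor RTOS", date(2026, 12, 31),
          (1, 3, 0), (1, 4, 2), remote_access=False, remote_access_mfa=False),
    Asset("HIST-01", "business", "Windows Server 2019", date(2029, 1, 9),
          (3, 0, 0), (3, 0, 0), remote_access=True, remote_access_mfa=True),
]


def assess_inventory(assets: List[Asset], today: date) -> List[Tuple[str, str]]:
    """Return (asset name, issue) pairs for every check an asset fails.

    The checks mirror the advisory's threat categories: unsupported OS,
    vulnerable firmware, and insecure remote access into the control zone.
    """
    findings: List[Tuple[str, str]] = []
    for a in assets:
        if a.os_end_of_support < today:
            findings.append((a.name, "unsupported operating system"))
        # Tuples compare element by element, so (1, 3, 0) < (1, 4, 2).
        if a.firmware < a.firmware_minimum:
            findings.append((a.name, "firmware below minimum version"))
        if a.remote_access and not a.remote_access_mfa:
            findings.append((a.name, "remote access without MFA"))
        if a.zone == "control" and a.remote_access:
            findings.append((a.name, "control-zone asset exposed to remote access"))
    return findings


def risk_summary(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per asset so the worst assets can be remediated first."""
    summary: Dict[str, int] = {}
    for name, _ in findings:
        summary[name] = summary.get(name, 0) + 1
    return dict(sorted(summary.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    results = assess_inventory(SAMPLE_INVENTORY, date(2021, 10, 1))
    for name, issue in results:
        print(f"{name}: {issue}")
    print("priority order:", risk_summary(results))
```

Run against the sample data, the HMI on an unsupported OS with unauthenticated remote access collects three findings and sorts to the top; the historian in the business zone passes every check. The point is that each advisory threat becomes a column in the inventory and a one-line test, which is what makes the inventory the "first step" the next section describes.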

What are the best practices for cybersecurity for energy and utilities? 

Water and wastewater treatment utilities are critical infrastructure for every community's survival. Yet these systems are vulnerable and easily exploited by opportunistic attackers. 

In response to the rising number of threats, WaterISAC, the Water Information Sharing and Analysis Center, released an updated list of 15 best practices to address cybersecurity gaps. 

  • Perform asset inventories

Taking stock of your assets is the first step towards enhancing protection. The key is to list every system, software package and hardware component, and to understand which of them are vulnerable. 

  • Assess risks

The possible risks need to be assessed and mitigation plans developed. Penetration testing can help in identifying the biggest threats and arriving at mitigation steps. Conducting penetration tests on a regular cadence will continuously support risk management. 

  • Minimize control system exposure 

Protecting the core control system environment from unwarranted external access is vital. Restrict network access, segment traffic and encrypt communication.

  • Enforce user access controls

Rigorously apply role-based access and the principle of least privilege. 

  • Safeguard from unauthorized physical access

These safeguards are non-technical physical security measures that restrict physical access to the equipment. 

  • Install independent cyber and physical safety systems

Keep physical safety systems independent of the networked control systems, so that a cyber attack cannot also disable the safeguards that limit its physical effects. 

  • Conduct vulnerability management 

Assess the threats and gaps in cybersecurity before hackers can exploit them. Closing the gaps as soon as possible minimizes the chances of a cyber attack. 

  • Create a cybersecurity culture

Build an awareness program that outlines the importance of cybersecurity for every employee, regardless of rank in the organization. 

  • Develop and enforce cybersecurity governance

Build and deploy actionable policies and procedures concerning cybersecurity expectations. 

  • Implement threat detection and monitoring 

Continuously monitor for and detect active threats in the WWS (water and wastewater systems) environment. Consider purple teaming or a cyber maturity assessment to support your threat detection initiatives.

  • Plan for emergencies 

Emergency response plans are key to maintaining business continuity to avoid heavy losses in case a breach occurs. 

  • Tackle insider threats

While not all insider threats are malicious, it’s still important to identify the most vulnerable employees and give them the right training. 

  • Secure the supply chain

The entire supply chain needs to be assessed and secured against attacks. This is also the most common vector of attack. 

  • Address all smart devices

IoT and connected devices have created a digital footprint that did not exist before. While this particular threat might not seem imminent, it's best to establish security protocols for it immediately. 

  • Participate in information sharing and collaboration communities 

All the utilities and plants, even if acting individually, must share relevant information with other vulnerable utilities. Communities such as WaterISAC and InfraGard can help in information sharing. 
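Two of the practices above, independent safety limits and threat detection, come together in the one control that would have mattered in the poisoning attempts described earlier: noticing a dosing setpoint change that leaves the safe band, especially when it arrives over a remote session. The Python below is an added example written for this post, not code from WaterISAC or Packetlabs. It parses a constructed HMI audit log (the log format, tag names, session identifiers and safety bands are all invented for the illustration) and raises an alert for any setpoint written outside its engineering limits and for any setpoint written from a remote session.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed audit-log format: one setpoint change per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
    r"tag=(?P<tag>\S+) old=(?P<old>[0-9.]+) new=(?P<new>[0-9.]+)$"
)

# Hypothetical engineering limits per tag: (low, high). In a real plant these
# come from the process engineers, and the independent safety system enforces
# them regardless of what the HMI accepts.
SAFE_BANDS: Dict[str, Tuple[float, float]] = {
    "NaOH_setpoint_ppm": (50.0, 200.0),
    "pH_setpoint": (6.5, 8.5),
    "chlorine_setpoint_mgL": (0.5, 4.0),
}

# Constructed sample log lines. Line 2 is the kind of change that turns a
# normal dosing level into a dangerous one.
SAMPLE_LOG = """\
2021-02-05T13:00:02Z session=console-3 user=operator1 tag=NaOH_setpoint_ppm old=100 new=105
2021-02-05T13:02:11Z session=remote-17 user=operator2 tag=NaOH_setpoint_ppm old=105 new=11100
2021-02-05T13:05:40Z session=console-3 user=operator1 tag=pH_setpoint old=7.2 new=7.4
2021-02-05T13:09:55Z session=remote-17 user=operator2 tag=chlorine_setpoint_mgL old=2.0 new=2.1
"""


class Alert(NamedTuple):
    ts: str
    tag: str
    session: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one audit line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["old"] = float(d["old"])
    d["new"] = float(d["new"])
    return d


def detect(log_text: str, bands: Dict[str, Tuple[float, float]]) -> List[Alert]:
    """Return alerts for out-of-band setpoints and for remote-session writes."""
    alerts: List[Alert] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line; a production monitor would count these too
        low, high = bands.get(rec["tag"], (float("-inf"), float("inf")))
        if not (low <= rec["new"] <= high):
            alerts.append(Alert(rec["ts"], rec["tag"], rec["session"],
                                f"setpoint {rec['new']} outside safe band [{low}, {high}]"))
        # Any write from a remote session is worth a look, even if in band.
        if rec["session"].startswith("remote-"):
            alerts.append(Alert(rec["ts"], rec["tag"], rec["session"],
                                "setpoint changed from a remote session"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, SAFE_BANDS):
        print(f"{a.ts} {a.tag} ({a.session}): {a.reason}")
```

On the sample log this yields three alerts: the 11100 ppm write trips both rules, and the in-band chlorine change trips only the remote-session rule. The safe band is deliberately kept in a table the monitor reads rather than something the HMI operator can edit, which is the same separation the "independent cyber and physical safety systems" practice asks for.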

Cybersecurity for energy and utilities is an important issue that needs to be addressed right away. Lapses in this arena will not only cause monetary losses but also harm millions. This statement alone underlines the gravity of the threat. Following the listed best practices is just the beginning of a long-overdue overhaul of cybersecurity systems in the public works department. If you're looking to talk further about preventative measures that can be taken to strengthen your cybersecurity posture, contact us at Packetlabs.