The complex technology, systems, applications, processes, and staffing that go into ensuring the public has a steady and safe supply of drinking water are not only threatened, but under attack. The vast number of cybersecurity threats to water utilities has been known, but more recently, attacks exposed these cyber vulnerabilities to the public. On Februan unknown person gained unauthorized remote access to a water treatment plant in Oldsmar, Florida, and increased the setpoint of sodium hydroxide fed into the drinking water system to a dangerous level. Although the breach was “immediately” noticed and the change in dosing was corrected before any meaningful impact to the drinking water occurred, this event highlighted several vulnerabilities many public water systems face in addressing cybersecurity threats.

The breach at Oldsmar occurred twice (5 hours apart), and it was only luck that an operator witnessed signs of the breach as the screen cursor moved and the setpoint was changed on the screen they were viewing at the time. It is reported that TeamViewer (a remote desktop application) was installed on the computers that the plant uses to review the status of controls and was used by operators to monitor the plant controls remotely. Based on the reported state of the cybersecurity controls at the Oldsmar system, such a breach could have occurred at any time in the past.

The Oldsmar attack was enabled by three key vulnerabilities that, if addressed, would have gone a long way in preventing the attack from occurring:

A common, simple, and unchanged password was used for all TeamViewer applications within the organization. The software was no longer used but left running on all systems.
The Oldsmar plant implemented a flat network with no firewall protecting computers from remote access.
The plant was also using an operating system that was beyond End of Life (EOL) and no longer supported with security patches from Microsoft.

Water Utility Cybersecurity Threats and Vulnerabilities

Many public water utilities, like Oldsmar, are in a similar situation. COVID-19 accelerated the necessity for remote unmanned facilities. Limited funding forced many utilities to provide remote access for operations inside a network that has adopted very few cybersecurity controls. Utilities are threatened by cyber criminals of all kinds: script kiddies (unskilled cybercriminals with access to powerful programs), social engineers (cybercriminals intent on tricking the organization into installing a remote access program or enabling another breach), insiders (disgruntled employees or ex-employees with knowledge and access), and even state-sponsored terrorists looking to instill a sense of danger and panic. Many water utilities are unprepared and extremely vulnerable to these threats given the state of their network and cybersecurity program. These cybersecurity threats are now aimed at the soft target of public water utilities.

Government and industry studies have highlighted the many vulnerabilities that exist within the Operational Technology (OT) and Information Technology (IT) systems at public water utilities. These include network issues (flat networks with limited border protections); staff issues (no cybersecurity staff, unaware users, and over-privileged accounts); system issues (unpatched systems, unauthorized software, unprotected remote access, and weak passwords); and oversight issues (no audit logs and no monitoring).

Top 14 Cybersecurity Recommendations for Water Utilities

The need for remote access for operations and remote control is not going away, but there are measures that can significantly decrease risk. Public water utilities may have limited funding and resources available to address all cybersecurity vulnerabilities. However, with an increased focus on cybersecurity hygiene and high-profile hacks, like the one at Oldsmar, these organizations can take big steps to effectively address these gaping holes. No list of cybersecurity recommendations will address all possible threats to an organization’s systems. However, a list is a great starting point for any organization looking to reduce their risk of cybersecurity incidents and accompanying losses. The following recommendations are aimed at providing the most efficient and effective improvements given the resource restrictions facing many utilities:

Basic Network and System Recommendations:

Install firewalls at all network entry points. Enable logging and implement the concept of “default deny all”.
Implement network segmentation (separate and isolate sensitive network resources through firewalls or software-defined networks).
Patch all systems, applications, and browsers. Enable automatic security updates.
Establish unique accounts for each individual: no shared or group accounts or passwords allowed.
Implement strong authentication/password hygiene: require strong and unique passwords and two-factor authentication.