Picture sitting at a café, answering work e-mails on your laptop. Typically, cafés run unsecured networks so that customers can freely access the internet. This is convenient, but any sensitive or targeted documentation on a device connected to such a network is vulnerable, because devices that are not protected by the higher-level network security standards of more private networks can be easily accessed. While working, you receive an e-mail from an individual requesting basic information. You hesitate because you have not met them in person, but you assume they are in your company and, since basic information is freely shared within the firm, you draft and send a response.

This seemingly innocuous action of answering an e-mail was an actual use case that occurred in 2016 and cost a private firm the research and development on the F-35 fighter jet. One of the military officers was sent a “phishing” e-mail and responded to it in a café. Once the infected computer connected to the company’s network, the attacker had access to that network and could install malware and take information at will. Additionally, multiple servers were set up across the United States and East Asia to mask attacker IP addresses, making it hard to locate the person or organization behind the data loss until China released a jet with the same schematic months later.

Due to an increase in real-life scenarios like this one, cybersecurity has been on the minds of federal governments, the financial sector, and other organizations with a growing concern about managing access points. Increasingly, these security concerns are expanding to national infrastructure, such as water utilities. As utilities move data onto networks, there is a need to protect this often-sensitive information and the controls on vital services. A recent PwC study estimated a price tag in excess of £50 million on the information the average utility holds. For water utilities, the largest vulnerability is generally considered to be the Supervisory Control and Data Acquisition (SCADA) systems, because they are often not placed on isolated networks. That said, most attacks on utility systems are attributed to human error, as high as 90% by some measures.

Usually, human error means an employee granting bad actors access to their system and data through simple mistakes, such as clicking on a malicious e-mail and accidentally downloading malware, inserting an infected USB drive, or using a personal device at work that does not have the proper data access or control measures in place. A compromised network can be held hostage for a ransom, a recent worst-case scenario that has also been on the rise. Fortunately, this attack can be circumvented by shutting down the network and removing the malware while using previously backed-up data to restore the system. This method is still expensive, though, and forces the utility to shut down.

It is important to note that there is not a single type of attack, but different iterations of unauthorized access. The most common threats to water systems are Denial of Service, Spyware, Trojan Horses, Viruses, Worms, Sniffers, Key Loggers, and Phishing, which the table below describes. Typically, these attacks have the goal of chemical or biological contamination, physical disruption, and interference with computer systems.

Table 1: Displays common cyberattacks specific to water systems.

Common Cybersecurity Threats

Denial of Service: Flooding a resource (a network or Web server) with thousands of false requests so as to crash or make the resource unavailable to its intended users.
Spyware: Monitors user activity.
Trojan Horse: Malicious file or program that disguises itself as a legitimate file or program.
Virus: Attaches to existing programs, then replicates and spreads from one computer to another.
Worm: Malicious file that replicates itself and spreads to other computers.
Sniffer: Monitors information traveling over a network.
Key Logger: Records keystrokes and transmits them to the originator.
Phishing: Fake websites or e-mail messages that look genuine and ask users for confidential personal data.

In response to the increasing appearance of cyber threats, specifically to water utilities, the American Water Works Association (AWWA) has created information for limiting access points for malicious attacks on water infrastructure. These standards are based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This is a great resource for utilities and should be accepted as part of a utility’s standard operating procedures and IT disaster/recovery plan. Generally, the recommendations focus on developing security policies and procedures; reducing impacts on the network when operational failures occur for any reason; educating staff on best practices and maintaining security for access to the system; and establishing Service Level Agreements (SLAs) with contractors so that they also maintain the security standards. These procedures are explained in more detail in Table 2 below.

Table 2: Displays common precautions for cyberattacks on network systems.

Common Precautions from Cyber Attacks

Governance and Risk Management: Define organizational boundaries and framework for security policies, procedures, and systems to manage the confidentiality, integrity, and availability. It is key to keep an inventory of the process control system components.
Business Continuity and Disaster Recovery: Structured method for the organization to reduce the probability and impact of systems and operational failure. A Disaster Recovery Plan deals with more significant service disruptions in the network. This means the identification of types of disruptive events, estimating impact, and developing mitigation strategies.
Server and Workstation Hardening: This procedure identifies best practices to minimize the probability of unauthorized access to servers and maintain security.
Education: Involves identifying best practices and providing formal training on the security policies, procedures, security awareness, and incident response. It is best done with test practice to confirm proper responses from network users.
Service Level Agreements (SLAs): This concerns the management of contracts that specify service requirements to the network. There should be an appointed person in charge of defining, negotiating, executing, and monitoring these contracts.
Personnel Security: This procedure focuses on the re-accreditation of employees and updates on the policies and procedures that manage them.

It is important that utilities start by conducting an extensive audit of the network(s) used and identify risks specific to each system or application and its respective configuration. In addition, utilities should separate SCADA networks from business networks to limit access points to the sensitive SCADA system, and make sure all connected devices and access points, like backhauls or modems, are secured.
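
As an added illustration (not taken from AWWA or NIST material), the audit described above can start as a simple check over the asset inventory: flag any device with addresses in both the SCADA and business networks, any address outside a documented zone, and any modem or backhaul not marked as secured. The subnets, device names and the "secured" field below are constructed assumptions for the example.

```python
import ipaddress

# Assumed zone layout (constructed for this example).
ZONES = {
    "scada": ipaddress.ip_network("10.10.0.0/24"),
    "business": ipaddress.ip_network("192.168.1.0/24"),
}

# Constructed inventory: name, interface addresses, device kind,
# and whether access to the device is authenticated/secured.
INVENTORY = [
    {"name": "plc-intake-01", "ips": ["10.10.0.11"], "kind": "plc", "secured": True},
    {"name": "hmi-ops-01", "ips": ["10.10.0.20"], "kind": "hmi", "secured": True},
    {"name": "historian-01", "ips": ["10.10.0.30", "192.168.1.30"], "kind": "server", "secured": True},
    {"name": "cell-modem-02", "ips": ["10.10.0.40"], "kind": "modem", "secured": False},
    {"name": "billing-ws-07", "ips": ["192.168.1.57"], "kind": "workstation", "secured": True},
    {"name": "radio-backhaul-1", "ips": ["172.16.5.2"], "kind": "backhaul", "secured": True},
]

REMOTE_ACCESS_KINDS = {"modem", "backhaul"}


def zones_of(device):
    """Return the set of zones a device's interfaces fall into."""
    found = set()
    for ip in device["ips"]:
        addr = ipaddress.ip_address(ip)
        matches = [zone for zone, net in ZONES.items() if addr in net]
        found.add(matches[0] if matches else "unknown")
    return found


def audit(inventory):
    """Return (device, issue) pairs for segmentation and access-point risks."""
    findings = []
    for dev in inventory:
        zones = zones_of(dev)
        if {"scada", "business"} <= zones:
            findings.append((dev["name"], "bridges SCADA and business networks"))
        if "unknown" in zones:
            findings.append((dev["name"], "address outside any documented zone"))
        if dev["kind"] in REMOTE_ACCESS_KINDS and not dev["secured"]:
            findings.append((dev["name"], "unsecured remote access point"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(INVENTORY):
        print(f"{name}: {issue}")
```

A dual-homed host such as the historian in this sample is worth reviewing first, since it gives the business network a direct path to the SCADA side even when the two networks are otherwise separated.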

Today’s utilities are in a race against individual and state-supported hackers that are increasingly targeting infrastructure networks for varying nefarious reasons. The utility must remain vigilant and aware of its systems’ strengths and weaknesses while compensating for these ‘soft’ possible access points to limit disruptions. The first place to start is incorporating best practices and investing in training and protections to prevent unauthorized access from occurring.