In March, the FBI and DHS released a joint alert that detailed the activities of Russian state-sponsored cyber actors who were exploiting vulnerabilities in our country’s critical infrastructure control systems—including those in the manufacturing, nuclear, energy and water/wastewater sectors. The alert details the methods the cyber actors used to compromise their targets, including spear-phishing emails, watering-hole domains, credential gathering and network reconnaissance. According to the alert, the actors have had a presence in these systems as far back as 2016, with other reports indicating that some intrusions may go back even further. This is a chilling development that paints a stark picture of the state of cybersecurity in some of the most important utilities in the United States.
Cyber intrusions can go months or years before being detected, and all the while the intruder can be studying the network architecture, components, and typical communication habits to develop an in-depth picture of how a system operates. Considering that the hackers identified in the alert gained access to multiple systems and had years to gather data, it’s safe to assume they’ve developed a detailed picture of critical infrastructure controls. It’s also safe to assume they’ve developed an approach to disrupt operations as well. At this time, many critical infrastructure control systems (especially those associated with water and wastewater treatment) are not equipped to detect anomalous activity or alert staff if something abnormal does occur. Without proper detection or network monitoring in place, how do infrastructure owners know what’s going on in their systems?
How to Balance Costs and Security of Your Utility
Critical infrastructure owners are often in a difficult position even before they have to worry about the security of their control systems. Aging physical assets are a major concern, with estimates for replacement and remediation soaring well into the billions of dollars. Operating budgets are constantly strained to meet current needs and are stretched to find ways to comply with new requirements. In this environment, it’s nearly impossible for utility owners and operators to consider installing new equipment that could detect cyber threats or to employ the staff needed to monitor this equipment and make the necessary adjustments.
One option to consider is engaging a managed service provider (MSP). Today’s technology, combined with the right skill and experience, can mitigate the cybersecurity risks at a fraction of the cost of adding staff to accomplish the same goals. This approach has worked well for a number of our water and wastewater utility clients. To enable this service, a security appliance and a demilitarized zone (DMZ) server should be installed and configured both to secure your system against remote intrusion and to aggregate system logs so they can be analyzed for anomalies in user access or behavior. Through the same hardware and secure connection, a managed service provider could monitor system behavior and security alerts, distribute operating system patches, update antivirus and anti-malware signatures, upload scheduled backup information to a secure offsite location to support a robust disaster recovery plan, and maintain your user accounts and credentials. By leveraging hardware and software, while ‘sharing’ the cost of security professionals (instead of covering the cost individually), utilities can afford high-level security and services.
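To make the "analyze for anomalies in user access" step concrete, here is an added example (not code from the original article or from any MSP's product) of the kind of check a DMZ log collector can run: build a per-user baseline of source addresses and working hours from known-good remote-access logs, then flag logins that deviate from it. The log format, user names and addresses are constructed for the example; a real appliance's syslog would need its own parser.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed remote-access log lines in a hypothetical syslog-like format (not real appliance output)
BASELINE_LOGS = """\
2018-04-02T08:15:10 gw user=operator1 src=10.20.0.15 action=login
2018-04-02T16:40:02 gw user=operator1 src=10.20.0.15 action=logout
2018-04-03T07:58:44 gw user=operator2 src=10.20.0.22 action=login
2018-04-03T09:05:31 gw user=vendor_svc src=172.16.5.9 action=login
"""
NEW_LOGS = """\
2018-04-10T02:13:07 gw user=operator1 src=10.20.0.15 action=login
2018-04-10T02:20:41 gw user=operator2 src=203.0.113.77 action=login
2018-04-10T03:01:12 gw user=backup_adm src=10.20.0.40 action=login
2018-04-10T09:10:00 gw user=operator1 src=10.20.0.15 action=login
"""
LINE_RE = re.compile(r"^(\S+) \S+ user=(\S+) src=(\S+) action=(\S+)$")

def parse(text):
    # Event tuples: (timestamp, user, source address, action); lines that do not match are skipped
    out = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts, user, src, action = m.groups()
        out.append((datetime.fromisoformat(ts), user, src, action))
    return out

def build_baseline(events):
    # Per user: the source addresses seen and the hour-of-day window of normal activity
    prof = defaultdict(lambda: {"src": set(), "hours": set()})
    for ts, user, src, _ in events:
        prof[user]["src"].add(src)
        prof[user]["hours"].add(ts.hour)
    return {u: (p["src"], min(p["hours"]), max(p["hours"])) for u, p in prof.items()}

def detect(baseline, events):
    # Flag logins by unknown accounts, from unseen source addresses, or outside the user's normal hours
    alerts = []
    for ts, user, src, action in events:
        if action != "login":
            continue
        if user not in baseline:
            alerts.append(("unknown_user", user, src))
            continue
        known_src, lo, hi = baseline[user]
        if src not in known_src:
            alerts.append(("new_source", user, src))
        if not lo <= ts.hour <= hi:
            alerts.append(("off_hours", user, src))
    return alerts
```

A baseline built from a couple of days of logs, as here, will over-alert; in practice the window is built from weeks of activity and tuned to the utility's shift schedule and vendor maintenance windows, and each alert type is routed to whoever (on-site staff or the MSP) can confirm whether the access was expected.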
In this current global climate, it’s become clear that we, as a nation, cannot ignore the security of our critical infrastructure anymore. No matter the size of your utility, by not taking the proper steps to protect the assets that monitor and control your utility’s systems, you are putting the communities that rely on your services for water, power, or other amenities at risk. Active detection of the traffic in and out of your network is an important step to improve your security posture.