In the world of utility cybersecurity, moves by attackers and countermoves by defenders are ever-evolving. Ransomware attacks are up, in part because hackers have discovered vulnerabilities that can be exploited in both operational technology (OT) and information technology (IT) systems.
According to cyber industry trade associations, ransomware attacks were up by 20% in the first half of 2020. These attacks essentially are today’s high-tech version of yesterday’s second-story burglaries, where thieves entered through open windows and unlocked doors, taking whatever valuables they could find before fleeing.
Hackers today similarly look for open cyber vulnerabilities in a utility’s OT and IT systems. Once inside, they often upload and spread malware that encrypts and locks up critical data. Hackers ideally look for data that is necessary for ongoing operations or billing or other financial transactions with direct impact on revenue. Looking to get in and out quickly, they often then send demands for payment in exchange for the code that can decrypt and unlock the data.
Cybercriminals organized in groups known as advanced persistent threats (APTs) may be viewed as the most dangerous adversaries, but the reality is most for-hire attackers are simply looking for a quick payoff, then moving on to the next target.
Prudent First Step
In the simplest terms, comprehensive gap analyses and maturity assessments are similar. Both are aimed at mitigating risks. A maturity assessment looks at a point in time for the IT/OT system, analyzing the system’s current state. A gap analysis is intended to develop a road map to reach a desired end state. This includes a set of recommended security protocols and standards to be implemented — the end state, if you will.
Both gap and maturity analyses center around people, processes and technologies.
It is often the case that people represent the greatest cyber vulnerability for any organization, not just utilities. In the case of ransomware attacks, the most common tactic is to send phishing emails to people inside the utility. It only takes one employee clicking on a link or downloading an attachment for an attacker to gain the access needed to deploy a ransomware virus. Even worse, attackers may obtain the “keys to the castle” if one or more employees unwittingly give them a username and password.
Addressing this vulnerability starts and ends with good training backed by regular updates and reminders on security protocols. Clear and simple processes for employees to follow will have immediate benefits for cybersecurity.
Improved processes start with a review of all the security documentation a utility has in place. These process documents can address everything from proper creation and storage of passwords (i.e., not on sticky notes pasted to computer monitors) to emergency response procedures in the event of a cyber incident. In many cases, templates for process documentation are readily available from reputable industry sources such as the National Institute of Standards and Technology (NIST). These documents can be customized to fit the water utility’s unique OT/IT environment, while also dovetailing with compliance requirements under America’s Water Infrastructure Act (AWIA) for risk assessments and emergency response plans. It is important to secure executive buy-in with requirements that employees confirm they have read and understand all security processes.
The third element, technology, is ideally focused on cost-effective controls, such as simple configurations inside switches, firewalls around networks, and security boundaries around devices. This could include VLAN (virtual local area network) infrastructure and network segmentation. The controls also could focus on grouping devices into their own individual modules, or subnets. By default, devices within a subnet can talk only to each other; any communication across subnet boundaries must be explicitly permitted.
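As an added illustration, not from the original article, the following Python sketch models the default-deny segmentation rule just described: a hypothetical OT/IT VLAN plan in which devices inside a subnet may talk to each other, cross-segment traffic is allowed only through listed exceptions, and sample flow records are audited for violations. The segment names, subnets, exception list and flow records are all constructed for the example.

```python
import ipaddress

# Hypothetical segmentation plan: one subnet per VLAN (constructed values).
SEGMENTS = {
    "OT-PLC":  ipaddress.ip_network("10.10.0.0/24"),
    "OT-HMI":  ipaddress.ip_network("10.10.1.0/24"),
    "IT-CORP": ipaddress.ip_network("10.20.0.0/24"),
}

# Explicit cross-segment exceptions: (src segment, dst segment, dst port, proto).
# Any other traffic between segments is denied by default.
EXCEPTIONS = {
    ("OT-HMI", "OT-PLC", 502, "tcp"),   # HMI polls PLCs over Modbus/TCP
    ("IT-CORP", "OT-HMI", 443, "tcp"),  # engineering web access to the HMI
}

def segment_of(ip):
    """Return the segment name an address belongs to, or None if unplanned."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def is_allowed(src_ip, dst_ip, dst_port, proto="tcp"):
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False            # address not in the plan: deny
    if src == dst:
        return True             # same subnet: devices talk to each other
    return (src, dst, dst_port, proto) in EXCEPTIONS

# Constructed flow records: "src dst dst_port proto", one per line.
SAMPLE_FLOWS = """\
10.10.1.5 10.10.0.20 502 tcp
10.20.0.44 10.10.0.20 502 tcp
10.20.0.44 10.10.1.5 443 tcp
10.10.0.20 10.10.0.21 20000 tcp
10.20.0.9 10.10.0.20 3389 tcp
"""

def audit_flows(text):
    """Return the flow records that the segmentation policy would not permit."""
    violations = []
    for line in text.splitlines():
        src, dst, port, proto = line.split()
        if not is_allowed(src, dst, int(port), proto):
            violations.append(line)
    return violations
```

Running the audit over the sample flows flags the two corporate-to-PLC connections, which is the kind of finding a segmentation review would raise.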
Delivering Real Benefits
For both gap and maturity analysis, our goal is the same: Give utilities useful and actionable recommendations that take them from their current state of cyber maturity to their target state, while focusing on the most appropriate mitigations and avoiding over- or under-investment. Impactful steps can be taken immediately that create real benefits — over the short, medium and long terms — and have lasting effects on the company.
Our aim is to provide short-term, easy wins. We understand many water utilities, for example, have constrained budgets, so we take pride in developing solutions that mitigate financial risk and expense.
That said, we still want utilities to bear in mind there really is no finish line when it comes to cybersecurity. There are always reasonable and practical moves and countermoves a utility can take to protect itself and its customers — as long as the utility accepts that while there is no “perfect security” end state, there is a targetable level of acceptable risk that stakeholders wish to achieve.
Critical infrastructure has long been a target for cyberattacks.