In early February, cyber attackers made headlines when they hacked into the operating system of the municipal water treatment plant in Oldsmar, Florida, briefly elevating the levels of sodium hydroxide 100-fold. Luckily, a supervisor monitoring the system saw the levels being altered and changed them back without incident. A year earlier, attackers attempted to alter chlorine levels in the Israeli water supply.
These are just two headline grabbing examples of assaults on municipal water supplies. Operators of water and wastewater treatment plants and networks should read it as a sign of things to come and be prepared to develop a culture of cybersecurity within their organizations to avoid crippling attacks.
Ransom and bad actors
These attacks could be attempts to extract ransom, or from an international “bad actor” looking to cause a major civic disruption. Regardless, the consequences of a cyber breach for water and wastewater facilities can be catastrophic, from contaminated water supplies and raw sewage leaking into local waterways, to industrial clients being forced offline due to a lack of access to your services. The financial and reputational costs associated with any of these failures can be astronomical.
Recently, Schneider Electric Canada hosted an hour-long, highly informative panel discussion on “The Importance of Industrial Cybersecurity for Water and Wastewater Works” with our partners- Veolia Water Technologies Canada, AECOM & ICI Electrical Engineering. Here is a quick recap of the session and some of the key takeaways from the discussion.
The good news is that most cyberattacks are not targeted but instead blind automated raids seeking out vulnerabilities in systems. Which is why it’s essential to find and close the weak points in your systems.
The first line of defense is physical security – limiting access to operating systems and isolating vulnerable locations. Remote terminal units (RTUs) are often open to exploitation, connected to the network via unsecured landlines. These connections should be upgraded to secure networks.
Outside contractors can also be a source of vulnerabilities. Ensure that suppliers who need access to your network have cybersecurity procedures that are at least as robust as your own and establish protocols on when and how third-party access is allowed.
At Schneider Electric, we keep cybersecurity at the forefront of all our innovations and initiatives. Our industrial cybersecurity services offer a full range of assessment, planning, policy management and defense methodologies to counter control systems, network and data threats. Knowing where your systems are vulnerable is the first step to protecting them. Our comprehensive assessment and analysis can help reveal those gaps and recommend a clear roadmap to bridge them.
In short, you should start from the position of having everything locked down and open up access on a must-have basis.
Isolate and test
Network infrastructure is also key. SCADA systems should be isolated from the public internet. Segregate your various control networks, establish and monitor firewalls to protect them.
It is critical for water and wastewater system operators to have a cohesive cybersecurity management system in place to prevent intrusions and implement a disaster recovery plan if the defenses are breached. But, like a fire drill, these systems must be regularly tested.
Human error is the source for most cyber attack exploitations, which makes employee training on these threats essential. Field operators should be trained to spot when something is amiss. Cybersecurity should become a part of the corporate culture.
For too long, water and wastewater operators have relied on “security through obscurity” as defense from attack. Without taking proactive measures, cyberattacks on these critical systems are inevitable. The key to weathering these attacks is an educated workforce, secure networks, and creation of a cybersecurity management system that’s regularly tested and updated. To learn more, register for Schneider Electric’s free, on-demand cybersecurity panel discussion now.