Thwarting Insider Threats, Ransomware and Protecting Water and Wastewater Facilities

The Cybersecurity and Infrastructure Security Agency (CISA) – alongside the FBI, EPA, and NSA – recently released a cybersecurity advisory warning of ongoing cyber-threats to U.S. water and wastewater systems (WWS). The advisory warns that attacks against both information technology (IT) and operational technology (OT) are threatening the ability of WWS facilities “to provide clean, potable water to, and effectively manage the wastewater of, their communities.”

The potential for damage posed by successful cyber-attacks against WWS is alarming. A few extra zeros added to the end of a lye count, for example, can render drinking water incredibly dangerous to drink. But this is not a new problem. Cyber-attacks against WWS have a long, storied history.

Ten years before the infamous Stuxnet – often regarded as the inception of cyber-attacks against industrial control systems (ICS) – a cyber-attack in 2000 against Maroochy Shire Council in Queensland, Australia, released millions of gallons of untreated sewage into waterways and parks. This instance is a striking example of how cyber-attacks against ICS can have physical consequences.

Insider Threats

This attack was the result of an insider threat. The culprit had a laptop and specialized supervisory control and data acquisition (SCADA) equipment in their car, which they used to maliciously manipulate the sewage management control system. They also used radio frequencies during the attack to disable pumping stations.

CISA’s advisory affirms that insider threats remain a persistent risk for WWS facilities. The advisory includes a recent example in which a former employee at a Kansas-based WWS used their user credentials to remotely access a computer and threaten the drinking water’s safety. Fortunately, this attack was unsuccessful.

Insider threats are particularly challenging to identify and interrupt while in progress, because the users launching them often hold privileged or even fully legitimate access to systems. WWS facilities can benefit from self-learning AI technologies that understand ‘self’ for every user and device across an entire environment, detecting and responding to unusual behaviors at their earliest stages – no matter who is responsible for the activity or what their intentions may be.


The attacks detailed in the advisory include multiple ransomware incidents over the past few years against WWS facilities across the country, including facilities in California, Maine, Nevada and New Jersey, involving both known and previously unidentified ransomware variants.


When it comes to thwarting ransomware, the main challenge is the speed at which an entire cyber-ecosystem can be locked down. Here, the key to stopping ransomware in its tracks is to leverage a defensive technology that can respond at machine speed. WWS facilities can employ autonomous response technology that leverages self-learning AI to take a surgically precise response to an emerging incident – neutralizing only the malicious behavior while allowing legitimate activity to continue to flow freely.

The CISA advisory also foregrounds tactics, techniques and procedures (TTPs) commonly used against WWS, ranging from spearphishing to attacks exploiting outdated operating systems and software to attacks exploiting vulnerable control system firmware versions.

IT-OT Convergence

It is crucial to note that these attacks range from those compromising IT to those directly targeting OT. And regardless of the initial point of entry – be it unsecured remote access or a decades-old programmable logic controller (PLC) – attackers can often easily pivot from IT to OT, and vice versa, due to both known and unknown points of convergence. Indeed, the advisory stresses that organizations with integrated IT and OT systems are more at risk for attacks “either purposefully or inadvertently.”

An employee thoughtlessly clicking on a malicious link in a scam email can inadvertently lead to an attacker disrupting the integrity of drinking water, or spilling sewage into public spaces, as the attacker pivots across the cyber-ecosystem from corporate laptops to PLCs.

To avoid these types of disasters, we need unified protection of IT and OT. Putting OT cybersecurity into its own silo is no longer a viable solution.

Today’s cyber-ecosystems are highly complex, and attacks can move at breakneck speeds. Slapping two entirely different security tools under the same user interface is not enough, nor is creating partnerships between IT and OT security teams. These approaches will create blind spots and friction across discrete organizations and technologies. Instead, we need a single technology that can form a holistic understanding of IT and OT to create a complete picture of the entire ecosystem and respond as soon as an attack occurs.

Self-learning AI provides truly unified protection of IT and OT systems, using the same core technology driven by advanced mathematics to seamlessly protect organizations and respond to threats no matter where or when they occur. Indeed, it has repeatedly thwarted emerging attacks against WWS facilities across the U.S. and abroad.

The U.S.’s WWS facilities deserve the most sophisticated defense the market offers. CISA’s advisory should serve as a wake-up call that these threats are ongoing, and that they will be costly if not dealt with in full.
