Why water utilities must invest in cybersecurity
In Albuquerque, N.M., arid conditions and frequent droughts make water a precious commodity that must be carefully managed. Aggressive conservation programs, water recycling and storage of excess water underground (safe from evaporation) are just some of the methods we employ to safeguard the water supply for our 650,000 users. Recently, safeguarding has taken on new meaning for utilities such as ours, as cybercriminals have made water suppliers targets for attack.
Everyone in the water industry fears a repeat of what happened in Oldsmar, Fla., last February, when hackers took advantage of a remote-access system that was beyond the local water utility’s security perimeter. The intrusion only lasted between three and five minutes, according to the Tampa Bay Times. But that was time enough for the hackers to increase the levels of sodium hydroxide (lye) being fed into the water system as a corrosion inhibitor from 100 parts per million to 11,100 parts per million. If not for the operator who saw the change and quickly corrected it, it could have been a disaster.
The harsh reality is that too many water utilities are stuck with antiquated systems and limited visibility into what’s happening in their operational technology (OT) environments. Historically, OT environments and IT environments were completely separated (air-gapped). We are now able to leverage smart sensors to help detect leaks and save manpower. This technology allows water utilities to become proactive as opposed to reactive. However, it also means that IT and OT environments are converging. Often, equipment within OT environments was never designed to one day communicate with IT networks. This convergence opens a whole new world of vulnerabilities that must be addressed, and air-gapping is no longer an adequate fail-safe response.
Fortunately, the Water Authority is not afraid of innovation, and we’re taking advantage of remarkable new technology that offers solutions to the challenges of OT/IT convergence and the security risks that arise when these worlds come together.
Deploying this technology was not an overnight process, and we didn’t fully recognize the need for it until our IT and OT teams began collaborating more on system integration. This led to the realization that our end-of-life network equipment was not up to the task—and that our IT staff lacked an in-depth understanding of the operational environment. Cisco technology opened a window for us into that environment, allowing us to safely leverage the benefits of IoT sensors to monitor a vast array of operational metrics: equipment efficiency, water conditions and even the presence of system leaks. This emerged from our participation in Cisco’s County Digital Acceleration program, which included the stand-up of a network refresh with the help of Cisco Customer Experience (CX), and added solutions like Cisco Cyber Vision, an asset inventory and threat detection tool for industrial control systems that gives both IT and OT teams intuitive and clear visibility into all that’s happening. Besides making the utility more efficient, these improvements mean that we can see and respond to anomalies in real time.
You can’t protect what you don’t know about, and you can’t detect anomalous behavior if you don’t know what’s “normal.” Visibility is key to detecting malicious activity before operations are negatively impacted. A common problem with cyberattacks is that security teams simply don’t know they’re happening, leaving hackers free to steal information or disrupt operations for days, weeks or months.
With solutions like these in place, utilities can become hard targets for cybercriminals. The incident in Oldsmar brought important awareness to the weaknesses in utility IT and OT systems that hackers are eager to exploit.
A recent report from the FBI revealed a 69 percent increase in cybercrime complaints from 2019 to 2020, noting that most cybercriminals had access to networks for several weeks or even months before they were discovered. Given these recent events and threats trending higher, utility companies must become more vigilant in securing their operations—which starts with investing in a security strategy that enables visibility for early threat detection.
It can be challenging for any utility company to justify network upgrades or enhanced security, especially when post-pandemic budgets are tight and revenue is down. Given all that’s at stake, though, there is no better expenditure than taking steps now to secure essential utility services for the public.
Kristen Sanders is the chief information security officer at the Albuquerque Bernalillo County Water Utility Authority.