The Proliferation Of Cyber Threats To Water And Wastewater

By Graham Speake, Vice President and Chief Product Architect at NexDefense

According to the American Water Works Association (AWWA), the North American drinking water infrastructure network spans about one million miles, which is more than four times the length of the National Highway System. While this may sound excessive, this infrastructure is in fact necessary to efficiently supply water to all of the United States, which uses 408 billion gallons every single day. Overseeing and in control of our most valuable resource is the water and wastewater industry. This sector of critical infrastructure helps ensure the integrity of services such as healthcare and transportation, provides the source of fire protection, supports the energy, transportation and agriculture sectors, and is responsible for public health protection and overall quality of life.

As important as water is, however, the water and wastewater industry is in the midst of contemplating significant challenges, none more burdensome than the deterioration of aging pipes and the high cost of 24/7 operations. The physical condition of pipes has in fact become so putrefied, that the American Society of Civil Engineers’ last report card issued the water and wastewater industry a “D” grade, along with estimating a $1 trillion price tag to replace the crippling infrastructure. According to AWWA, there are roughly 240,000 water main breaks per year, mostly because even pipes that are considered “new” were established just after World War II, with the older pipes originating as far back as the mid1800s.

Another challenge facing the industry is the retiring workforce, and the skill shortage available to replace them. In fact, according to The Water Research Foundation, water utilities will lose 30 to 50 percent of their workforce in the next decade. While retiring employees are typically replaced by the next generation, young engineers generally lack the operational technology (OT) experience necessary to work in a water or wastewater facility. As a result, the resources available for managing traditional OT systems are declining.

In an attempt to resolve these issues, water and wastewater facilities are adding innovative technology to their systems to maximize the longevity of legacy pipelines and systems, reduce operational costs, automate processes and attract new talent.

SCADA Systems Save the Day

Supervisory Control and Data Acquisition (SCADA) systems were first introduced in the 1960s as a means to monitor and control the state of remote equipment. Back then, all systems were controlled manually and operators had to physically go around each facility to turn pumps on and off. Now, new technology and applications allow the systems to actually automate control processes, collect and store information, produce analytics and display real-time operational data. In addition, the proliferation of wireless and digitally connected systems allows for multiple sites to be accessed remotely through the Internet on any device — even a cell phone. As the majority of water and wastewater operating companies are small to medium entities, managing and operating facilities remotely is seen as a definite advantage.

Implementing advanced SCADA systems not only reduces operating costs and improves performance through automation, but it also reduces the amount of labor needed to operate processes such as the treatment, testing and movement of water. While this reduction in labor demand lessens the amount of new hires needed to replace the retiring workforce, the innovative technologies being implemented into these systems can certainly be used as a tool to attract the next generation of engineers for positions that require manual skills.

But while SCADA helps solve many of todays operational, labor and financial challenges, it is not without dangerous flaws of its own.

The Vulnerability of SCADA Systems

According to the Department of Homeland Security (DHS), there are about 160,000 public water systems and more than 16,000 public wastewater systems in the United States. Each of these systems is becoming part of a massive converged network, with the opportunity for information sharing and communications across the industry. While the controls that operate these systems were once individually managed, wireless technology and interoperability have eliminated the need for personal oversight. As a result, connected water and wastewater systems are now vulnerable to complex attack surfaces for which the industry has never seen. Without appropriate cybersecurity in place, anyone with malicious intent could access the network and contaminate or cease the treatment and distribution of water. 

A recent report from ICS-CERT revealed that the control systems community “may be a target for sophisticated threat actors for a variety of reasons, including economic espionage and reconnaissance.” Of course, the potential to impact health and public safety also remains a primary motivator of nation-state and terrorist adversaries. Of the cyber incidents reported to ICS-CERT in fiscal year 2014, 55 percent involved advanced persistent threats or sophisticated actors — an increase from the previous year. Not only are these types of threats persistent; but also they are extremely difficult to detect. In fact, the reported origin of the majority of incidents remains unconfirmed, because the access vector could not be identified even after the incident was eradicated.

Reports of potential cyber attacks against the water supply are not new. However, it is the emergence of Advanced Persistent Threats (APT) — those defined by stealth, persistence, sophistication and discovery — that are the cause of present day concern. With a large number of the water and wastewater being small to medium entities, they may not have the security expertise to spot and deter any attack against them. Also, the industry tends to prolong the life of its systems more than others sectors in the critical infrastructure, often 30 years or more. This leaves obsolete computer systems essential to the operation of the plant, but unable to be adequately patched or protected from new vulnerabilities.   

This likelihood of a successful APT against the water and wastewater industry is a direct result of the growing threat landscape that exists due to the extraordinary remote access required to operate water supply facilities located in dispersed locations. While remote access is invaluable to efficiency and productivity, it spawns attack surfaces that are hard to identify through perimeter security and other controls.

It is a reality that cyber criminals will only get more skilled with time, but the insufficient security controls of critical infrastructure do not require expert talents to infiltrate. As such, the opportunity for an adversary, such as a nation state, hacker or cyber terrorist, to take control of a system or network is real. The results of an advanced persistent threat could overdose the water with chemicals, flood the streets with untreated sewage, reduce the pressure of fire hydrants, or shut down the distribution of water altogether.

Because these systems are now interconnected, the damage would not be limited to just one location. Rather, an attack could halt the supply chain of water across the country — confiscating our most vital resource and threatening the lives of the public.

Mitigating Risk

Unfortunately, there are no cyber security standards in place that are specific to the water and wastewater sector. The Water Sector Coordinating Council, in conjunction with the DHS and EPA, has released roadmaps towards increasing cybersecurity in the industry. As a guide, however, many companies are following the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards that are designed to secure the power industry. Enforced by NERC CIP standards, water and wastewater facilities should also monitor networks and systems, review alerts and log events. Owners and operators must know what is in their networks, as early detection of threats is key to preventing a successful attack.

In addition, the National Institute of Standards and Technology (NIST) released the first version of the Framework for Improving Critical Infrastructure Cybersecurity in February of 2014 as a result of an executive order from the President. The voluntary framework consists of standards, guidelines and best practices for reducing risks to critical infrastructure. While not yet enforced, the NIST Framework’s should be taken into consideration when developing cybersecurity strategy and managing operations.

While advances in technology can be beneficial to the bottom line, they also create new, complicated and persistent threats. Until there are standards in place, facilities in the water and wastewater sector must be proactive in protecting their property — or risk being a victim or catalyst to a successful attack.

About the Author: Graham Speake is the Vice President and Chief Product Architect at NexDefense. With over 30 years experience in industrial engineering, Graham is a control systems and cyber security expert. In addition to his role at NexDefense, Graham is a SANS trainer and a subject-matter expert to the GIAC Global Industrial Cyber Security Professional (GICSP) certification. Prior to NexDefense, Graham was Principal Systems Architect at Yokogawa Electric Corporation, a major supplier of ICS and SCADA equipment. His responsibilities included the steering and development of security within Yokogawa products, ensuring that relevant security certifications such as ISA Secure and Achilles were achieved. Before Yokogawa, Graham spent nearly 10 years with BP, securing critical plants, such as refineries and oil platforms, in both the U.K and the U.S. Graham also served as an executive with Industrial Control Services, where he developed the software for one of the first computer-based emergency shutdown systems. The software solution, known as EPIC (Emergency, Process, Instrument and Control), was successfully deployed by multiple oil and gas platforms in the North Sea and operated for more than 20 years. Graham is the author of several books on Linux and has been a technical editor for books on hacking.

Image credit: "Crackers," © 2012 elhombredenegro used under an Attribution 2.0 Generic license: https://creativecommons.org/licenses/by/2.0/

Copyright © 1996 - 2015, VertMarkets, Inc. All rights reserved.  To subscribe or visit go to:  http://www.wateronline.com

http://www.wateronline.com/doc/the-proliferation-of-cyber-threats-to-water-wastewater-0001