Watertight Security: Multiple hacks of water utilities highlight the need for IT security

The FBI has confirmed that they are investigating several cyberattacks carried out on water utilities in the US in recent months. The attacks have allegedly been perpetrated by an Iranian government-linked cyber group against water facilities that were using Israeli-made technology.

It comes at a time when operators and managers of facilities linked to critical resources like water are being warned about an impending increase in attacks. This is linked to geopolitical instability over the past few years, with nation-states funding nefarious hacker groups.

The intentions behind the attacks aren’t 100% clear, but disrupting critical infrastructure, inducing panic, fear, and nuisance, and deterring the U.S. from trading with certain states are clearly at their core.

For Compliance Managers and Utility Managers, there is a greater threat than there was previously. While it might sound ominous, all you can do is view it as an opportunity to take small steps towards improving your security. 

Below we’ll take a closer look at what exactly has been happening in recent weeks and months with cyberattacks on water utilities. We’ll also offer some practical advice for making sure your utility doesn’t become a victim.

Finally, we’ll briefly look at how SwiftComply is helping utilities safeguard against these types of attacks by putting IT Security and Data Privacy at the core of development.

What exactly is happening with these attacks on water utilities?

As we outlined above, the recent spate of cyberattacks on water utilities is being perpetrated by state-sponsored hacker groups in response to geopolitical tensions involving the US in places like Israel and Russia.

While there hasn’t been much media coverage of incidents other than those in Aliquippa, PA, and St. Johns River, FL, the FBI has confirmed that multiple water utilities have been affected by cyberattacks in several states.

While it hasn’t just been the water sector that has been targeted, significant underinvestment and lack of awareness have made the sector vulnerable. 

How are the attacks being carried out?

The recent attacks on water utilities are understood to have taken advantage of weaknesses in the security of a smart-metering device that is commonly used in water utilities in the US. The Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged that the hackers gained access to the devices by exploiting their exposure to the internet and use of weak passwords.

But why are these devices the weak link in water utilities?

The devices are made in Israel, a political ally of the US in the Middle East. Iranian-backed hackers are effectively saying: “Use Israeli goods at your peril”.

What can water utility managers do to protect against these attacks?

The disruption caused by one of these attacks could cause your utility a lot of stress. Not only will securing your system be difficult, but there will also be consequences if customers’ data is leaked and you have to notify them.

Safeguarding against these attacks might seem like a big undertaking, but taking small actions to strengthen your security will make the biggest difference. These hacker groups typically take advantage of small, obvious weaknesses like simple passwords, phishing emails that look like internal communications, and in the most extreme case, unsecured devices.

5 simple ways to secure your water utility against cyber attacks

Below, we’ve listed five simple steps that can significantly enhance your security posture against cyber attacks. While the fear of these hacks is real, the fact that these hackers typically exploit obvious weaknesses can be used to your advantage. Covering your bases can deter hackers, who will view your water utility as being ‘not worth the effort’.

The following 5 steps are a great start, and something you can do pretty quickly:

1. Regular Software Updates and Patch Management

There can be a temptation to leave our computers and devices running on old versions of software and keep hitting the ‘Remind Me Later’ button when we fire them up in the morning. 

However, there’s a good reason Microsoft and Apple release software updates so often. It’s key to the battle of securing vulnerabilities and staying a step ahead of hackers. You should keep all systems, including operating systems, applications, and firmware, up to date with the latest security patches. This helps to close vulnerabilities that could be exploited by attackers.

2. Employee Training and Awareness

As a Utility Manager, the buck stops with you on keeping the public water system safe. In the same way that you educate workers about health and safety, you need to educate them about the importance of cybersecurity. Training should cover recognizing phishing attempts, following proper password practices, and understanding the common tactics used by cyber attackers.

3. Implement Strong Access Controls 

The days of using your favorite color as your password are well and truly gone. With advances in bots in recent years, a strong, unique password is the minimum to avoid a brute-force entry to a system (think of a robot entering thousands of passwords in a matter of seconds and just one of them needing to be right).

Implementing multi-factor authentication (MFA) is simple too. It’s also best practice to limit access to critical systems to only those employees who need it for their job function, and regularly review access privileges.

4. Regular Security Audits and Assessments

Conducting periodic security audits to identify vulnerabilities within the network and systems should be part of your workflow as a utility manager. Although it might seem like an added burden to an already hectic schedule, it is critical to identify any weaknesses that appear over time. 

To make it as stress-free as possible, it is a good idea to have a template of what needs to be inspected and to tick items off as you confirm they are up to scratch.

In addition to regular assessments, having a comprehensive analysis done by an external tester will also give you added protection and the peace of mind that you’ve done everything you can to protect against attacks. This can include penetration testing, where ethical hackers try to breach your systems to find weaknesses.

5. Incident Response, Disaster Recovery, & Continuity Planning 

Digital transformation of the water utility sector is undoubtedly making the job of keeping public water safe more efficient. It’s a reality in almost every facet of life that technology is changing the way we do things.

However, as we become more dependent on technology, there is a need to improve security to ensure that it’s safe. 

A good example of this is the phones we use. Cast your mind back to the 2010s: with limited internet access on our handheld devices, there wasn’t a need to have a password or swipe code to unlock our phone. The worst that could happen if someone were to take it was that they could run up your bill by using it.

In little over a decade, however, we now manage our lives through these devices with our most sensitive data (personal, banking, email, etc.) available to anyone who might get past the initial home screen.

While that’s an obvious, everyday example, the same is true for the technology that we have embraced as part of the public water management system. For every piece of technology that we integrate, be it hardware or software, it is important to have the correct security in place to protect the data it hosts or the function it has in the wider system.

Even with the best safeguards, you should develop and regularly update an incident response plan in case the system is compromised and needs to be switched off. This plan should outline the steps to take in the event of a cyber attack, including how to isolate affected systems quickly, communicate with stakeholders, and restore operations.

This incident response plan allows you to remain calm and confident in the course of action you will take in the event of a cyberattack. 

Knowing that there is an alternative solution that can be implemented should anything go wrong also allows your facility to continue to function as normal, minimizing any impact on you or public water customers.

The SwiftComply take on IT and Data Security in water utilities

While the recent hacks in the U.S. are unfortunate, they’re a reality of operating a water utility in the 21st century. They’re a reality for every type of business, service, or entity that has an online presence and a reason to make it a target for hacker groups, no matter how tenuous that reason may be.

Our development team at SwiftComply are industry experts in cyber security and take a proactive approach to understanding both existing and emerging trends in the space. This in turn allows us to ensure that we are constantly confirming that our security process is keeping ourselves and our customers safe.

It is these same processes that allow our team to work with city and municipal water and wastewater utilities to ensure that they are covering everything on their end and that we can support them in patching any vulnerabilities they might have in their systems.

If you have any concerns or questions about the security of your utility, you can always reach out to us and we can provide some guidance or solutions.