Embrace the uncertainty and do it anyway: How a proactive stance can help utilities stay cyber secure
Dawn Cappelli of Dragos, a firm specializing in cybersecurity for industrial environments, breaks down how the water industry can stay ready to respond in a volatile world.
We have already examined how utilities can modernize while staying secure and why they should embrace a global outlook on security. But what happens when attackers arrive at the door?
To understand how to prepare for a cyber incident and respond to an attack, we spoke to Dawn Cappelli, the Director of OT-CERT (Operational Technology – Cyber Emergency Readiness Team) at Dragos, a key partner in Xylem’s work to keep the water sector secure.
What cybersecurity trends are you seeing? Are water utilities facing specific challenges?
The water sector has a unique challenge in the perception that because most utilities are small, they’re not a target of cyberattacks.
In our current geopolitical environment, all critical industrial infrastructure is a prime target. Water is a critical piece of infrastructure, one that would have a potentially outsized impact in the event of an attack.
Utilities can be lightly staffed and often don’t have specific OT security expertise. If you don’t protect your utility and your downstream customers, then you’re an easy target.
In November, a number of water utilities were victims of a cyberattack by the hacktivist group CyberAv3ngers, simply because they used OT assets manufactured by a company from Israel.
Our research into ransomware attacks on industrial organizations – including water utilities – shows that the total number of attacks in 2022 was 605. In 2023, we saw 905 reported attacks - a 50% increase. Attacks against industrial organizations have risen from an average of 1.7 attacks per day in 2022, to 2.5 attacks per day in 2023.
As digital technology becomes more ubiquitous across the water industry, how can utilities ensure they can take advantage of innovation while staying secure?
A proactive stance is vital. One key element of that is having an incident response plan specifically for your OT environment. You must have a plan to respond.
We did a tabletop exercise at Xylem Reach specifically for small and medium-sized utilities. When a ransomware message popped up on the screen, engineers often didn’t know how to respond. If they called the plant manager, often they weren’t sure what to do either. In a worse-case scenario, they might ignore it and hope it goes away.
Knowing who to contact internally wasn’t the only issue. We also found that when equipment was targeted, staff were often scrambling for the right contact information for the manufacturer and didn’t have the necessary information about backups and restoring the system.
Time and preparation are important in incident response. If people have not prepared for the complexity of an incident, then response and recovery can be disorganized, ineffective, and take longer than it would have taken with a well-thought-out incident response plan.
Drills can help identify the gaps so they can be addressed proactively without the stress of an active incident. If we can show people how to prepare to respond, they will be ready when the worst happens.
What common vulnerabilities do you see in the water industry?
Lack of logs in the OT environment. It is one of the first things we request when we are brought in to help a utility respond and often organizations don’t have logging enabled.
Logs let us see how an attacker got in and take a forensic approach to identify how the incident was carried out. Without logs, we might be able to recover from this attack, but we won’t be able to see how they got in and fix the vulnerability - meaning the same issue can be exploited again. With the right alerts in place, logs can also help detect when someone is trying to compromise you before an attack happens.
Assumptions about systems being “air-gapped” are also a challenge. We often hear organizations say their critical systems are “air-gapped” – physically isolated from the internet – but few are. To make matters worse, many OT devices use default passwords – the combination of internet exposure and default passwords offer an easy target.
During the pandemic, many organizations opened remote access to their plants. Some big companies took steps to secure that remote access, but many didn’t. If anyone remotely accesses your plant, you’re touching the internet, so you must evaluate your exposure. For instance, do you use a VPN and multi-factor authentication? Do you know how to ensure your remote access solution is configured securely? Do you patch your secure remote access components?
Some water utilities have good remote access controls, that only allow access for specific users, such as service providers, during a set time window. They also periodically audit remote access to ensure it was legitimate. Simple measures like this can be extremely effective.
How can utilities learn more about threats and how to mitigate them?
We recognize that many organizations don’t have the money or the expertise to stay on top of ever-changing threats, but water utilities don’t have to figure this out on their own.
The recently launched Dragos Community Defense Program (CDP) helps small utilities build an effective cyber defense. Providing free access to the Dragos Platform, threat hunting, and education, it gives utilities with under $100 million in annual revenue the foundation to reduce OT cyber risk.
We also need to share information proactively. For instance, Neighborhood Keeper allows anyone running the Dragos platform to anonymously share data and see trends identified in a sector or geographic area. All CDP participants are automatically enrolled into Neighborhood Keeper.
In addition, Dragos OT-CERT is free for utilities and water operators to join. It offers access to resources for building cybersecurity in industrial environments including an incident response plan toolkit, OT logging toolkits, an OT backups toolkit, and a secure remote access toolkit - all developed specifically for small and medium organizations without OT security expertise.
Ransomware tabletop exercises like the one we conducted at Xylem Reach are also useful. The free OT-CERT OT Ransomware Tabletop Exercise Toolkit helps everyone to prepare for the shared challenge in a calm, supportive atmosphere.
In summary, water utilities must understand that they are potential targets of cyberattacks regardless of their size, and they have a responsibility to their customers to take action to protect their water supply from disruption. The good news is that there are free resources available, eliminating the biggest hurdle most utilities face: lack of finances.