Asvisory of the Day
NATIONAL: DOES OUR WATER NEED BETTER CYBER SECURITY?
This story is brought to you in part by Seaveyors
When musing about cyber terrorism and hacktivism, the first things that come to mind may be election rigging, payment data theft, or identity manipulation. It's odd to think of water resources and internet security having much to do with one another but in these times, it is prudent to.
Security researchers at Georgia Tech's School of Electrical and Computer Engineering have been doing just that, recently creating ransomware,a malicious software designed to block access to a computer system until a sum of money is paid, to simulate an attack on a water treatment facility.
David Fromby, a PHD student and his academic advisor, Dr. Raheem Beyah, built a model of a water treatment plant complete with pipes, pumps and programmable logic controllers (PLC), which are industrial automation controls used for monitoring and controlling input and output.
Using ransomware they wrote, they were able to hack these PLCs, which are commonly used for many manufacturing and industrial purposes. According to Fromby, in the wrong hands, the results could be dire.
"We illustrated what an attacker could do if they knew more and had actual experience with control components. They could drain the water supply while blinding operators to current water levels, or if people don't pay (the ransom), attackers could poison the water system by dumping large amounts of chlorine into it," Fromby said.
In a Verizon report in 2016, they detailed a worrisome incident in which one of their clients, a large municipal water utility facility with over 2.5 million customers, was subject to a security breach.
The company, which Verizon has kept anonymous, referring to them as the Kemuri Water Company (KWC) had asked Verizon to do a pro-active screen of their systems to test for vulnerabilities. Suffice to say, they were quite shocked to discover that their less-than-ideal security architecture had resulted in them being infiltrated.
As is common with many older, enterprise-sized industrial firms, they were using legacy technology, in this case an IBM AS400 system, which was connected for efficiency's sake to both their information technology, or IT systems (billing, customer info, corporate functionality etc.) and their operational technology, or OT systems (distribution, control and metering of the regional water supply).
Through an internet payment application, hackers were able to find their way into KWCs OT systems. This resulted in them manipulating the PLCs that managed the amount of chemicals used to treat the water, and the ones that manage the water distribution system.
Thankfully these were being monitored and employees were able to react quickly enough so that adverse reactions didn't occur to their customer base.
Fromby said that it's all about, "Knowing what's on the network, knowing what's connected to the internet and making sure none of your control systems are connected on the internet," going on to add, "It can be done properly and securely but in most cases organisations do it with efficiency in mind without having someone with a security background making sure that everything makes sense."
Using Shodan, a tool for finding internet connected devices, Fromby and his advisor, Beyah, were able to find over 1400 similar model PLCs that were accessible via the internet.
Beyah suggested that, "It is absolutely critical to monitor the process control network. Traditionally we've been focused on the IT network but with OT you have to monitor it as well."
According to representatives from Toronto Water, "Toronto Water facilities employ a number of Cyber Security safeguards to protect its interests, including physical security and a multi-layered strategy of firewall(s) protection across its Corporate and Toronto Water network architecture."
It is feasible enough for a large scale water utility company to spend the money required to safeguard its operations but when it comes to small town ones who face budget cuts and have to tighten the purse strings, it can be difficult to implement a security strategy for both IT and OT systems.
As ransomware is becoming more prevalent however, they're not going to have a choice for long.
A to Z
For articles published before 2017, please email or call us
|Have a question? Give us a call 613-501-0175 |
All rights reserved 2020 - WATERTODAY - This material may not be reproduced in whole or in part and may not be distributed,
publicly performed, proxy cached or otherwise used, except with express permission.