The threat of cyber-attacks to the water industry, as with many other major sectors within the UK economy, is increasing at an alarming rate. The good news is that there are ways to protect against malicious attacks, as Mark Cleary of the TES Cybersafe Division explains. (This article was also featured on WWT Online)
Cyber security is the protection of IT and industrial control systems from attack by hostile individuals or groups. Cyber attackers can be motivated by theft, or disruption of service with the aim of extortion, but they can also be linked to terrorism, industrial espionage or hostile state action.
Critical National Infrastructure (CNI), such as the water industry, is becoming a more attractive prospect for hackers to attack. It is therefore crucial that organisations put measures in place, such as those outlined in this article, to combat this threat.
5 TOP TIPS

- Embrace Connectivity

Contrary to previous belief in the water industry, where the security of industrial control systems (ICS) relied heavily on physically separate, or ‘air gapped’, networks, it is now commonly accepted that a connected network has more advantages than disadvantages. It quite simply is not enough to rely on company policy to enforce an air gapped system, and the resources required to adequately police the air gap could be better used embracing connectivity, which is much more easily monitored and offers greater benefits. With the large geographical spread of a typical water network, being able to manage network security centrally not only saves money but, crucially, allows reaction times to be drastically improved.

With a mix of different departments, site operators and sub-contractors requiring connectivity on multiple sites, monitoring all network activity is a mammoth task. The good news is that there are solutions available to help you detect and identify suspicious activity early, create secure links between sites and stop attacks in their infancy before any damage is caused.

- Go Phishing

The use of phishing campaigns to gain network access or spread malware is growing; a recent study estimated that approximately 91% of successful data breaches are started with a spear-phishing attack (where hackers send an e-mail appearing to be from a trusted source). Whilst the industry may not always be the intended target, it is possible that ransomware campaigns could bring down some ICS systems.

It is vital that staff are trained how to spot a phishing attempt and understand the potential impact their actions could have on the organisation. There are many solutions available now that allow you to simulate phishing campaigns by sending out suspect emails, monitor employee behaviour and provide engaging training to staff who require it. It only takes one person to compromise your entire network; providing regular training to keep security strong must be a priority.

- Think like an attacker

One of the biggest problems facing the security of ICS networks is that we are all too busy with our daily duties to stay on top of the constantly changing profile of our networks. Change often happens with little regard for security.

By taking a step back and looking at the network through the eyes of an attacker you can sometimes spot very obvious flaws in your security. An exercise as simple as standing outside a site and using a free app on your phone could show wireless devices in range that could be targeted by attackers. Carrying out deceptions on staff to get hold of information (social engineering) is also a commonly exploited route used in an attack, and is relatively easy to test.

You can have professional ICS penetration tests conducted to build a better picture of how your site could be exploited by an attacker. With their experience, the testers will have expert knowledge of the tools commonly used by attackers and which actors pose the greatest threat, and can guide you on where to focus your security efforts. Not only will penetration testing allow you to harden your site against an attack, it will also allow you to assess the possible outcomes of an attack taking place. This allows planning on how to get the plant up and running quickly in the event of an incident.

- Deploy an Intrusion Detection System
There are many products on the market now that monitor your network for suspicious activity. An ICS network will have different types of traffic and activity that you won’t find on a normal IT network. It’s commonplace to find critical ICS hardware, which wasn’t designed with network security in mind, connected to a network. In some cases, even the slightest level of network discovery probing by an IDS device could take critical plant offline. Knowledge of the ICS environment is critical for a successful deployment.

Done right, an IDS can be an excellent tool for managing the entire network. Suspicious activity may not necessarily be a sign of an attack; in some cases it can actually be a good indicator of plant failure. Detecting a threat early helps minimise the disruption caused.

- Be aware

Threats are constantly changing. Not only do we need to keep abreast of current threats facing the ICS sector, but also the IT sector, as most of the same problems still apply. To keep up to date in the UK there are many great platforms freely available. CISP (Cyber Security Information Sharing Partnership), run by the NCSC (National Cyber Security Centre), is an example of one such platform. CISP is like a social network for security: it is not exclusive to security professionals and all UK businesses can make use of the service. If there is a cyber security threat affecting the UK, you will find it mentioned in CISP. The platform provides easy access to security experts from various business sectors and should be closely monitored.

Other sources worth keeping an eye on are CVE databases (Common Vulnerabilities and Exposures). These sites are set up to inform you about what known vulnerabilities exist and should be used as a reference point when selecting new kit.

As a word of caution, it’s worth remembering that just because a particular product has no known vulnerabilities, that doesn’t mean it’s safer than other products or immune to attack. More commonly used products tend to have more vulnerabilities listed, as there is a bigger draw for an attacker to target them. It may be that a product you are considering isn’t widely used and may never be scrutinised to the same level as the bigger names.
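As an added illustration of the fourth tip (this is example code, not from the article or TES), the following passive monitor learns which ICS conversations are normal from a clean window and then flags deviations, including a device that stops replying, which is reported as a possible plant fault rather than an attack. Host addresses, the Modbus-style records and the traffic itself are constructed for the example.

```python
"""Passive baseline-and-deviation monitoring for an ICS network segment.

Added example, not from the article. Records are constructed and stand
for passively observed Modbus/TCP requests as tuples of
(timestamp_s, src, dst, function_code, reply_seen). Nothing is sent on
the wire, so fragile plant equipment is never probed.
"""
from collections import Counter

WRITE_FCS = {5, 6, 15, 16}  # Modbus state-changing function codes

# Clean learning window (constructed): HMI 10.0.1.10 reads registers
# (FC 3) from two PLCs; workstation 10.0.1.50 is the only host that writes.
BASELINE = [
    (0, "10.0.1.10", "10.0.2.20", 3, True),
    (0, "10.0.1.10", "10.0.2.21", 3, True),
    (15, "10.0.1.50", "10.0.2.20", 16, True),
]

# Live traffic (constructed) containing three kinds of deviation.
LIVE = [
    (100, "10.0.1.10", "10.0.2.20", 3, True),
    (100, "10.0.1.10", "10.0.2.21", 3, True),
    (105, "10.0.1.99", "10.0.2.20", 3, True),   # host never seen before
    (107, "10.0.1.10", "10.0.2.21", 16, True),  # HMI never wrote in baseline
    (110, "10.0.1.10", "10.0.2.20", 3, False),  # PLC .20 gives no reply
    (110, "10.0.1.10", "10.0.2.21", 3, True),
    (120, "10.0.1.10", "10.0.2.20", 3, False),  # second missed reply
    (120, "10.0.1.10", "10.0.2.21", 3, True),
]

def learn_baseline(records):
    """Allowlist of (src, dst, fc) conversations seen in a known-good window."""
    return {(src, dst, fc) for _, src, dst, fc, _ in records}

def detect(records, allowed, max_silent=2):
    """Return (ts, kind, src, dst, fc) alerts; a device that misses
    max_silent consecutive replies is flagged as a possible plant fault,
    not an attack, since failing kit also looks 'suspicious'."""
    alerts, missed = [], Counter()
    for ts, src, dst, fc, replied in records:
        if (src, dst, fc) not in allowed:
            kind = "unexpected write" if fc in WRITE_FCS else "unknown conversation"
            alerts.append((ts, kind, src, dst, fc))
        missed[dst] = 0 if replied else missed[dst] + 1
        if missed[dst] == max_silent:
            alerts.append((ts, "device silent (possible plant fault)", src, dst, fc))
    return alerts
```

Running `detect(LIVE, learn_baseline(BASELINE))` yields three alerts: the unknown host, the write from the HMI, and the silent PLC.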