American Water, the largest US water utility, was targeted by a cyber attack on October 3. The attack, which affected the quality and distribution of water to citizens, is part of a long list of similar water cybersecurity incidents in the US. The FBI, CISA, and international partners released a new document outlining the security principles of operational technology (OT) to address the situation.
OT Security Principles Are Issued by the FBI, CISA, and International Partners
The CISA-FBI Principles of Operational Technology Cybersecurity document, co-signed by cybersecurity agencies around the world, provides guidelines for creating and maintaining a secure OT environment in critical infrastructure. Tom Marsland, VP of Technology at Cloud Range, discusses the release.
Marsland, the ‘Attack Master’ at Cloud Range, is a pioneer in creating and deploying cyber-attacks for live-fire incident response training. He suggests that water providers should consider technologies that provide visibility into OT and IT systems, but argues that closer communication between IT and OT teams, and traditional cybersecurity training for OT teams, matter more.
IT teams often lack understanding of OT systems and of how to secure critical infrastructure components. Shortages of budget, resources, and skilled workers, along with cost pressures, are affecting water security in the country. As teams are spread thin, they may choose convenient shortcuts, like interconnecting systems, to make their jobs and lives easier.
Cybersecurity involves conducting drills and simulations to prepare for potential threats. Companies should have an incident response plan for their OT/ICS systems, and security teams at water plants must practice running the plan under different simulated scenarios. If live production environments are unavailable, using a tool like a cyber range can be crucial for simulated responses.
Outdated and Legacy OT-IT: A Mitigation Strategy
The water industry is facing numerous risks due to outdated technology and outdated operational technology (OT). According to EPA inspections, more than 70% of water systems have several vulnerabilities and are insecure. The EPA also warned that outdated IT systems connected to OT environments pose a significant opening for nation-state actors.
Marsland emphasized that legacy systems are not the threat in themselves but rather require segmentation and other defenses to safeguard them. He suggested that operators should take a similar approach to other OT systems, as many are built with firmware that makes updates difficult or impossible.
Fortra’s AVP of Research and Development, Bob Erdman, warns that operational technology (OT) systems are long-lived and can operate for years without major changes. To protect them, he recommends isolating the OT network, pushing only necessary data and telemetry out of it, and never allowing outside systems to connect into the OT environment.
The Old Network Segmentation Problem
Cyberattacks often involve attackers breaching IT systems and moving across an open network to access OT resources. Network segmentation can help, but many companies fail to do so due to growing interconnections in OT systems, such as utility providers sharing information for load balancing, making it increasingly difficult to maintain these systems isolated.
Erdman from Fortra emphasized that convenience and ease of use are major drivers of interconnections, as faster access, work from anywhere, and convenient access require more openness than is prudent for critical systems with life and health implications.
Seth Geftic, Vice President of Product Marketing at Huntress Labs, warns that without proper segmentation, malicious actors could infiltrate IT systems and use them as backdoors into OT networks, posing a threat to critical infrastructure. Geftic suggests that businesses should focus on internal segmentation of OT infrastructure rather than treating OT as a single undifferentiated zone.
Cloud Range’s Marsland suggests companies can mitigate attacks by segmenting networks and controlling access, ensuring network visibility and monitoring of software and firmware, and developing an ICS-specific incident response plan. This involves identifying the right team, establishing procedures, and conducting regular drills and exercises on restoring compromised systems, as OT systems behave differently from traditional IT systems.
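The isolation rule Erdman describes (only telemetry leaves OT, nothing connects in) and the segmentation advice in this section can be checked mechanically against a zone-based firewall policy. The following is an added example, not code from the article or from any of the vendors quoted; the zone names, rule format, approved telemetry ports and both sample policies are constructed for illustration.

```python
"""Audit a zone-to-zone firewall policy against the OT isolation principle:
nothing may enter the OT zone from another zone, and only approved telemetry
may leave it. Rule format and sample values are constructed (assumptions)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str     # source zone, e.g. "IT", "OT", "DMZ"; "any" is a wildcard
    dst: str     # destination zone
    proto: str   # "tcp", "udp" or "any"
    port: int    # destination port; 0 means all ports
    action: str  # "allow" or "deny"


# Assumed one-way telemetry flows out of OT: (dst zone, proto, port).
# Here: a historian in a DMZ on TCP/5000 and syslog forwarding on UDP/514.
APPROVED_EGRESS = {("DMZ", "tcp", 5000), ("DMZ", "udp", 514)}


def audit(rules, ot_zone="OT"):
    """Return a list of findings; an empty list means the policy complies."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.dst == ot_zone and r.src != ot_zone:
            findings.append(f"inbound to {ot_zone} from {r.src} on {r.proto}/{r.port}")
        elif r.src == ot_zone and r.dst != ot_zone \
                and (r.dst, r.proto, r.port) not in APPROVED_EGRESS:
            findings.append(f"unapproved egress {ot_zone}->{r.dst} on {r.proto}/{r.port}")
    # Without a trailing catch-all deny, every flow not listed is implicitly open.
    if not rules or rules[-1].action != "deny" or rules[-1].port != 0:
        findings.append("no final deny-all rule")
    return findings


# Constructed "convenience" policy of the kind the article warns about.
CONVENIENCE_POLICY = [
    Rule("OT", "DMZ", "tcp", 5000, "allow"),  # historian feed: approved
    Rule("OT", "DMZ", "udp", 514, "allow"),   # syslog out: approved
    Rule("IT", "OT", "tcp", 3389, "allow"),   # remote desktop into OT: finding
    Rule("OT", "IT", "tcp", 445, "allow"),    # file share OT->IT: finding
]

# Same telemetry, everything else denied.
HARDENED_POLICY = CONVENIENCE_POLICY[:2] + [Rule("any", "any", "any", 0, "deny")]

if __name__ == "__main__":
    for name, policy in (("convenience", CONVENIENCE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit(policy) or "OK")
```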
The Bottom Line
The CISA-FBI’s new OT cybersecurity document is a positive step towards security for water providers in the U.S., indicating that not all security measures require costly investments. The document suggests that organizations can secure installations if they have the will, hoping to prevent a potential crisis.