
How to Protect Utilities from Cybercrime
Like many public entities, water and wastewater treatment systems are increasingly vulnerable to cybercrime threats. Some public works professionals have learned the hard way about the need for planning and protective measures to keep their systems safe and secure.
In addition to providing a full slate of engineering services, Morrison-Maierle has a technology subsidiary, Morrison-Maierle Systems, which has recently hired Josh Botz, a cybersecurity expert, to assist our clients who own and operate water and wastewater systems with risk assessments that help alleviate potential problems.
We recently sat down with Josh to talk about cybersecurity and different measures you can take to help protect your water or wastewater treatment plant.
MM: Welcome to Morrison-Maierle, Josh. We’re glad you’re part of our team of cybersecurity experts at Systems. If you would tell us a little about your background in the security world.
Josh: Absolutely! I started getting interested in cyber security while I was still in the military. When I transitioned into my civilian career, I started out working as an analyst contracting with the US Intelligence Community. I worked with some brilliant engineers, in unique organizations, and even had the opportunity to work with a Cyber Research and Development (R&D) program that opened my eyes to the extent of the growing cyber risk. What a blessing! While I loved the mission of working in that sector, now that I get to work with smaller organizations, I get to better see the direct impact of my work. It really is wonderful knowing I may have played a role in preventing an attack and keeping a business running smoothly.
MM: What are some best practices that utility system operators should be aware of regarding cybersecurity?
Josh: One of the biggest distinctions for this industry is the use of SCADA/ICS-type systems. Typically, the security of these is not managed the same way a workstation would be, and they require a different approach that is often missed. An astounding number of breaches involve SCADA/ICS compromise. One study found that in 2019 only 11% of organizations dependent on these systems had not experienced a breach. This should be frightening, especially because of the potential for cyber terrorists to use this maliciously against the public. Patching these types of systems is critical, and assuming that they are secure could be dangerous.

MM: If a utility manager needs a risk assessment of their system, how long and involved is this process and what can they expect?
Josh: I hate to say this, but it really does depend on the specific organization. You can expect an engagement to last at least a week or more and it will require you to have information and resources prepared for the assessor. They will want to learn everything they can about your risk profile in a short amount of time, so be prepared to field a lot of questions. Ask for a preparation checklist well in advance to keep things running smoothly and reduce the impact on your staff during the assessment.
Here are the biggest factors that affect the intensity (i.e. cost) of a risk assessment:
- Scope of the assessment.
Note that the size of the organization is not necessarily the same thing. It sometimes can be better to start with an assessment of one part of a network before moving on so that the workload and cost of remediation are manageable.
- Current baseline security.
If an organization is just starting its cyber security program, then an initial assessment could take much longer as there are a lot of basic controls that need to be established. This is not difficult but it is time-consuming. A solid baseline opens doors to work on more advanced security implementations such as zero-trust architecture, which should be the goal of every organization.
- Level of preparedness for an incident.
A risk assessment also includes a review of how prepared an organization is to respond to events like ransomware, data breaches, and recovery processes. This is often neglected by organizations, especially putting the plans into practice by holding annual tabletop exercises to test them, but the industry is getting better as insurance companies are requiring evidence of this more and more. Having an incident response plan (IR) and a disaster recovery and business continuity plan (BC/DR) is critical because there is no such thing as perfect cyber security. Additionally, I’ve found that organizations that take the time to develop these well usually have much better security because the leadership is demonstrating an intentional approach. It also develops awareness across the whole organization.
MM: We know that part of good cybersecurity hygiene is providing knowledge sessions for onsite staff. What do you recommend as far as training is concerned?
Josh: Cybersecurity really does start at the individual level and is independent of rank or role. There are two types of training that if implemented would keep staff well informed and reduce overall risk.
- Recurring cyber awareness training.
Even though this can seem tedious to staff, it keeps security top of mind. The topics for this should be simple and cover the most common events your staff are likely to face such as recognizing phishing attempts, social engineering, and reviewing the processes for reporting suspicious activity. You can start to build a culture of security with basic quarterly training that doesn’t need to be more than 15 minutes.
- Tailored security training.
This is certainly more time intensive and a larger investment if you don’t have in-house expertise but can have a greater impact. These can involve mock scenarios involving threats that are relevant to your industry or reviewing examples of other breaches in the industry and conversations about how you would have responded. Get your team comfortable thinking about security beyond the surface level and they will be able to recognize more advanced threats that are beyond what technical security controls can provide. Depending on the organization, I would recommend doing this once or twice a year.
MM: Is it possible to incorporate cybersecurity practices at water system plants with other municipal entities? If so, how is that usually handled?
Josh: Excellent question! The best approach to this is to adopt practices from vendor management. Even though you might not be partnering with a traditional vendor, your organization should have a process for assessing the security of other entities. A tactic that hackers use is to compromise smaller companies that don’t have the expertise or budget for cyber security and use that to gain access to bigger fish. Just because you are a cyber security pro does not mean that you aren’t at risk! I see this type of attack frequently and it can be very difficult to recognize because an attacker can take their time to learn how to mimic your vendor and pose as them using legitimate email addresses and points of contact.
Beyond vetting vendors, the best ways to prevent this are to have tailored training for a vendor-related incident and to adopt a zero-trust architecture. You can help your partners by talking about cyber security with them and collaborating on the security controls between your organizations.
MM: We know cybersecurity is constantly evolving. What are some current trends or threats we should be aware of?
Josh: Wow, that is a difficult question to answer. Hackers are extremely adaptable and can change their tactics and techniques on the spot. If they find a door is locked then there are hundreds more that they can try and now we are facing not just individual hackers, but whole teams of well-funded cyber criminals working in concert. You can even hire these teams yourself on the dark web! An example is Ransomware as a Service (RaaS) – they have call centers and everything set up to serve your criminal needs.
MM: What are some cybersecurity issues that are increasingly on your radar?
Josh: Cybersecurity is constantly moving and changing but here are three areas that have my attention:
- Increased insider threats.
Disgruntled employees find out there is potential profit from damaging their employer and become an incredibly dangerous threat. This is difficult to prevent, and it doesn’t even need to be intentional or malicious; it can take the form of advanced phishing and your employee just trying to be helpful.
- Budgetary limitations and expertise.
It can be difficult to recognize the operational value of a cybersecurity program because if it is doing its job then you won’t hear about it often. This can cause leadership to question the cost even though the goal is to prevent the expense associated with a breach, which often puts companies out of business. It is also difficult to even find security professionals as there is a huge shortage in the field. Current estimations show that more than 40% of cybersecurity positions are unfilled. We are struggling to keep up with current threats, and there is something newly discovered every day.
- Mass compromise.
One day I am going to wake up and every company I work with will be compromised. As an example, there was a critical vulnerability discovered a couple of years ago called Apache Log4j that had a nearly universal impact. This was frightening of course, but I believe something much worse is coming. The security community is responsible for doing everything it can to prepare, but our ability to respond will be tested much more than our ability to defend. Preparing for recovery is non-negotiable.

MM: Is there anything else you would like to add about cybersecurity?
Josh: My answer to your last question was a bit “doom and gloom” so let me also share what keeps me up at night with excitement and curiosity:
- Emerging technologies like quantum computing, artificial intelligence, and virtual/augmented reality.
It is hard to predict how these will impact cyber security! We have theories but hackers and defenders are still exploring the possibilities. I work more and more with tools that use machine learning and the capabilities are impressive. There will be behemoth threats resulting from these technologies too, but new defenses will develop alongside them.
- Adoption of cloud technologies.
The flexibility offered through the cloud and the options available for disaster recovery are amazing. Software companies are already on board with this and managing their platforms in the cloud, but other companies can be hesitant because of sticker shock on the cost. There are very justifiable reasons for the cost which I won’t cover now, but I fully expect 90% of my clients’ infrastructure to be cloud-based within 5-10 years. Currently, it’s less than 10%. The question I ask myself is “Who is better at cyber security: Josh Botz or Amazon, Google, and Microsoft?” I want a cloud provider on my team.
- Individual cybersecurity.
People are becoming more aware of the threats they are exposed to and are recognizing that the inconvenience of security controls like MFA and using a password manager is worth the time and effort. I bug my family about this all the time because I don’t want to see them get compromised. Excellent personal cyber security hygiene on a mass scale would do a tremendous amount for the security community in general and really frustrate the bad guys. I spend a lot of time thinking about how to get people interested in their own security. It would bother you if you couldn’t remember if you locked your car. It should really bother you if you haven’t locked down your digital presence.
Your Next Steps?
As we’ve stated before, each utility is unique and has specific demands when it comes to cybersecurity. Wherever you are on your journey, it’s never too late to start with this information, make a list of your questions, and then reach out to us for assistance or more information. Our door is always open.