Article

3 Security Strategies for Municipal Utilities and Critical Infrastructure

By Rex Johnson

On February 5, 2021, an attacker compromised a water plant in Florida. They attempted to poison the water supply by changing the level of sodium hydroxide (or lye) in the water to more than 100 times the normal amount. The change was immediately detected by a plant operator, who changed the levels back before the attack had any impact on the system.

Unfortunately, these attacks are not unique. On April 24, 2020, an attack was made on an Israeli water distribution system from an external state-sponsored organization. In 2019, the cleaning and disinfecting procedures of the Post Rock Rural Water District in Ellsworth, Kansas, were shut down remotely by a former employee. Both these incidents involved tampering with the public drinking water system and endangering the health of entire communities.

Unsecured systems invite unnecessary risk

Depending on the threat actor, there may be a variety of motivations for these malicious efforts. In one example, a water utility CIO asked active defense solution provider LMNTRIX to investigate the actions of a disgruntled high-level IT team member. The CIO had no hard evidence of wrongdoing, just a suspicion. The LMNTRIX team pulled information from the environment and was able to collect evidence of backdoor accounts the employee created that would allow him (or other malicious users) the ability to tamper with the water system. This activity would not have been detected otherwise, and the results of the investigation lead to closing these backdoors and eventually terminating the employee.

The good thing about these incidents is that they were stopped before human health and safety were compromised. Still, they are urgent reminders of the harm that could be brought to citizens through unsecured critical infrastructure systems on which communities rely.

We live in a world in which we can be connected at all times. We have instant access to our banking information and music playlists and the ability to talk to almost anyone from anywhere on the planet. If we need information, we can just jump on Google and find answers. Sometimes even the correct answers. And the pandemic has only heightened our reliance on remote work and a digital economy.

Interconnectivity increases vulnerability

It is easy to think that hackers will spend their efforts on energy and ignore local water utilities. But the hacks above indicate this is not the case. According to a March article in Government Technology, water utilities should take a serious look at their investments into cybersecurity. The article points out that as smart water meters are rolling out, they will expose systems to the internet. Some of the legacy systems that are still in place were never intended to be online. These systems cannot just be phased out, and a retrofit of new technology can open doors for cyber-attacks.

Public and private sector organizations have begun to take the mission of cybersecurity more seriously over the past few years. In 2018, the federal government founded the Cybersecurity & Infrastructure Security Agency (CISA) as a standalone federal agency under the Department of Homeland Security (DHS). CISA is the nation’s risk advisory body, responsible for coordinating with key federal, private, and specific sector agencies to build more secure infrastructure against cyber threats.

Resources for municipal and county utilities

Water utilities and other critical local utilities will continue to be targets for threat actors, whether from inside or outside an organization. CISA recognizes this and offers assistance to state and local agencies. Efforts include such programs as the State and Interoperability Markers system, helping states and territories self-assess gaps in both strategic and financial cyber planning. Information and other services are available on the website Cyber Resource Hub.

There is also about $25 million in new federal grant funding to support cybersecurity efforts in state and local agencies. Last February, the Homeland Security Secretary stated that state and local governments under the Federal Emergency Management Agency will be required to spend at least 7.5% of their awards on cybersecurity, saying “Our nation’s cybersecurity is only as strong as our weakest link.”

Protecting infrastructure and citizens

Here are three practical steps municipal utilities and critical infrastructure organizations can take:

  • Conduct periodic risk assessments: A regular check-in will help you understand your current cybersecurity maturity. Consider a rotating schedule for the annual risk analysis. This means having a different type of assessment every year. For example, one year could be focused on policies and procedures, making sure you are still current and address present and active threats. The next year could be a review of the technical infrastructure, including a network penetration test or, in the case of sensitive industrial control systems, a more specialized review. And finally, the third year could be a test of business continuity or incident response plans, such as a simulated attack. Rotating the risk assessment plan allows for a broader evaluation within a realistic budget.
  • Build a security awareness program: An effective security awareness program includes an annual training event with meaningful messaging throughout the year, usually in the form of bulletins, newsletters, or other forms of internal communications. This will help heighten awareness of suspicious activities by internal employees and address threats before they happen.
  • Find a managed detection and response (MDR) provider: One of the most effective things organizations can do is find a partner to help them track and prevent malicious actors from causing harm. Unless you are able to monitor everything in your environment and detect false positives, it is extremely difficult to do this with internal solutions. Effective MDR services include:

The threat-detection capabilities of traditional managed security service providers (MSSPs) are limited to monitoring logs and identifying known threats with a focus on preventing intruders from entering the network. But once a threat actor penetrates the network perimeter, ongoing malicious activities can go completely undetected, taking months to detect and then respond to a breach. 

The increasingly interconnected nature of our world will continue to create vulnerabilities – and our local water utilities and other local state-wide infrastructure will continue to be at risk. Cybersecurity finally has the attention of our nation at the highest levels. The Biden administration has nominated someone to serve as the first national cyber director and supports the CISA mission.

This new focus on cybersecurity opens the door for municipal utilities and other critical infrastructure to improve their cybersecurity programs and protect the health of their consumers/citizens. Just one human being poisoned by tainted water is too many. Contact me to discuss how CAI can help your organization select the right partner to help you on your cybersecurity journey.

headshot of rex johnson

Rex Johnson

Director, Solution Delivery, CAI

If you would like to chat with Rex about how to implement these strategies today, fill out the form below.

Follow us: