Do OT Cybersecurity and Water Mix?
Written By: Bill Medcalf
My day job revolves around all things OT, network infrastructure, security, and even data analytics. For many years, my off time was spent as a volunteer with the local Fire Department. As you might imagine, learning how to protect the lives and safety of the citizens who live within the fire district required a lot of diverse training. One of the topics we trained on regularly was how to deal with a mass-casualty event.
I recently read an article that used the term “mass casualty”: an event in which the number of casualties, arriving in a short period of time, vastly exceeds the resources and capabilities of the local healthcare system and overwhelms it. The term was used to describe what the outcome could have looked like had a recent cyberattack succeeded. The article was about a water system that had been targeted; review of the incident showed the attackers were working to raise the chlorine levels in the water supplied to residential areas. Fortunately, the facility had taken measures to guard against cyberattacks and stopped the attack before any real damage could occur. Had it succeeded, many people would have been at risk of getting sick or worse. Fun fact: in the U.S., there are approximately 70,000 water and wastewater utilities, many of which are small and may have minimal cybersecurity expertise among staff. Reading the term “mass casualty” made me rethink how I think about the potential consequences and scale of a cyber event.
In an article by E-International Relations, author Sam Powers notes that Al-Qaeda “members have been tracked seeking information on SCADA systems in the US including wastewater and water supply facilities.” (1) In the midst of the COVID-19 pandemic, the Vice President and CISO of United Airlines also “warned companies against compromising on cybersecurity,” reminding people that there is “no question that cyber criminals were taking advantage of the crisis and that industry data showed threat activity had increased by as much as 1000%.” (2)
Best practices tell us that cybersecurity is dynamic: we should regularly review our risks and our current cyber posture. The NIST Cybersecurity Framework says the first step in protecting a facility from cyber threats is to identify the “crown jewels” of the business (the assets and systems critical to operations). Once these have been identified, the remaining functions of an effective cybersecurity plan are protect, detect, respond, and recover. The threat landscape is continually evolving, so to keep our security measures adequate and current we must re-evaluate risks and vulnerabilities often; that information drives the right decisions when we evaluate our protect and detect strategies. With due diligence and planning, we should be able to greatly reduce the likelihood of a cyber event causing a mass-casualty event in our community.
I hope that sharing my new thought-trigger will inspire you to re-evaluate and strengthen your cyber posture.