COMMENTARY: Financial Risks of Cyber Incidents and How to Mitigate Them

By Pete Lund

The recent devastating droughts in the U.K. and the U.S. have driven water restrictions in affected regions, making Water and Wastewater facilities’ Operational Technology (OT) and Information Technology (IT) prime targets for cybersecurity attacks as the industry’s role in a safe and healthy society becomes more essential than ever. With the discussions of IT and OT digital convergence and recent government guidelines and executive orders, it is important to understand why and how the Water and Wastewater industries are especially at risk.

The Financial, Safety and Security Risks

Critical infrastructure organizations have three concerns when it comes to cybersecurity and the risk of an attack: first and foremost, the safety of its employees and people it serves, business continuity, and financial consequences. When looking at some of the more recent OT cyberattacks, the financial impact has been exorbitant. For instance, when the IT systems of the Colonial Pipeline were infected with ransomware in 2021, OT operations ceased the delivery of fuel to the East Coast of the U.S. primarily due to lack of visibility into OT. This, along with the nearly $5 million in ransom, caused substantial financial loss and lengthy downtime. Just over a year later, they’re facing additional, costly ramifications as the Pipeline and Hazardous Materials Safety Administration (PHMSA) seeks to implement fines totaling nearly $1 million in OT security regulation violations.

Preventable attacks like this go beyond the public health and safety of the general public; it also may ruin the reputation of the victimized company, tarnish their name, cause the loss of future business opportunities, increase the costs of cybersecurity insurance, and ultimately cost employees their jobs.

So, what does this all mean for the water and wastewater industry?

Most importantly, a cyberattack can have an instantaneous impact on public health and safety. In the 2021 Oldsmar, Florida water treatment facility hack, the threat actor infiltrated the network through insecure remote access software and increased sodium hydroxide levels in the water supply in an attempt to poison residents.

Malicious files entering an air-gapped network via a USB drive, infected work-from-home computers, and poor overall network hygiene are only some of the points of intrusion. If cracks are present in a facility’s IT or OT infrastructure, cyber criminals will find and exploit them. Outside of causing direct harm to the public, they can damage on-site equipment like pumps and valves or trigger unwanted actions that can lead to environmental disaster.

A disruption to the water supply during a drought can be just as dangerous. Just last month, South Staffordshire PLC in the U.K. was hit with a cyberattack that put the water supply of nearly 2 million at risk. This, unfortunately, will likely not be the last time a water facility is targeted. As the Center on Cyber and Technology Innovation (CCTI) stated in June of this year, the Water Industry is ripe for attack, and the industry as a whole should focus on bolstering IT and OT cybersecurity.

Mitigating Attack Surfaces

Threat actors are looking to hit where it hurts most – the necessary industries that keep the world running smoothly. That is why focused efforts must be made to ensure vulnerabilities in locations like water and wastewater treatment facilities are removed from the equation.

What is needed in order for OT and IT teams to come together in the event of a breach to protect all levels of the business, from the plant floor to the top floor? From managing risk to meeting compliance requirements, it’s important for both sides of the business to understand best practices when it comes to securing IT and OT communications.

In most cases, OT is frequently isolated from IT on air-gapped networks or demilitarized zones (DMZ). However, the air gap can be breached when files or devices are transferred into, across, and out of secure environments, whether it’s to provide updates to SCADA systems, download log files, or more. So, how can the water industry upscale their OT security to prevent such incidents? For starters, deploying physical checkpoints in secured environments to scan portable media is an effective way to ensure no malicious content enters the facility. Leveraging asset discovery and management tools also allow security teams to monitor normal versus abnormal behavior on connected devices and networks. Advanced threat prevention technologies, such as multi-scanning, Deep Content Disarm and Reconstruction (Deep CDR), and Proactive Data Loss Prevention (DLP) are effective ways to mitigate file-borne threats to critical networks.

Humans are also the first line of defense. There is no better solution than awareness; training your workforce on how to keep cybersecurity top-of-mind as they conduct business is the best way to combat threats as they become more prevalent. Adopting appropriate training and investing resources into IT/OT cybersecurity mitigates risks not only to your business and your employees, but also the customers you serve.

At the end of the day, there is no price that can be put on the peace of mind in knowing that your facility can continue to safely serve the people that so inherently rely on you for clean water.

Pete Lund is vice president of products, OT Security, for OPSWAT, a software company focused on infrastructure protection and cybersecurity. He is responsible for developing and executing the growth strategies for OPSWAT’s OT Security business.

Leave a Reply

Your email address will not be published. Required fields are marked *