By David Schultz | 14 March 2017
Water utilities face unique cybersecurity threats and federal officials who work on both environmental protection and law enforcement are urging the utilities to assess their vulnerabilities in this area.
This will become a greater issue in the future, federal officials said, as more water systems try to cut costs by moving toward full automation.
The EPA has been collaborating with the Department of Homeland Security to develop new training materials that are tailored specifically to the water industry, especially to small systems that serve rural communities. David Travers, director of the Environmental Protection Agency’s water security division, said much of the existing cybersecurity training is broadly geared toward all utilities.
“A lot of this stuff is completely impenetrable to people in our sector,” he said at a March 13 conference of state drinking water administrators.
Helen Jackson is with the DHS Office of Cybersecurity and Communications. She said she mainly works on the “pre-boom” issues of assessing risks and preventing incidents, rather than the “post-boom” tasks of detecting breaches or recovering compromised infrastructure.
Jackson said the cyberthreats to water utilities can come in a number of different forms: there’s ransomware, in which hackers demand compensation to relinquish control of equipment they have hijacked, or insider threats, which involve a system being compromised by someone who was granted access by the utility. Jackson cited a 2016 IBM survey that found insider threats constitute 60% of all corporate cybersecurity incidents.
Then there are the threats to a utility’s equipment posed by the equipment itself. Jackson said, as supply chains become more complicated, “it’s difficult to really understand the companies and products you’re purchasing.”
Travers said this is something utilities need to keep a close eye on, especially since the move to automation means some water treatment facilities are now no longer staffed around the clock.
“We’ve become increasingly vulnerable,” he said. “As we rely on a fully automated system, I think there’s a certain degree of expertise that’s lost. … Now you have operators who may not know how to run the system” during an outage.
The Raven Group is a Corporate Counterintelligence consulting firm that helps companies protect their data, systems, trade secrets, intellectual property (IP), employees, and reputation. Raven’s consultants of former CIA Intelligence Officer and Federal Law Enforcement Special Agents have spent a lifetime protecting our nation from threats of every kind and are second to none. Let us bring that expertise to your company.
Raven’s defensive intelligence services are un surpassed. The best defense is a good offense!