The Water Crisis That Could Have Been
At the beginning of February, a water treatment plant in Oldsmar, Florida suffered a cyber intrusion that could have spelled disaster. A malicious actor gained remote access to one of the plant’s supervisory control and data acquisition (SCADA) systems, upping the amount of sodium hydroxide in the water to one hundred times its normal level. Luckily, an employee immediately noticed the change, alerted authorities to the behavior, and readjusted the levels back to normal before any harm could reach Oldsmar’s fifteen thousand residents.
Though that quick-acting employee and the water plant’s safety controls helped the city avoid a potentially deadly disaster, the incident sparked widespread discussion about the security (or, more pointedly, insecurity) of our nation’s water and wastewater treatment facilities. From natural disasters to cyberattacks like the one that targeted the Florida plant, utilities must contend with myriad threats to their critical assets. Such dangers are particularly pronounced for smaller utilities, tasked with keeping their SCADA and industrial control systems (ICS) running with just a fraction of the budgets and staffs their larger counterparts enjoy.
Blood in the Water for Utilities?
Though the Oldsmar incident has brought questions of water treatment security to the forefront, such concerns are by no means new. In its landmark 2020 report, for example, the Cyberspace Solarium Commission explicitly warned of vulnerabilities in the water supply’s infrastructure, which includes nearly seventy thousand entities, arguing that “water utilities remain largely ill-prepared to defend their networks from cyber-enabled destruction.”
Just recently, the Commission’s senior advisor and former executive director Mark Montgomery warned that out of America’s handful of “lifeline infrastructures,” water is the least secure. Leading up to the February hack, the water and wastewater sector has suffered from a wide array of cyberattacks, including those that inserted ransomware or allowed perpetrators to tamper with operations.
However, the water sector is not the only utility at risk. A 2017 survey showed that cyber threats were rated the number one fear amongst more than twenty thousand utility operators, and a 2020 study saw a forty-nine percent year-over-year increase in ICS vulnerabilities. It would not be surprising if, with this latest hack front and center, some attackers feel emboldened to try their hand at infiltrating other water or critical utility systems for their own nefarious purposes.
With local governments owning about eighty percent of America’s water systems, opening up more federal grants or low-interest loans to smaller operators may be one solution for helping bolster the security of that particular sector. Such changes at the policy level would undoubtedly help, but there are also concrete, more immediate steps utilities of all stripes can take today to minimize their attack surface.
Protecting Utilities Is an Urgent Priority
The intrusion in Oldsmar’s case came through an internet-connected SCADA device, exposing the risk that keeping such devices online poses for utilities and the communities they serve. In response to the incident, the Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) issued guidance for water and other utilities to help shore up vulnerable systems with secure practices.
One such best practice is hardening operational technology (OT) networks. According to the advisory, “remote connectivity to OT networks and devices [i.e., SCADA systems and ICS] provides a known path that can be exploited by cyber actors.” As such, CISA and the NSA recommend reducing external exposures as much as possible and hardening/disabling any unnecessary features or services.
For utilities that have chosen to partner with Acronis SCS for their data and full asset protection needs, that work is already done. Our hardened full-disk image backup software for federal government and utilities is specifically designed for non-connected environments of a sensitive nature, particularly enclaves or air-gapped networks, even those running legacy architecture or proprietary applications.
To provide assurance to customers that our product is secure, Acronis SCS Cyber Backup 12.5 Hardened Edition has been certified by the Department of Defense Information Network Approved Products List, Common Criteria, and now FIPS 140-2. Its FIPS validation, the newest of the three approvals, demonstrates our solution has undergone rigorous testing and review by government labs and meets extensive requirements for military-grade encryption.
With utilities’ sensitive air-gapped environments in mind, our hardened software never makes outbound connections over the internet back to a home server (or anywhere else, for that matter). This unique zero-connectivity design bucks the software industry’s trend towards connectivity and subscription-based approaches, which often do not adequately align with the utility industry’s cybersecurity needs. Using a hardened solution in an already-hardened environment empowers IT administrators with actionable, real-time intelligence about the integrity of their network. If an attempt at outside communication occurs, administrators know something is amiss right away – and can take appropriate action to thwart any threats immediately.
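The detection idea in the paragraph above, as an added example that is not Acronis SCS code: on a segment with no legitimate internet egress, any flow from an enclave host to an address outside the enclave is an alert, whether or not the firewall blocked it. The log format, CIDR ranges and addresses below are constructed for illustration.

```python
import ipaddress

# Assumption: CIDR ranges that make up the air-gapped enclave (constructed values).
ENCLAVE_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

# Constructed flow records in a hypothetical format: time src dst dport proto action
SAMPLE_LOG = """\
2021-02-05T08:01:12Z 10.20.1.15 10.20.1.2 502 tcp allow
2021-02-05T08:01:40Z 10.20.1.15 192.168.50.7 445 tcp allow
2021-02-05T08:02:03Z 10.20.1.15 203.0.113.44 443 tcp deny
2021-02-05T08:02:09Z 10.20.3.8 198.51.100.9 53 udp deny
garbled line without enough fields
2021-02-05T08:03:00Z 10.20.3.8 not-an-ip 80 tcp deny
2021-02-05T08:03:30Z 10.20.1.15 224.0.0.251 5353 udp allow
"""


def in_enclave(addr):
    return any(addr in net for net in ENCLAVE_NETS)


def find_egress(log_text):
    """Return (alerts, unparsed_line_numbers) for flows leaving the enclave."""
    alerts, unparsed = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 6:
            unparsed.append(lineno)  # surface gaps; a dropped line can hide egress
            continue
        ts, src, dst, dport, proto, action = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            unparsed.append(lineno)
            continue
        if not in_enclave(src_ip):
            continue  # only flows originating inside the enclave are in scope
        if in_enclave(dst_ip) or dst_ip.is_multicast:
            continue  # internal traffic and local-segment multicast are expected
        # A blocked attempt still counts: something inside tried to reach out.
        alerts.append({"line": lineno, "time": ts, "src": src, "dst": dst,
                       "port": port, "proto": proto, "action": action})
    return alerts, unparsed


if __name__ == "__main__":
    alerts, unparsed = find_egress(SAMPLE_LOG)
    for a in alerts:
        print("EGRESS", a)
    print("unparsed lines:", unparsed)
```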
That peace of mind is critical when America’s water, power, communications, and transportation services are on the line. Unlike other backup tools on the market, our hardened solution is designed to provide both data and full critical asset protection, so the SCADA systems that keep our nation’s utilities running can fail over and be seamlessly replicated to bare metal or other systems, if needed. In a crisis situation (should a utility be targeted by ransomware or another attack vector, for example), that functionality is paramount for avoiding potentially devastating downtime.
Such functionality is also helpful as utilities manage their general day-to-day maintenance, including applying patches and security updates to critical systems. These updates, while necessary, can cause systems to reboot or, in extreme cases, crash – a harrowing proposition for utilities responsible for providing critical services to their communities. Acronis SCS Cyber Backup 12.5 Hardened Edition and its ability to quickly spin up full-disk images of assets on bare metal or dissimilar hardware make such worries a thing of the past.
Keeping Utilities Resilient & Running
As the Oldsmar incident made clear, hackers are eager and willing to take advantage of any weaknesses in a utility’s cyber defenses, even if doing so (or perhaps especially if doing so) will cause harm to the American people. Next time a hacker targets one of our nation’s water or energy suppliers, the victim may not be able to skirt disaster so easily. Hardening critical assets and using appropriate tools that provide operational assurance for non-connected environments will ensure America’s utilities can remain resilient and running – no matter what.