Charting the Cyber Risk Landscape for Water Facilities

Adversaries in cyberspace have the resources to outrun most IT and OT security teams, especially in tight-budget water and wastewater system (WSS) sector facilities.

One reason for this is that IT security for water systems mainly comes in the form of firewalls and VPN technology meant to secure the network perimeter, and virus scanners meant to protect end devices. These are ineffective against exploits of unknown vulnerabilities on those same firewalls through techniques such as sophisticated spear phishing campaigns and living-off-the-land (LOTL) attacks. No virus scanner or classic firewall will recognize these because the attacks look natural and legitimate to them.

Rethinking Cybersecurity Approaches

Given where water system security stands, it is especially critical to heed the February 2024 warning from the Cybersecurity & Infrastructure Security Agency (CISA), NSA, and FBI that “state sponsored adversaries compromise and maintain persistent access to U.S. critical infrastructure” – primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors. In its advisory, CISA focuses on key Advanced Persistent Threats (APTs), observing that their “choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations…. [they] are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions.”

From this viewpoint, it is logical to conclude that keeping adversaries out of your networks using classic cybersecurity approaches is difficult or even impossible. So, what can water facilities and their security teams do to prevent disruption when the attacker may already be pre-positioned on the network?

The answer is, you need eyes and ears in your OT networks – network security monitoring – to detect any activity that shouldn’t be there, anything that may signal the presence of an undetected threat. This is what is known in cybersecurity terms as “defense-in-depth,” a multi-layer security architecture that provides you with a second line of defense.

Network Security Monitoring – Key to Risk Mitigation

In another advisory titled “Ongoing Cyber Threats to U.S. Water and Wastewater Systems”, CISA lists network monitoring as a key mitigating measure. This monitoring enables security staff to detect communication patterns and activities that are unusual for their networks – activities that can be detected even if adversaries deploy LOTL techniques. Such activities might include:

1. New connections of a host within the OT network, from IT to OT, and to external sources
2. Unfamiliar requests from hosts
3. Unfamiliar data transfers, especially to external proxies
4. Unexpected change of functions and parameters
5. Access (attempts) to OT systems by unauthorized (i.e. new, unknown) hosts
6. Unsuccessful login attempts as a result of password spraying activities
7. Access of industrial control systems at unusual times, which may indicate that a legitimate user’s credentials have been compromised
8. Unexplained SCADA system restarts

Landis+Gyr security arm Rhebo provides utilities with powerful OT monitoring and an integrated network intrusion detection system (NIDS) specifically designed for utility operations technology. The proven monitoring with anomaly detection gives operators and security managers:

1. Full visibility on all OT assets and communications
2. Immediate detection of known vulnerabilities
3. Real-time notification of suspicious activities and technical anomalies

Landis+Gyr OT security monitoring keeps water facilities in control when undetected threats emerge on the network. It enables cybersecurity staff to recognize the tracks of the intruders, locate them, dismantle their activities, and anticipate and prevent their plans for disruption.

Learn more about the Landis+Gyr OT monitoring with integrated NIDS.