Device-level cybersecurity for U.S. water infrastructure

Cyberattacks on U.S. water infrastructure are rising. The National Cyber Strategy includes new regulations directing an increased focus on cybersecurity to ensure the safety of public drinking water.

Threat actors and nation-states have already attacked U.S. water systems. Examples include the failed Iranian cyberattack on a New York dam in 2013 and the January 2021 attack on a water treatment plant in the San Francisco Bay Area, in which an undisclosed hacker deleted crucial programs used to treat drinking water.

The most significant cybersecurity risk for water facilities often comes from insider threats: human error, stolen credentials, and malicious actors. While incidents stemming from the first two categories are more common, all insider attacks are on the rise, as indicated by the Ponemon Institute’s research, which found that every surveyed company had experienced an insider incident last year.

The 2021 incident in Oldsmar, Florida, demonstrated the impact of human error when an employee accidentally clicked the wrong button. The recent attack by a contractor on the Discovery Bay Water Treatment facility in Tracy, California, shows how dangerous a malicious insider can be when they use their access to cause intentional harm.

Securing more than 55,000 decentralized public water systems and 16,000 wastewater systems in the United States poses a considerable challenge, especially in an industry with limited cyber awareness and resources. It takes only one unsecured device, a single human error, or one worker manipulated by an outsider to jeopardize the water safety of hundreds of thousands, if not millions, of residents.

The key to combating insider attacks is managing and monitoring insider privileges rather than the individuals themselves, which can effectively eliminate the attack vector.

Upcoming regulations don’t address core issues

While securing Programmable Logic Controllers (PLCs) eases many of the cybersecurity burdens on water facilities, centralized regulations governing these protections do not yet exist.

The National Institute of Standards and Technology (NIST), American Water Works Association, Department of Homeland Security, and Cybersecurity and Infrastructure Security Agency (CISA) all provide some degree of risk management oversight and best practice recommendations, but no enforceable national standards or regulations exist. Without greater involvement from private-sector cybersecurity companies and industry groups, the feasibility and scalability of any such standards remain questionable.

In March, the U.S. EPA issued a memorandum stating that cybersecurity needed to be included in water system audits. That was later struck down by the U.S. Supreme Court. However, cybersecurity of critical infrastructure is still a major concern of both the EPA and the Biden administration.

NIST has recently emphasized the need for the “protection of individual OT components (devices) from exploitation.”

On a global scale, both the Cyber Security Agency of Singapore and the European Union have issued regulations and recommended best practices to address the importance of adopting zero-trust principles and configuring devices to protect OT assets at the device level.

