Is Your Water Safe — from Cyber Attacks?

So far, 2021 has seen some serious cyberattacks – with significant consequences. First there was the massive SolarWinds attack. Soon after, the Florida Municipal Water supply was attacked, with hackers tampering with the internal controls and attempting to poison the water supply in the city of Oldsmar with massive amounts of lye. “It was a wake-up call,” Pinellas County Sheriff Bob Gualtieri said. “Water systems, like other public utility systems, are part of the nation’s critical infrastructure and can be vulnerable targets when someone desires to adversely affect public safety.”

There are lessons from this water breach for the electric sector and other utilities. According to Utility Dive, there are similarities between electric and water utilities – including shared vulnerabilities, like software that allowed hackers to access the water plant’s supervisory control and data acquisition systems.

Local Florida media reported that, according to Sheriff Gualtieri, “a hacker (or hackers) gained remote access to a plant operator’s computer Friday, February 5 and within a few minutes had increased the levels of sodium hydroxide dramatically from about 100 parts per million to 1,100 parts per million.” In addition, the plant’s computers shared passwords and ran outdated operating systems, according to a Massachusetts government warning to water companies, a warning that should be heeded by everyone in the utility industry.

According to Frank Cilluffo, director of the Auburn University Center for Cyber and Homeland Security, it’s a “physical-cyber convergence.” And it’s something that should have everyone worried.

We’ve been hacked in major ways, so how can companies become more cyber secure? How will actions taken in Washington – driven by these latest infractions – impact people on the ground who make decisions about what to do at their companies? In other words: How can companies protect themselves? And how might federal policies support or hinder those efforts?

One thing is clear. A total rethink of cybersecurity is needed. SiliconAngle reports that “top security pros say the SolarWinds hack and the COVID-19 pandemic have accelerated a change in their cybersecurity spending patterns.” The challenges are steep. Chief information security officers must secure an increasingly dispersed workforce. They also need to be mindful and wary of software code – even code coming from reputable vendors and the very patches that are designed to protect against cyberattacks. Businesses and organizations are developing what is being called “zero-trust” approaches that include better identity access management and improved endpoint protection and cloud security.

What can the Biden Administration do in its first 100 days to support these cyber security efforts? The Washington Post’s Tonya Riley highlights six priorities in “Here's what cybersecurity experts think Biden should prioritize in his first 100 days,” based on responses to a survey administered to top cyber security experts. The bottom line is that “if the President takes cybersecurity seriously then others will take it seriously,” said Jeff Moss, founder of the DEF CON cybersecurity conference.

Here are the six priorities, as reported by Riley in The Washington Post:

1. Biden should fill out his cybersecurity team: “Two key positions remain unfilled: the White House cybersecurity czar – a Senate-confirmed position newly required by a recent defense bill – and director of the DHS’s Cybersecurity and Infrastructure Security Agency,” Riley reports. Bobby Chesney, law professor at the University of Texas at Austin, said, “The president should quickly announce his nominee for CISA director, press for that nominee to be confirmed quickly, and push hard for Congressional funding for CISA to be able to execute its new threat-hunting authority.”
2. The government needs to spend more money on cybersecurity: There needs to be increased spending for CISA, Riley reports. Biden has already called for roughly $10 billion in funding from Congress for cybersecurity and information technology in his coronavirus relief proposal. That includes $690 million for CISA.
3. DHS shouldn't be the only priority: In addition to the NSC and CISA, additional regulatory agencies need oversight and coordination. These agencies might also need new authority to help them address pipeline, power grid, and telecom security. The State Department also has a role to play in cybersecurity. “Elevate the State Department’s role in cyber defense: It’s tempting to focus on NSA, CIA, and DHS, but the administration will need a fresh diplomatic effort to lead international cyber policy initiatives,” said Laura Galante, a senior fellow at the Atlantic Council’s Cyber Statecraft Initiative. “State’s ability to reshape perceptions of U.S. cyber operations could have outsized effects on Russia and China's actions in this domain and beyond.” The language for these efforts is “cyber diplomacy,” which has been embraced by Secretary of State Tony Blinken.

4. Partnerships with the private sector could take center stage: “Improving cybersecurity also means strengthening relationships and the private sector and building partnerships in the tech industry, which is on the front line of fighting this battle every minute of every day,” said Jay Kaplan, co-founder of Synack. “Ethical hackers and researchers inside cybersecurity firms, cloud providers or online retailers understand what it takes to defend against the threat and can help build better cyber defenses.” The surveyed experts called for joint efforts to tackle growing ransomware attacks.

   Appearing before a Senate committee on February 23, Brad Smith, president of Microsoft, said its researchers believed “at least 1,000 very skilled, very capable engineers” worked on the SolarWinds hack. “This is the largest and most sophisticated sort of operation that we have seen,” Smith told senators.

5. Biden should invest in innovative techniques: The Post reports that Michael Daly, chief technology officer for cybersecurity and special missions for Raytheon Intelligence, is calling for a “National Cyber Moonshot” initiative to boost the defenses of national and critical infrastructure. “He’s also calling for more investment in “scalable and automated" solutions that can help detect breaches.” Marcus Fowler, director of strategic threat at Darktrace, suggested that Biden should embrace autonomous defense systems; these are systems programmed to stop sophisticated attacks without being controlled by a human. “Deterrence and defending forward are no longer enough to protect against or disrupt the new era of cyberthreats we are facing,” Fowler said.
6. Biden should look toward international allies: This priority is connected to calls for increased cyber diplomacy. We won’t be able to protect against attacks from Russia and other adversaries by ourselves. The United States will need to partner with other countries. There are calls for the US to join the Paris Call, “an initiative led by the French government for international allies to combat cybercrimes, as one step toward international coalition-building.” Democracies need to work as allies to fight against the onslaught of hacks, breaches, and attacks against sensitive industries that threaten national – and global – security.

We will all need to work together to stop future cyberattacks. The challenge of reskilling – on an individual level, on a corporate level, on a national level, and on an international level – is front of mind. This might be a silver lining of the pandemic. We are all taking a critical look at our use of technology and where and how we do our jobs to evaluate what is working, what needs to be reformed, and how we can better protect ourselves. When we work together, our shared vulnerabilities – whether they be due to the pandemic or due to cybersecurity attacks – can only make us stronger.

Can CYRIN Training help?

In a word, Yes. And we’ve got training on several issues that were exploited in the SolarWinds and recent Florida water supply attacks including:

• Secure Network Setup, including VPNs
• Man-in-the-Middle Attacks
• Web Application Security Analysis
• Cyber Forensics

If you have the unfortunate incident and you do get hacked, we even have forensics training that will help you analyze your system and understand at a deep level, what went wrong, and how to protect yourself against future attacks.

It’s all here. You just have to use the tools. If you think training is expensive or time consuming, consider the alternative. Contact us now – and you might be part of the group that says – we missed that one. We’re fortunate that our training was up-to-date, that our staff and systems were ready. Situation normal, we’re open for business.

Don’t let it happen to you. Contact us.

< Read other CYRIN Newsletters