There has been an avalanche of advice and best practices on industrial cyber security (e.g. "Fast, Simple, Secure: Implement CISA et al HMI (practically) recommends Agilicus AnyX" and "CISA: 8 Top Cyber Actions for Securing Water Systems"). This blog post summarises the key takeaways from my recent webinar on this topic, focusing on practical steps you can take to improve your plant's security posture.
The Risks Are Real – and Growing
We’ve all seen the headlines: the Kansas City freshwater plant shutdown, the Muleshoe, Texas water tank overflow (we even posted the video of the HMI hack on our website!), and the infamous Oldsmar, Florida incident. These aren’t isolated incidents; they’re the tip of the iceberg. For every publicly reported attack, there are likely many more going unreported. Nation-state actors aren’t just after a quick ransom; they want persistent access for future exploitation. This makes even undetected vulnerabilities a serious concern.
Deciphering the Avalanche of Advice
The constant stream of alerts from CISA, the DOJ, the FBI, and other agencies can be overwhelming. They often call for immediate and sweeping changes that may be difficult, if not impossible, to implement. Many of these directives, while well-intentioned, lack the practical context needed for implementation in industrial settings. For example, the blanket call to remove all VPNs from networks is unrealistic for many plants. These advisories need to be translated into concrete action items.
Evergreen Tactics: Simple, Effective Security
Let’s focus on practical, cost-effective measures, regardless of the specific attack vector:
- Stronger Identities, Not Shared Passwords: The number one problem? Default passwords and shared accounts. A recent CISA report revealed that 94.4% of US Coast Guard entities had at least one default password. This is a disaster waiting to happen. The solution? Move to single sign-on (SSO) and multi-factor authentication (MFA) across all your systems. We recommend focusing on the HMI first, as it is the most human-facing element. An identity-aware proxy can bring even legacy systems up to this standard by performing authentication in front of them, so the HMI itself never needs to support SSO or MFA. This eliminates guessable passwords and credentials that are never rotated, and it simplifies access for employees and third parties alike.
- Defence in Depth – Beyond the Air Gap: The “air gap” is porous. USB drives, cellular modems, and remote support tools all represent potential entry points. Defence in depth requires multiple layers of security. Network segmentation, robust backups (offsite and protected from flooding!), and well-defined incident response plans are crucial. Understand what you have through thorough inventory and regular security assessments.
- Zero Trust is a Principle, Not a Product: Zero trust isn't a magic bullet; it's a philosophy centred on three questions: Who (identity: strong authentication of individual users), What (authorisation: defining which resources each user may reach), and How (secure access methods: the path to the resource is itself authenticated and encrypted rather than exposed on the public internet). If you can answer all three for every connection into the plant, you are well on your way to a zero-trust architecture.
- Addressing the Moral Hazard: Your vendors and partners may prioritise simplicity over security, pushing for shared credentials. This creates a moral hazard; you bear the risk, they enjoy the ease of access. SSO and MFA align these interests; it’s simpler for your partners and significantly more secure for your plant.
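The "Who / What / How" decision that an identity-aware proxy makes in front of a legacy HMI, as an added example that is not part of the original post and is not Agilicus code. It assumes an SSO identity provider that issues HS256-signed tokens with `sub`, `groups`, `amr` and `exp` claims (the `amr` value `mfa` marks a multi-factor login, per RFC 8176); the signing key, the policy table and the resource names are constructed for illustration. The HMI behind the proxy never sees a password: it only receives requests the proxy has already authenticated and authorised.

```python
"""Added example: identity-aware proxy gate in front of a legacy HMI.
Not the page's or Agilicus' code. Token format, claim names and the
policy table are assumptions for illustration."""
import base64
import hashlib
import hmac
import json
import time

# Constructed key shared with the identity provider for this demo.
# A real deployment verifies tokens against the IdP's public key instead.
SIGNING_KEY = b"demo-signing-key-do-not-use"

# "What": which groups may reach which resource, and whether MFA is required.
# Constructed policy table; the resource names are hypothetical.
POLICY = {
    "hmi-clarifier": {"groups": {"operators"}, "require_mfa": True},
    "historian-readonly": {
        "groups": {"operators", "engineering", "vendor-acme"},
        "require_mfa": False,
    },
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub, groups, amr, exp, key=SIGNING_KEY) -> str:
    """What the identity provider hands out after an SSO login (HS256 JWT)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(
        json.dumps({"sub": sub, "groups": groups, "amr": amr, "exp": exp}).encode()
    )
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, now, key=SIGNING_KEY):
    """"Who": return the claims if signature and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse alg=none / algorithm confusion
            return None
        expected = hmac.new(
            key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64 / JSON / wrong number of parts
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(token, resource, now):
    """Full proxy decision for one request: (allowed, reason).

    Order matters: first establish who is asking, then whether that identity
    may reach this resource at all, then whether the login was strong enough."""
    claims = verify_token(token, now)
    if claims is None:
        return False, "unauthenticated"
    rule = POLICY.get(resource)
    if rule is None:
        return False, "unknown resource"
    if not rule["groups"] & set(claims.get("groups", [])):
        return False, "not authorized for resource"
    if rule["require_mfa"] and "mfa" not in claims.get("amr", []):
        return False, "mfa required"
    # "How": only at this point would the proxy open the (TLS) hop to the HMI,
    # forwarding the request with the verified identity attached.
    return True, f"forward as {claims['sub']}"


if __name__ == "__main__":
    now = int(time.time())
    operator = issue_token("alice", ["operators"], ["pwd", "mfa"], now + 600)
    vendor = issue_token("bob", ["vendor-acme"], ["pwd"], now + 600)
    print(authorize(operator, "hmi-clarifier", now))      # (True, 'forward as alice')
    print(authorize(vendor, "hmi-clarifier", now))        # (False, 'not authorized for resource')
    print(authorize(vendor, "historian-readonly", now))   # (True, 'forward as bob')
```

Note that the vendor account is never told which check it failed beyond a coarse reason, and a token minted with any other key (a guessed or leaked "shared" secret) is rejected before the policy table is even consulted: the proxy, not the HMI, is where the password problem gets solved.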
Moving Beyond the “Avalanche” – Practical Steps
The government’s eight key recommendations for securing water systems boil down to:
- Reduce Exposure to the Public-Facing Internet
- Conduct Regular Cybersecurity Assessments
- Change Default Passwords Immediately
- Conduct an Inventory of Operational Technology/Information Technology Assets
- Develop and Exercise Cybersecurity Incident Response and Recovery Plans
- Backup Operational Technology AND Information Technology Systems
- Reduce Exposure to Vulnerabilities
- Conduct Cybersecurity Awareness Training
Remember, you don’t have to be better than a nation-state actor; you just need to be better than your neighbours.
Conclusion: Security as an Enabler
The world has changed. Remote access is now essential for efficiency and responsiveness. Security doesn’t need to be a barrier; it can be an enabler. By implementing these practical steps, you can significantly reduce your risk while maintaining operational efficiency. Contact us at Agilicus to learn more about how our solutions can help you secure your wastewater treatment plant.