Water sector, you’ve been hacked

This would be terrifying. A cyberattack on water infrastructure could lead to widespread panic and potentially significant illness and loss of life, with substantial effects on other critical services such as firefighting and hospitals. It could shut down our economy. It begs the question: is the water industry taking cybersecurity seriously? By Kirsten Kelly

South Africa has the third highest number of victims of cybercrime in the world, costing us R2.2 billion a year, according to the Accenture State of Cyber Security Report 2021. Here are some more red flags: • The Department of Justice and

Constitutional Development recovered from a debilitating ransomware attack that unfolded in

September last year, affecting all its electronic systems. • Transnet was the target of a cyberattack that affected crucial systems and caused our ports to shut down. The attackers encrypted files on Transnet’s computer systems, thereby preventing the company from accessing their own information while leaving instructions on how to start ransom negotiations. The ransomware used in the attack likely originated from Russia or Eastern Europe. • The National School of Government was targeted in a ransomware attack costing around R2 million. • Private hospital group Life Healthcare was also targeted last year in an attack

that affected their admissions systems and email server. These incidents paint a worrying picture of how vulnerable South Africa is to cybercriminals and even cyberwarfare. While digitalisation is reshaping the water sector for the better, it also increases cybersecurity vulnerabilities. A 2019 paper, titled ‘A Review of Cybersecurity Incidents in the Water Sector’, highlights an increase in the frequency, diversity and complexity of cyberthreats to the water sector.

Water utilities typically face the following cybersecurity threats: • Criminals access water systems and flow operations, manipulating water flow and chemical dosages in water treatment works. • Cyberattackers can gain access to customer data through water companies’ online payment systems. • Attackers can also gain administrator credentials and work their way laterally through the water network.

Why is the water sector vulnerable?

“Unlike its critical infrastructure counterparts, the water sector is in the hands of a vast array of organisations, many of which are small and underresourced. There is some level of data sharing and integration between these organisations and networks. When there is a cyberattack, it is dealt with in isolation; there is no sectorwide communication and sharing of the incident. This prevents the water industry from being proactive and learning from each other,” says Professor Annlizé Marnewick at the University of Johannesburg.

“Furthermore, the water sector relies on a variety of physical infrastructure and operational technology systems (sensors, actuators, logging devices, meters, pumps) that are connected to the internet to gather remote data

• Every 24 seconds a host accesses a malicious website • Every 1 minute a bot communicates with its commandand-control centre • Every 34 seconds an unknown malware is downloaded • Every 5 minutes a high-risk application is downloaded • Every 6 minutes a known malware is downloaded • Every 36 minutes sensitive data is sent out of the organisation (Source: SecurePalm)

to support activities like metering and billing, or predictive equipment maintenance. There are many entry points for cybersecurity attacks within our sector,” explains Dr Jeremiah Mutamba, senior manager: Strategic Programmes, Trans-Caledon Tunnel Authority.

Sunitha Venugopal, director at SecurePalm, adds that an organisation must close hundreds of hypothetical doors (entry points) to avoid a cyberattack, where a hacker only needs to find one open door to conduct a cyberattack. “The odds are stacked against all organisations, but the water industry is extremely vulnerable. Typically, this sector operates a lot of legacy-based operational technology with well-known vulnerabilities that cybercriminals can easily exploit. People are opposed to updating or changing these systems because they are expensive and still in working

Russia has attacked Ukraine by land, sea, air and cyberspace. In the hours before Russian troops invaded, Ukraine was hit by never-before-seen malware designed to wipe data. Russian cyberattacks have undermined the distribution of medicines, food and relief supplies. Their impact has ranged from preventing access to basic services to data theft and disinformation. Many of these cyberattacks have been designed to disrupt the provision of emergency services in the immediate aftermath of airstrikes.

Given that the USA and EU have banded together in support of Ukraine, the scope of a cyberwar could be broad. While all eyes have been on the RussiaUkraine war, the water sector in the USA has been preparing for an onslaught of cyberattacks from Russia that could lead to drinking water contamination, service disruptions and ransom demands.

As tensions between Russia and the USA rise, the threat of cyberattacks against water and wastewater infrastructure from all directions increases. The Biden administration has unveiled a 100-day action plan – a voluntary strategy – to increase the protection of water systems from attacks.

• A water treatment plant in

Florida, USA, was attacked. In that incident, a hacker broke into the IT system of a water treatment plant and remotely accessed the computer system.

The plant operator observed the mouse moving around on his screen and access various systems that control the water being treated. The hacker tried poisoning the supply, by adjusting sodium hydroxide levels from 100 parts per million to 11 100. Because the plant operator observed what was going on, the attack was thwarted in time. • A wastewater treatment plant in Maroochy, Australia, was attacked by a person whose application for employment was rejected. This caused the plant’s pumps to stop working, where wastewater was discharged into the sea. • A waterboard in Michigan,

USA, had a ransomware attack where $25 000 was paid to cybercriminals in order to resume operations. • Pumping stations and treatment facilities in Israel were attacked by cybercriminals suspected of being affiliated with the Iranian regime. They attempted to increase the level of chlorine in some of the water supply systems. The government quickly countered, prompting all the water and energy infrastructures in the country to change the passwords to all their Scada systems to guard against any further intrusions. • Volue, a Norwegian company that equips several water treatment facilities with applications and software, fell victim to the Ryuk ransomware. The ransomware spread to the information systems of 200 public water suppliers in the country. Several customer front-end platforms were impacted. order. These legacy systems often have a default configuration where you cannot change the username and password of the switch dashboard. Furthermore, updating operational technology with cybersecurity can be slow going, as services must run 24/7.”

Effective implementation factors of a cybersecurity system

The main purpose of cybersecurity is to protect all organisational assets from both external and internal threats, as well as disruptions caused due to natural disasters. The following factors need to be considered when implementing a cybersecurity system. • Strategy: This will assist the water industry to reduce risk and promote resilience (quick recovery after an attack). • Standards and protocol: To successfully implement cybersecurity, water institutions need to identify and comply with all mandatory cybersecurity requirements and controls. • Culture: A cybersecurity culture needs to be embedded in the overall water industry culture. This is done by generating an awareness and knowledge of imminent threats.

Globally, most data breaches in the water industry are the result of a human factor, and employees in the water sector must see cybersecurity policies as rules and not just guidelines. • Program: A cybersecurity program is informed by strategy. Programs will allow multiple, timely and full backups of critical systems and data as well as program maintenance. One needs to practise the restoration of the system from backups. There should also be a business continuity plan in the event of a cyberattack. • Insurance: Recovering from a cybersecurity attack could be expensive for organisations in the water industry. Cybersecurity insurance is an important risk management tool considering the sensitive nature of the data being generated in the water sector. This insurance will serve as an effective part of a resilience toolkit, to enable expert emergency support. • Intelligence: Cyber intelligence is the knowledge, skills and experiencebased information concerning

Removable media (USBs) Spear phishing Ransomware

Remote technicians

Software vulnerabilities

Virus and BOT

Missing boundary SECURING AGAINST ATTACKS

End-point data protection Threat emulation and extraction technologies Anti-ransomware Secure VPN connectivity and two-factor authentication

IDS/IPS

Anti-virus and anti-BOT

Firewall and segmentation

• Choose a lengthy password (more than 10 characters) – password length is more important than complexity • Do not enforce regular password resets • Screen all passwords against commonly used and compromised passwords • Allow the pasting of passwords • Enable ‘show password’ while typing • Limit the number of failed password attempts before account lockout • Implement two-factor authentication

cyberattacks and threats. It will help the water sector make faster, informed security decisions and change behaviour from reactive to proactive when combatting attacks. Cyber intelligence tools allow the sector to leverage IT, joining other stakeholders (universities, CSIR, WRC) to create an environment for the research and review of challenges and causes – ensuring a more proactive security position. “Like many other nations, South Africa has an overarching national cybersecurity strategy. National policy suggests that the water sector sets up a computer security incident response team (CSIRT) that shares any cybersecurity incidents with all water industry

bodies, as well as at a national level,” adds Marnewick. • Worksheet: A cybersecurity worksheet will be used to keep a list of the highest cybersecurity risks, with details on how these will be addressed. The cybersecurity worksheet normally contains three sections: - cybersecurity actions - description notes - date of completion. From the documentation process, institutions can draw valuable lessons to improve future cybersecurity management and share this information with each other.

Operating Range Flow - 10m³/hr up to 2500m³/hr Head - 4m up to 120m

Applications - General liquid pumping - Power plants - Bulk Water - Steel mills - Refineries - Chemical plants - Cooling and heating systems