News Feb 16, 2021

Awareness and Vigilance Help Prevent Cyber-Tampering at Water Treatment Facilities

Cyber-tampering is on the rise. Awareness and vigilance can help thwart an attack. Our thought leaders share some initial steps water providers can take to protect their assets.

Blue and white water treatment facilities and equipment

Cyber-tampering is on the rise. Awareness and vigilance can help thwart an attack. Our thought leaders, Global Technology Leader Operational Technology (Cybersecurity) Adi Karisik and Vice President, Operations Management and Facilities Services (OMFS) Steve Meininger share some initial steps water providers can take to protect their assets.

On February 9, 2021, the national news media reported on a malevolent attempt to access process control systems and change chemical dosing at a municipal water treatment plant in Florida.

The system was accessed via a remote access program shared by plant workers, and luckily, the attack was thwarted by an alert operator, who was able to quickly switch the sodium hydroxide dosing back to safe levels.

This incident hits close to home. Jacobs serves public agencies and private entities, delivering water and wastewater utility operations and maintenance (O&M), facilities management, public works and municipal services. We’ve delivered OMFS for clients in government and industry for 40 years – we treat hundreds of millions of gallons of water and wastewater every day.

We’re fortunate, as Jacobs has leading  expertise in operational technology cybersecurity, specially focused on Industrial Control Systems (ICS), and we’ve engaged  these resources for many of the water systems we run. We invest in robust cybersecurity solutions for the protection of many of our clients’ water operations. In these facilities Jacobs operates and manages, we’re constantly monitoring ICS activities, proactively initiating cybersecurity rules and policies, as well as implementing mitigation measures – and have been doing so for years.

On July 23, 2020, the National Security Agency and the Cybersecurity Infrastructure Security Agency issued an advisory for immediate reduction of exposure across operational technologies and control systems as they are expecting more of these type of attacks to happen in future. *

Intentional cyber penetration into U.S. water utility process control systems by rogue nation states, insider threats (through intentional and unintentional attacks), and a variety of criminal groups have been reported. Cyberattacks have disrupted critical process operations in all industrial sectors (e.g., energy, manufacturing, water, transportation, building management systems, etc.) Consequently, these attacks have the potential to disrupt, or even compromise production or service.

Investment in our water systems is also critical to managing the cyber threat. Many water and wastewater utilities across the U.S. remain dependent on aging and legacy equipment and software that is poorly documented, no longer supported by the vendor, and is unpatched, all of which leave critical assets extremely vulnerable to increasingly prevalent modern forms of cyberattacks. If left unchecked, that vulnerability, coupled with cyber intrusions, can result in disastrous effects on the environment and consumers ranging from chemical spills to contamination of the water supply. And the frequency of these events is increasing.

The U.S. Environmental Protection Agency, in its 2019 Baseline Information on Malevolent Acts for Community Water Systems report, has deemed cyberattacks as one of the most likely of malevolent acts for water systems.  To that end, we’d like to share some best practices from our experience both as an O&M provider and as a leader in cybersecurity. While each individual situation will vary, some initial steps water providers can take include:

  • Ensure compliance with appropriate cybersecurity standards.
  • Ensure that your Business Network is segregated from operational network (Purdue model).
  • Know and keep updated:
    • Asset inventory
    • Catalog all CVEs (common vulnerability and exposures) that affect current assets
    • Perform live or virtual penetration testing
    • Ensure security and managed access to all devices and terminals
    • Make sure that all appropriate patches are applied
    • Ensure firewall rules and polices are up to date
    • Ensure that any unusual activity in the operational technology (OT) environment is captured and analyzed.
    • Leverage multi factor authentication
    • Ensure regular password rotation

It’s important to note that while active cybersecurity posture and measures greatly reduce the likelihood and consequences of a successful cyberattack, no system can ever be guaranteed to be 100% protected. Constant monitoring of the OT environment is highly recommended. 

We know this recent event is unsettling, but the good news is that our nation’s water utilities recognize the risk and are proactively addressing the issue. Sharing best practices, industry standards, and lessons learned are also helping communities prepare and protect. Dependable and safe water infrastructure is essential to human health and the nation’s economy, and Jacobs remains vigilant in helping to manage and secure our precious water resources. 

The information in the article is for general use only and not for reliance.

* Source: U.S. Cybersecurity & Infrastructure Security Agency/National Security Agency Advisory – July 23, 2020

About the authors

Steve Meininger is vice president of Global Operations Management and Facilities Services (OMFS) at Jacobs and leads operations, maintenance and related technical and advisory services delivered for clients at more than 300 sites. The OMFS practice is comprised of 2,500 staff who provide operations and maintenance for water and wastewater utilities, buildings and industrial facilities, public works and municipal infrastructure throughout North America and in several international locations.

Jacobs Global Technology Leader for Operational Technology Adi Karisik has more than 20 years of highly specialized professional experience in information technology, enterprise IT cyber security, operational technology, management consulting, intelligence consulting as well as providing specialized services in Defense and Intelligence domain. He managed several classified and open programs/portfolios in both U.S. and Europe and has developed and leads a focused Operational Technology Services Practice within Jacobs.

You might be interested in...