Thought Leadership Dec 12, 2023

Protecting Critical Infrastructure: OT Cyber Risk after Aliquippa

By John Karabias and Adi Karisik

Jacobs Vice President, OT Cybersecurity John Karabias and Jacobs Global Technology Principal – OT Cybersecurity Adi Karisik discuss the pressing issue of cybersecurity in water utilities and critical infrastructure, focusing on recent threats and the need for a proactive approach to quantifying and addressing OT risk. This is the first article in a multi-part series on securing critical infrastructure by these authors.

In the dynamic landscape of Industrial Control Systems (ICS), the persistent rise in cyber threats against critical infrastructure operational technology (OT) environments demands new action to quantify and mitigate cyber risk. This year has seen a surge in nation-state-linked OT intrusions, and the U.S. water sector has been targeted repeatedly. The recent attack on the Aliquippa Municipal Water Authority in Pennsylvania, in which the IRGC-affiliated group CyberAv3ngers defaced an internet-exposed Unitronics programmable logic controller that was still using its default password, underscores how thin the sector's defenses can be. It echoes earlier scares such as the widely reported 2011 Springfield, Illinois water pump incident (which DHS and the FBI later concluded was not an intrusion at all, a reminder that attribution in OT incidents deserves care).

In the intricate realm of ICS environments, maintaining a delicate balance among physical security, cybersecurity and automation is essential for operational stability. The recent breach in Pennsylvania is a reminder of the consequences of OT vulnerabilities in the water sector, including the potential for a compromised control system to disrupt plant operations or alter treatment and, with it, water quality. As global attacks on OT systems rise, water utilities must evolve their methodology for quantifying risk and apply cybersecurity measures that let them respond assertively and remain resilient through any form of OT breach.

Fat tails are changing the risk outlook

After the Volt Typhoon intrusions into critical infrastructure networks in Guam, a stealthy living-off-the-land campaign assessed as pre-positioning for disruption rather than mere espionage, it is evident that malicious entities, including nation-states, strategically target critical infrastructure to maximize harm and demonstrate severe consequences. This low-probability, high-consequence formulation is akin to the concept of "fat tails" popularized by statistician and essayist Nassim Taleb in his books on risk in finance. Taleb's erudite essays on risk and probability distributions show how entities from Wall Street to the U.S. Pentagon consistently underweight both the likelihood and the consequences of catastrophic events commonly known as "Black Swans." OT cyber breaches, however, are no longer Black Swans: they occur with increasing frequency, and they carry fat-tail potential for irrevocable harm. Society has grown more accustomed to fat tails through recent examples such as the COVID-19 pandemic. Such events disproportionately affect organizations and their surrounding communities, and OT attack vectors are yet another area where fat tails could be deeply consequential if not properly mitigated.

OT security measures to assess risk and act now

The water and wastewater sector has emerged as a prime target for cyber threats because of its critical role in sustaining life for citizens. In water, as in other OT environments, operators must be aware of the many access points into OT and the lack of fortification often found at them. Organizations must also be honest about why those access points exist: from business, maintenance and equipment-vendor perspectives there is real value in connecting systems and having routable access between the enterprise network and the control systems, which is why the classic air gap rarely survives contact with day-to-day operations. They must also accept that malware including Stuxnet, Flame and BlackEnergy has reached control networks that were believed to be isolated, whether carried in on removable media or by pivoting from the corporate network.

In today's OT environment it is easier than ever to cause harm. With something as simple as a USB flash drive or a Wi-Fi connection, a malicious or merely inexperienced insider can introduce malware into critical OT systems. Water entities can improve their risk posture by bracketing risk at three points: initial design, upgrades, and defined critical control points in the process. Methodologies such as "secure by design," under which cybersecurity is built into products and projects from the outset rather than bolted on afterwards, let utilities, and the vendors they buy from, incorporate proven practices and technologies that reduce digital risk efficiently.

Operational cybersecurity measures can synchronize hardening across Supervisory Control and Data Acquisition (SCADA), the wider OT estate and physical systems. Adhering to standards such as NIST SP 800-82, the Guide to Operational Technology Security, is a foundational tenet for addressing SCADA segmentation risk right away. OT should be designed on a stable, well-understood network architecture, and physical systems and sensors should be linked to SCADA networks over communications that those networks can reliably support and monitor. These measures can be taken now to materially improve an organization's risk posture. At Jacobs, we have embraced the ethos of "secure by design" by embedding cybersecurity from project design through operations and maintenance. But this alone isn't enough. We've moved beyond full-lifecycle OT security delivery to consultatively identify and plan for a wide range of OT cyber risk scenarios and their attendant tradeoffs. This is the new security paradigm for the industrial age.

Securing OT for next age of industrial progress

Quantifying cyber risk in OT is a complex task with significant consequences for how utilities invest. Operators need to understand the human, operational and financial impacts of cyber breaches, taking a holistic approach to risk assessment. As OT moves into a new age of convergence powered by the industrial Internet, OT leaders must recognize the ascendancy of "fat tail" distributions in OT incidents and update their risk and investment calculations accordingly.

Organizations should promptly quantify the new landscape of OT cyber risk, using established standards and hardening principles. This proactive approach helps critical infrastructure facilities shift from vulnerable targets to secure, technology-driven hubs that propel the next generation of industrial progress.
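To make the fat-tail argument of the preceding sections concrete, here is an added worked example written for this page; it is not code from the authors or from Jacobs, and the $1M mean loss per incident and the Pareto shape of 1.1 are illustrative assumptions rather than figures from the article. It models per-incident loss under a thin-tailed (exponential) and a fat-tailed (Pareto, the power-law family Taleb uses) severity distribution with the same mean, then answers two questions a risk owner would ask: what share of expected loss the worst 1% of incidents carry, and how badly a 99th-percentile planning budget is overrun by the typical incident that exceeds it.

```python
"""Fat-tailed versus thin-tailed incident losses, in closed form.

Two severity models for the loss from a single OT incident, built to have
the SAME expected loss per incident so the comparison is fair:
  * thin tail: exponential (losses cluster around the mean)
  * fat tail:  Pareto with shape alpha; the closer alpha is to 1, the more
               the mean is carried by a handful of extreme events
Every quantity below is analytic, so there is no sampling noise.
"""
import math


def pareto_scale_for_mean(mean: float, alpha: float) -> float:
    """Scale x_m such that Pareto(x_m, alpha) has the given mean.

    For alpha <= 1 the mean is infinite: an annual-loss-expectancy figure
    simply does not exist, which is the extreme end of the fat-tail story.
    """
    if alpha <= 1.0:
        raise ValueError("Pareto mean is infinite for alpha <= 1")
    return mean * (alpha - 1.0) / alpha


def pareto_quantile(p: float, x_m: float, alpha: float) -> float:
    """Loss exceeded by only a (1-p) share of incidents."""
    return x_m * (1.0 - p) ** (-1.0 / alpha)


def pareto_tail_share(p: float, alpha: float) -> float:
    """Share of expected loss carried by incidents above the p-th quantile.

    E[X; X > t] / E[X] with t = quantile(p) reduces to (1-p)^(1 - 1/alpha).
    """
    return (1.0 - p) ** (1.0 - 1.0 / alpha)


def pareto_overrun(alpha: float) -> float:
    """E[X | X > t] / t: how far past a planning threshold t the typical
    exceeding incident lands. For a Pareto this is alpha/(alpha-1) for
    any t >= x_m, independent of where the threshold is set."""
    return alpha / (alpha - 1.0)


def exponential_quantile(p: float, mean: float) -> float:
    """p-th quantile of an exponential severity with the given mean."""
    return -mean * math.log(1.0 - p)


def exponential_tail_share(p: float) -> float:
    """Same share for an exponential severity; the mean cancels out.

    E[X; X > t] = e^(-t/m) (t + m), with e^(-t/m) = 1-p and t = -m ln(1-p).
    """
    return (1.0 - p) * (1.0 - math.log(1.0 - p))


def exponential_overrun(p: float, mean: float) -> float:
    """E[X | X > t] / t = (t + m) / t for the p-th quantile t."""
    t = exponential_quantile(p, mean)
    return (t + mean) / t


def compare(mean_loss: float, alpha: float, p: float = 0.99) -> dict:
    """Side-by-side view of the two models at planning percentile p."""
    x_m = pareto_scale_for_mean(mean_loss, alpha)
    return {
        "planning_threshold_thin": exponential_quantile(p, mean_loss),
        "planning_threshold_fat": pareto_quantile(p, x_m, alpha),
        "tail_share_thin": exponential_tail_share(p),
        "tail_share_fat": pareto_tail_share(p, alpha),
        "overrun_thin": exponential_overrun(p, mean_loss),
        "overrun_fat": pareto_overrun(alpha),
    }


if __name__ == "__main__":
    # Illustrative assumptions, not figures from the article: a mean loss of
    # $1M per incident and a Pareto shape of 1.1 (a very heavy tail).
    result = compare(mean_loss=1_000_000, alpha=1.1, p=0.99)
    for name, value in result.items():
        print(f"{name:>24}: {value:,.3f}")
    # Worst 1% of incidents carry about 5.6% of expected loss under the thin
    # model but about 66% under the fat one; an incident that exceeds the
    # 99th-percentile budget overruns it by roughly 1.2x versus 11x.
```

The practical reading: under the thin-tailed model, an annual loss expectancy estimated from a few years of incident history is trustworthy, because the incidents that carry the mean are the ones you routinely see. Under the fat-tailed model, most of the expected loss sits in incidents a utility may never have observed, so a history-based estimate systematically underweights exactly the events the article is warning about, and a budget set at the 99th percentile is not a near miss when exceeded but an order-of-magnitude overrun.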

About OT cybersecurity at Jacobs

At Jacobs, we provide comprehensive support across various digital domains, including IT, OT, IoT and IIoT, to address the needs of our clients in critical infrastructure, national security, manufacturing and data-driven environments. Our dedicated team prioritizes confidentiality in IT environments and secures operational processes and designs in OT environments. This focus empowers our clients' resiliency. We tailor bespoke strategies and solutions to meet specific client requirements, ensuring the utmost protection, security and process hardening. Choose Jacobs as your trusted partner committed to safeguarding your interests.

About the authors

John Karabias

John Karabias is the Vice President for OT Cybersecurity at Jacobs. John has 15 years of experience in cybersecurity and technology. He has served in technical and corporate strategy leadership roles in cybersecurity serving critical infrastructure sectors including water, transportation and advanced manufacturing. John also serves as an adjunct professor of information systems at Loyola University of Maryland and is a board member of the North-eastern Maryland Technology Council. 

Adi Karisik

Global Technology Principal at Jacobs Adi Karisik brings over 20 years of expertise in information technology, cybersecurity and intelligence consulting. Prior to joining Jacobs, Adi managed classified programs globally and holds diverse skills in behavioral profiling, combat operations and predictive threat analysis. Fluent in multiple languages, he is a respected figure in the Department of Defense and teaches at the Naval Postgraduate School. Since 2012, Adi has been at the forefront of big data analytics, and in 2017 he established Jacobs' Operational Technology Services Practice, which has grown exponentially. As a key player at Jacobs, Adi contributes significantly to the intersection of technology and cybersecurity.