Cyber Threat: Attacks On Utilities May Be Next
Our late February 2021 headlines were dominated by the freak winter storm that resulted in a massive power grid failure in Texas, USA. For days, this interruption left Texas residents stranded in dangerously cold temperatures, suffering from a lack of water, and with limited access to resources such as grocery stores and the internet. Businesses were paralyzed and, sadly, people died. While Mother Nature was the one who hacked the Texas power grid this time, it is certain that nation state hackers and other nefarious characters stood up and took notice of the storm’s devastation.
An attack by a malicious hacker could prove more disastrous than the one created by Mother Nature. On average, hackers can persist undetected on an unsuspecting network for up to two months. How much can an attacker learn about the network, and what damage can be done, in that period of time?
Attacks on utility systems affect more than the bottom line; our first concern should be the citizens who would lose electricity, heat, water, and basic living conditions. While it is not pleasant to envision such a time, without electricity these people could be left in isolation, without light, communications, or food, and unable to provide for themselves. Without water there are serious health risks from disease and dehydration, as well as the loss of day-to-day comforts such as showers and baths, clean laundry, and toilets that can be flushed.
A complete shutdown is not the only utility system hack to happen this year. Also in February, the FBI shared that a hacker tried to poison thousands of Florida residents by increasing the level of sodium hydroxide (lye) in the city’s water system. The hacker accessed the utility’s system via TeamViewer, an outdated remote access and file sharing application that the utility’s IT team had used in the past to troubleshoot the system. TeamViewer had been replaced by more modern software many months earlier but had never been removed from the utility’s system. Had one of the utility’s IT team members not noticed the mouse moving across a terminal screen, the outcome could have been tragic, with many casualties.
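A concrete defender's check for the failure described above, written as an added example rather than anything from the article or the utility involved: reconcile a software inventory export against a remote-access policy so that a tool retired months earlier, one below the required version, or one left idle is flagged. The inventory lines, host names, the "ApprovedRemote" product name and the policy thresholds are all constructed.

```python
"""Audit a software inventory for remote-access tools that should not be there:
unsanctioned products, sanctioned ones below the required version, and sanctioned
ones nobody has used in months. Added example, not from the article; the inventory,
product names and policy below are constructed."""
from datetime import date

# Constructed inventory export: host, product, version, last-used date.
INVENTORY = """\
ops-hmi-01,TeamViewer,12.0.7,2020-04-11
ops-hmi-01,ApprovedRemote,3.2.0,2021-02-03
scada-eng-02,AnyDesk,6.1.0,2021-01-28
scada-eng-02,ApprovedRemote,3.2.0,2021-02-04
plant-fs-01,ApprovedRemote,2.9.1,2020-10-01
plant-fs-01,ConfigEditor,7.0.0,2021-02-02
"""
# Hypothetical policy: which products count as remote-access software, and the
# single sanctioned product ("ApprovedRemote" is a placeholder) with its minimum version.
REMOTE_ACCESS_TOOLS = {"TeamViewer", "AnyDesk", "ApprovedRemote"}
APPROVED = {"ApprovedRemote": (3, 0, 0)}
STALE_DAYS = 90  # sanctioned but idle this long: confirm it is still needed

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def audit_remote_access(inventory_text, today, approved=APPROVED, stale_days=STALE_DAYS):
    """Return (host, product, reason) findings for every remote-access entry
    that violates policy. Software that is not remote access is ignored."""
    findings = []
    for line in inventory_text.strip().splitlines():
        host, product, version, last_used = line.split(",")
        if product not in REMOTE_ACCESS_TOOLS:
            continue
        if product not in approved:
            findings.append((host, product, "unsanctioned remote-access tool: remove"))
            continue
        minimum = approved[product]
        if parse_version(version) < minimum:
            wanted = ".".join(map(str, minimum))
            findings.append((host, product, f"version {version} below required {wanted}"))
        idle_days = (today - date.fromisoformat(last_used)).days
        if idle_days > stale_days:
            findings.append((host, product, f"unused for {idle_days} days: confirm need"))
    return findings

def run_audit():
    """Run the audit against the constructed inventory as of 2021-02-05."""
    return audit_remote_access(INVENTORY, date(2021, 2, 5))
```

Fed from a real inventory export, the same loop turns "we replaced that tool months ago" into a list of hosts where the old tool is still installed.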
As technology professionals, it is up to us to install precautions that will protect our communities from such attacks. We all know that we need to deploy firewalls, security software, and other best practices to prevent unauthorized entry to the network, but we also know that however much we build up our defenses, there is no ‘sure thing’ that guarantees the entire network is secure. A single vulnerability, anywhere, leaves the entire network vulnerable. Therefore we must be vigilant and constantly seek out weaknesses in our systems, using the best practices available.
To illustrate this point, imagine locking up your home when you go on vacation. You may have made sure that all of the doors and windows were secured and the alarm system was armed, but what about the garage? Imagine a door between the garage and your home, and the garage has not been alarmed. Is your home secure if an intruder can access the garage and break through the door leading into the home? No.
You may be thinking of the sensors set up to detect movement inside the home while the system is armed. Shouldn’t they alert the authorities? You would be correct, but sensors aren’t foolproof, and an intruder could still find ways to move around undetected. What damage could that intruder wreak while you are away?
In thinking through how to protect our systems, it’s best to start by looking inside the network and considering best practices. A good place to start is a security framework, such as NIST or the SANS 20 Critical Security Controls. These frameworks may seem a little daunting at first, but they can be tackled by breaking down the tasks:
- Self-Audit. The first step is an honest self-audit against whichever framework you have selected. Start by marking up the framework to show what you have already accomplished; this reduces the level of effort and avoids confusion about what still needs to be done. Next, based on your company, prioritize which controls are most important. Then work down that list, installing controls in priority order.
- Create a Cyber Security Culture. Simultaneously, and probably most important in any organization, create a cyber security culture. Good security practices often exist outside the information security group. Having functional users work within the framework not only helps minimize risk; they also represent additional security eyes to sound an alarm if an anomaly is found.
- Back-up. Some people believe that as long as they back up their data, everything will be okay. This is a half-truth. Best practice requires that restores be initiated as verification that the back-ups are working and that they can be successfully restored.
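The restore test the last item calls for, as an added example (not from the article): back up a directory together with a SHA-256 manifest, then restore the archive into scratch space and compare every file against the manifest, so a backup job that "succeeded" but lost a file is caught before it is needed. The directory names and file contents are constructed.

```python
"""Back up a directory, then prove it restores: re-extract into scratch space and
compare every file's SHA-256 with a manifest taken at backup time. Added example,
not from the article; the files and contents below are constructed."""
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def make_backup(src_dir, archive_path):
    """Archive src_dir; return {relative_path: sha256} as the restore manifest."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(Path(src_dir).rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest

def verify_restore(archive_path, manifest):
    """Restore into a scratch directory (never the live system); empty result = passed."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(scratch)
        except (tarfile.TarError, EOFError, OSError) as exc:
            return [f"archive unreadable: {exc}"]
        problems = []
        for rel, digest in manifest.items():
            restored = Path(scratch, rel)
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"content changed after restore: {rel}")
        return problems

def demo():
    """Constructed scenario: a full backup passes; a later job that silently lost a file fails."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "plant-config")
        (src / "hmi").mkdir(parents=True)
        (src / "alarms.ini").write_text("high_pressure_psi=120\n")
        (src / "hmi" / "users.db").write_bytes(b"\x00\x01\x02")
        manifest = make_backup(src, Path(work, "full.tgz"))
        full_ok = verify_restore(Path(work, "full.tgz"), manifest)
        (src / "hmi" / "users.db").unlink()          # file lost before the next run
        make_backup(src, Path(work, "partial.tgz"))  # the job still "succeeds"
        return full_ok, verify_restore(Path(work, "partial.tgz"), manifest)
```

The manifest should be stored separately from the archive it describes, otherwise whatever corrupts or loses the backup can take the evidence with it.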
As with many other security controls, our diligence must be sustained, not ephemeral, particularly when lives are at stake. It would be difficult to stop hackers from trying, but through careful preparation, knowledge, and adherence to best practices, we have a fighting chance of keeping them from gaining access to our systems.