As the US federal government turns its attention to securing more of its infrastructure against the rising risk of large-scale cybersecurity attacks, a late January statement from the White House focuses on securing more of these legacy facilities.
Beginning with water, the U.S. Environmental Protection Agency (EPA), the National Security Council (NSC), the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Water Sector Coordinating Council and Water Government Coordinating Council (WSCC/GCC) are taking part in President Biden’s Industrial Control Systems (ICS) Initiative. This is part of National Security Memorandum 5, Improving Cybersecurity for Critical Infrastructure Control Systems.
Improving cybersecurity in the water sector and food supply chain
The Industrial Control Systems Cybersecurity Initiative – Water and Wastewater Sector Action Plan concentrates on high-impact activities that can be surged within 100 days to protect water resources by improving cybersecurity across the water sector. The federal government and critical infrastructure community will help facilitate the deployment of technologies that provide cyber-related threat visibility, indicators, detections, and warnings.
Prior to this, the federal government set out to create new standards and regulations, beginning with the American Water Infrastructure Act of 2018 (AWIA 2018), which called for water utilities to perform an assessment and response plan.
The United States relies on a decentralised water utility network, putting state, municipal, and city governments in charge of managing their own utilities. While some private companies cover vast regions, it is common to see individual towns and cities manage their own water for their residents.
Part of AWIA 2018 recommends monitoring the operational networks at water utilities. Continuous monitoring, anomaly detection, incident management and reporting, and remediation planning are vital to remaining compliant. These clearly defined deliverables will aid in protecting the water infrastructure for people throughout the country. An effective ICS/SCADA protection plan requires comprehensive identification and mapping of all devices, connections, ports, and other network assets. Only then will utility providers be able to detect vulnerabilities and exposures and assess them in terms of severity and potential impact if compromised.
As in private manufacturing facilities, these fragmented systems open new attack vectors through which competitive nation-states, criminals, and black-hat actors can exploit vulnerabilities.
Strengthening a facility’s cybersecurity
Unlike the public sector, which is driven by protecting its residents, private producers like food and beverage manufacturers need to keep their consumers safe and their food supply chains secure in order to meet safety standards, ensure maximum revenue, and ensure uninterrupted operations. Two recent examples of attacks on food organisations were an attack on Schreiber Foods, which temporarily stopped operations as a result, and another on candy maker Ferrara, which had to shut down operations and various facilities right before Halloween.
Both had layers of legacy and modern systems without the ability to catalog and monitor all systems in a virtual environment. Unlike IT systems that can throw firewalls at suspicious corners of their operations, OT facilities can never be 100% secure, as stopping a production line to prevent a cyber attack would have a massive impact on operations. These facilities’ lack of OT network mapping, along with a lack of rapid identification and response capabilities, meant that they had longer downtime and revenue loss than was necessary.
Smaller municipalities that manage potable and wastewater, as well as distributed production plants, allow for more autonomy and flexibility in operations. Yet a lack of centralised standards and regulation presents opportunities for hackers looking to disrupt their delicate Operational Technology (OT) and Industrial Control Systems (ICS). This is especially true at a time when these facilities need remote access and operations to remain resilient during natural disasters and pandemics as well as cyber attacks.
Devising an ICS protection plan can be a daunting task. There’s no one-size-fits-all solution, and in many cases, operators have incomplete visibility into their networks.
It’s critical to partner with an MSSP organisation to save time and resources in implementation. This allows the smaller distributed water utilities and food manufacturers to immediately address the vulnerabilities that they face in their systems today. Strengthening a facility’s cybersecurity posture is not only a large technical load but also carries a significant risk of project failure without the right mixture of partner and toolset. Resources are too critical to rely on the educated guesswork of industry veterans and experts.