A criminal cyber-attack on a UK water company in August 2022, which saw hackers gain access to customer banking details, led utilities to urgently reassess cybersecurity strategies. For Philippe Willems, engineering manager at technology company Ovarro, the biggest cybersecurity threat facing the water sector today is an attacker taking control of its IT or operational technology (OT) systems to steal data and block or disrupt operations.
Risks stem from water companies still using legacy systems which were installed many years, if not decades, ago.
These systems have minimal, if any, cybersecurity features and present a huge digital attack surface — this means there are many pathways an attacker can take to gain unauthorised access to a computer or network.
“Protecting insecure legacy infrastructure can seem like a daunting challenge,” Willems said. “The main task for water companies is to update or protect their existing systems. This requires a detailed analysis of their OT network vulnerabilities, before establishing an initial plan to protect the most vulnerable entry points for attackers.”
There are three main attacker types, according to Willems. The least concerning are hackers who do it for the sake of doing it. Then there are the attackers who want to block access to computer systems using malicious software, such as ransomware, until a sum of money is paid. The most dangerous and under-the-radar threat comes from state-backed attackers trying to gain access to water companies, and other critical infrastructure, in what is called cyber-warfare.
Companies should undertake a full assessment of their security systems. The correct steps can then be taken to protect these systems. Actions may include replacing existing unsecured devices with cyber-secure devices, using firewalls, or segregating IT and OT networks, to ensure any access routes to critical operational networks are blocked to unauthorised users.
Ovarro as a supplier is in the process of obtaining IEC 62443, an international series of standards published by the International Electrotechnical Commission (IEC) that address cybersecurity for operational technology in automation and control systems. This includes the certification of its devices, processes and procedures.
“We received security advisories from the Cybersecurity and Infrastructure Security Agency (CISA) about the software components we use in our devices,” said Willems. “If we are affected, we publish a security advisory with a description of the fix or workaround we have implemented.”
In the UK, Ovarro has joined the Industrial Control System Community of Interest (ICS COI), hosted by the National Cyber Security Centre, to further drive compliance and cutting-edge cyber security into products and practices.
Water companies and the supplier community must use the same standards. For devices, IEC 62443-4 is used. For integrators, IEC 62443-3 is used and for owners of systems, IEC 62443-2 is used.
This is a key concept of IEC 62443: companies like Ovarro can provide certified devices, but these devices must be correctly installed and configured by the system integrator. Then the owner, in this case the water companies, must enforce best practices from their employees and other authorised users. If any of these practices are not implemented correctly, the cybersecurity of the whole system will be vulnerable to attacks.
In 2021, industrial cybersecurity platform Claroty performed testing on Ovarro’s TBox remote telemetry unit (RTU) and detected vulnerabilities. After vulnerabilities are corrected, new versions of Ovarro’s software are released.
Willems said, “If there is no correction possible, we establish a workaround. On very rare occasions, we may recommend our customers do not use the affected feature to eliminate risk.
“If vulnerabilities are detected, we publish detailed security advisories to inform our customers of technical details and mitigation information and direct them to software updates and workarounds.”
Thorough testing, including by external specialists, is vital. Ovarro carries out multiple stages of testing. The systems are tested in-house first, by engineers in charge of the development, then by a dedicated team assigned to software tests. Beta versions are also provided to selected customers who help test the systems in real-world situations. Finally, the company works closely with cybersecurity specialists for penetration testing.
Unfortunately, the scale and complexity of cyberattacks against the water sector are likely to increase. Attackers will always find new ways to penetrate systems, and companies are continually assessing how difficult it will be to attack their systems and how much money it will cost to protect them to an acceptable level.
But technology to tackle threats is developing at a fast pace and is moving towards being fully automated, driven by artificial intelligence (AI) and machine learning (ML).
“Of course, robust security cannot be achieved through hardware or software alone, but through a joined-up strategy, comprising people, policies, products and procedures,” Willems added.