This article first appeared in The Water Report
On Friday 12th May 2017, the WannaCry ransomware cyber-attack was launched, infecting more than 230,000 computers in over 150 countries within its first day and severely disrupting organisations including the NHS, Spain's Telefonica, FedEx and Deutsche Bahn. This has pushed cyber security, and resilience against such attacks, back to centre stage. This time the NHS was hit, but could the water industry, with its critical infrastructure and valuable customer information, be a future target?
What are the actual types of attack that a water company may be subject to, their likelihood and impact? What are different institutions putting in place to manage the cyber threat and what should water companies be doing now?
The cyber threat
Cyber threats can be considered in three broad areas: threats to a company's core IT systems; threats to the personal data that companies hold; and threats to a company's operational technology (OT). These inevitably overlap, but they provide a good basis for segmenting and assessing risk.
Attackers are interested in gaining access to corporate IT systems because of the financial and commercial data they hold. The WannaCry attack impacted corporate IT systems, and its effect was severe: for example, 48 NHS trusts in England and 11 NHS Boards in Scotland were affected, with procedures cancelled because clinical staff could not access IT systems.
A significant attraction of the corporate IT environment for cyber criminals is personal data. Companies, including water companies, hold large numbers of customer records containing personal and banking details. These are attractive to criminals because they enable the subsequent targeting of customers, primarily for financial fraud, and are often sold on to other criminals through underground data markets. The TalkTalk incident of 2015 resulted in the compromise of personal data for over 150,000 customers, caused huge reputational damage and incurred a then-unprecedented fine of £400k from the Information Commissioner's Office. Under the GDPR, which applies from May 2018, a future fine could be far greater.
While the threat to corporate IT and personal data is clear, for water companies (and other network-based industries) the challenge goes deeper, given the extensive infrastructure such companies manage through OT. One of the first malicious OT cyber security incidents was the oft-cited attack on Maroochy Water Services in Queensland, Australia, in 2000, in which a former contractor used insider knowledge and radio equipment to issue rogue commands to the sewage pumping control system. This led to the release of around 800,000 litres of raw sewage across 46 separate spill incidents.
Attackers are increasingly interested in targeting OT. The challenge for water companies is that these systems are often harder to secure than traditional IT: they are spread across many remote sites; many are old and were built before security was a design concern; and conventional security tooling (endpoint agents, patching, vulnerability scanning) often cannot be deployed on the controllers and field devices at the lower OT network levels. These weaknesses are exacerbated by the on-site practice of allowing staff and third parties to connect their own devices to local hardware, for example to diagnose faults. Such devices, particularly laptops that are also used for email and web browsing, are a potential route for malware into the plant environment. Even using a local USB port to charge a member of staff's phone represents a malware risk.
It is also important to consider supply chain impacts, where partners and providers have access to a company's IT. In 2013, the US retailer Target was breached, with around 40 million payment card details and personal information on up to 70 million customers stolen. Instead of attacking Target directly, the attackers first compromised a third-party contractor that maintained heating and ventilation (HVAC) systems, used its remote access credentials to get onto Target's network, and then moved laterally to the systems holding card data. The attack led to the departure of Target's CEO.
The question that water companies need to consider is whether the threat is increasing. The Cyber Security Breaches Survey, April 2017, states that in the last year one in five UK businesses experienced a breach resulting in a material impact. Water companies should note that the utilities sector, alongside information and communications, is the sector most commonly reporting breaches; that large companies are more susceptible; and that businesses holding customer data are more likely to have had breaches than those that do not (51% against 37%). All of this suggests the water industry is an attractive target.
Advice and guidance
There are a number of areas where work is progressing to improve cyber security, but these can be difficult to navigate. We have therefore set out below the key elements of this work by source and type. The sources are the EU, the UK Government and national security bodies, and water industry specific organisations. The type of work can be divided into strategy, best practice guidance and formal compliance requirements.
Water companies need to ensure their plans are aligned with the overall national strategic intent. In November 2016 the UK government published its National Cyber Security Strategy 2016 to 2021, delivery of which is led by the newly formed NCSC, the body charged with protecting critical national infrastructure. The strategy sets out the UK's five-year plan to enhance resilience against a range of cyber-related threats and is built on three pillars: Defend, Deter and Develop.
This national strategy helped inform Defra's Water Sector Cyber Security Strategy, published in March 2017, which lays out a government vision for "a secure, effective, and confident water sector, resilient to the ever evolving cyber threat". To help achieve this vision it sets out a number of focus areas, including: separation of IT and OT; common security management for IT and OT; awareness training; incident response planning; and risk from third parties.
While both these documents currently represent strategy, they could well result in specific future regulatory requirements with which companies will need to comply.
Best practice guidance
The NCSC provides a host of good practice, guidance and other services that can help water utilities improve cyber resilience. Water UK has drawn on this in their document “Cyber Security Principles for the Water Industry”, which relates the principles more directly to water companies.
Most urgently for water companies, there are several new and planned compliance requirements that carry significant fines for breaches. It is now less than a year until the EU's General Data Protection Regulation (GDPR) becomes enforceable, on 25 May 2018. Key aspects of GDPR include strengthened individual rights, stricter conditions for relying on consent to process an individual's data, and a requirement for organisations to report personal data breaches to the regulator within 72 hours of becoming aware of them. GDPR allows for fines of up to 4% of a company's global annual turnover or €20 million, whichever is higher.
The NIS Directive aims to improve the cyber resilience of critical services and systems and to ensure effective information exchange and cooperation. It must be transposed into UK law by May 2018. The detailed impact on water utilities is not yet clear, but it is likely to result in a legal requirement to "take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and information systems which they use in their operations" and to "report cyber security incidents to a national computer security incident response organisation".
Within England and Wales, the Drinking Water Inspectorate (DWI) Water Industry (Suppliers’ Information) Direction 2017 came into force on April 1st. This requires water companies to report “any significant occurrence, apprehended or otherwise of where the company has identified interference with electronic systems caused by external interference (‘cyber-attack’) that has or could impact quality or sufficiency of water”. The notification requirements are extensive.
In addition, it is likely that Ofwat’s duty on resilience will result in some form of requirements on water companies with regard to cyber security.
Given the rising cyber threats, together with the impending legislation and national and sector strategies, water utilities should take action now to address their cyber risks. This should commence with a re-assessment of cyber security vulnerability. Ten ‘killer questions’ can help companies establish this:
Secondly, based on the results of this assessment, companies need to create or update their cyber security strategy. As noted earlier, the NCSC provides guidance and frameworks for managing cyber security in UK critical national infrastructure organisations. These draw on other standards and frameworks from around the world, such as the US NIST Cybersecurity Framework (NIST CSF). Organisations should take account of this guidance and of relevant regulatory requirements, for example the need to separate IT and OT, and should also address governance and staff matters. A strong governance approach built on clearly communicated security policies, supervisory oversight and ongoing awareness activities, leading to security-conscious operators and supervisors, is one of the best protections.
Thirdly, companies need to ensure they are prepared for the three key compliance areas: GDPR, NIS and the DWI Suppliers' Information Direction, and should also revisit these in the light of Ofwat's developing position on resilience.
The WannaCry ransomware cyber-attack was untargeted: it spread between machines by exploiting a Windows SMB vulnerability for which Microsoft had released a patch two months earlier, yet it still infiltrated and disrupted many leading organisations. A targeted attack, which the water industry may well face, would be far harder to detect and remove and potentially far more damaging. It has never been more important for the water industry to ensure its cyber security is best in class.
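The check a practitioner would want alongside the WannaCry point above, as an added example that is not part of the original article: WannaCry spread by exploiting the SMBv1 protocol (the flaw fixed by Microsoft's MS17-010 update of March 2017), so the two questions for any Windows host are whether SMBv1 is still enabled and whether security updates are current. The script below assumes Windows 8.1 / Server 2012 R2 or later and an elevated PowerShell session; the function names Get-Smb1Exposure and Disable-Smb1 are this example's own, not from any Microsoft or vendor tool.

```powershell
# Added example (not from the original article): audit a Windows host for the
# SMBv1 exposure that WannaCry used to spread, and optionally remove it.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated session.

function Get-Smb1Exposure {
    $result = [ordered]@{
        Computer        = $env:COMPUTERNAME
        Smb1ServerOn    = $null   # server service still accepts SMB1 sessions
        Smb1FeatureOn   = $null   # SMB1 optional feature still installed
        LastSecurityFix = $null   # newest security update, as a patch-currency sanity check
    }

    # Server-side switch: $true means a WannaCry-style worm can still talk to this host over SMB1.
    $cfg = Get-SmbServerConfiguration -ErrorAction Stop
    $result.Smb1ServerOn = [bool]$cfg.EnableSMB1Protocol

    # Feature state: even with the server switch off, the binaries remain until the feature is removed.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) { $result.Smb1FeatureOn = ($feature.State -eq 'Enabled') }

    # Most recent security update; a date before March 2017 means MS17-010 cannot be present.
    $fix = Get-HotFix | Where-Object Description -eq 'Security Update' |
           Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($fix) { $result.LastSecurityFix = '{0} ({1:yyyy-MM-dd})' -f $fix.HotFixID, $fix.InstalledOn }

    [pscustomobject]$result
}

function Disable-Smb1 {
    # Stop accepting SMB1 connections immediately (no reboot needed for this step).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMB1 client and server components; takes effect after a reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

$state = Get-Smb1Exposure
$state | Format-List
if ($state.Smb1ServerOn -or $state.Smb1FeatureOn) {
    Write-Warning 'SMBv1 is still enabled: this is the protocol WannaCry exploited (MS17-010). Confirm nothing legacy depends on it, then run Disable-Smb1.'
}
```

Two caveats that matter in a water company. First, the OT constraint described earlier applies here: old HMIs, historians and file shares on Windows XP or Server 2003 often speak only SMBv1, so switching it off blindly can stop a plant; where it must stay, isolate that host from the corporate network and make sure MS17-010 is applied. Second, Windows 7 and Server 2008 R2 lack the Get-SmbServerConfiguration cmdlet; on those hosts Microsoft's documented method is the registry value SMB1 (DWORD 0) under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, followed by a reboot.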
Justin Lowe and Sydney Grenzebach are cyber security specialists at PA Consulting Group.