October 2023 Special Edition - Cybersecurity
The Pennsylvania Department of Environmental Protection (DEP) Bureau of Safe Drinking Water is proud to provide updates, information, explanations and reminders to you with this edition of the Drinking Water News. In this issue:
  • Did you know? …October is Cybersecurity Awareness Month!
  • Four Basic Goals to Achieve Better Cybersecurity in your PWS
  • What is the difference between IT and OT?
  • Remote Access and Cybersecurity Threats
  • Withdrawal of Memo RE: Cybersecurity and Sanitary Surveys
  • Cybersecurity Tools and Resources
Your feedback and suggestions can be submitted to dagrube@pa.gov.
This special edition of the Drinking Water News contains useful information about cybersecurity and provides links to useful tools to improve your cybersecurity efforts.
Did you know? …October is Cybersecurity Awareness Month!
Jill Anderson, Technical Support Section Manager, DEP Central Office
October 2023 marks the 20th anniversary of Cybersecurity Awareness Month. This initiative is a collaboration between the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance to raise awareness about the critical importance of cybersecurity and staying safe online. The overall goal is to remind everyone that taking small steps and implementing even the most basic cybersecurity practices can go a long way toward keeping your data safe and protecting your system from data breaches.
Cybersecurity Awareness Month 2023 focuses on four key behaviors to protect yourself and your data online. These four key behaviors are an example of basic cybersecurity practices that can help guard your system against an online attack. The four key behaviors are:
  • Use strong passwords and a password manager
  • Turn on multifactor authentication
  • Recognize and report phishing
  • Update software
To learn more about Cybersecurity Awareness Month 2023 and the four key behaviors listed above, please visit: Cybersecurity Awareness Month - National Cybersecurity Alliance
You should review these previous articles in the DWN on cybersecurity:
Four Basic Goals to Achieve Better Cybersecurity in your PWS
Scott Alderfer, Water Program Specialist, DEP Central Office
Anyone who has experienced identity theft can likely tell a few horror stories about unauthorized charges on their credit cards. If you’re lucky, your bank will cancel the fraudulent charges on your account. On a much larger scale, cyber criminals and cyber terrorists pose numerous risks to nations, utilities, medical facilities, manufacturing enterprises, and financial institutions. These risks include blackouts, failure of military equipment, breaches of national security secrets, theft of valuable and sensitive data, computer and phone and internet network disruptions.
Cyber-attacks on a public water system (PWS) can have dire effects for the PWS and for customers of the breached system. Attacks could affect your PWS’s Operations Technology (OT) system as well as the Information Technology (IT) system. An IT breach could expose employee data like social security numbers or payroll direct-deposit information. Customer data could be exposed as well. Hacking into the OT system could cause serious problems ranging from hijacking chemical dosing pump operation to shutting down intake pumps or well pumps, effectively disabling your PWS’s entire operation.
To address cyber threats to PWSs, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been working with industry and interagency partners to develop a set of voluntary Cross-Sector Cybersecurity Performance Goals (CPGs). These goals were first introduced in December 2022 and updated in March 2023. The goals include a combination of recommended practices for IT and OT owners, including a prioritized set of security practices.
The CPGs are intended to provide PWSs with a five-pronged approach to addressing cybersecurity threats:
  1. Identify - Develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. A single leader is responsible and accountable for cybersecurity within an organization.
  2. Protect - Develop and implement the appropriate safeguards to ensure delivery of services. Organizations should prohibit connecting unauthorized media and hardware to IT and OT assets, such as by limiting use of USB devices and removable media or disabling AutoRun.
  3. Detect - Develop and implement the appropriate procedures to identify the occurrence of a cybersecurity event. Without the knowledge of relevant threats and ability to detect them, organizations risk that threat actors may exist undetected in their networks for long periods.
  4. Respond - Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. All cybersecurity incidents should be reported promptly to the FBI and CISA.
  5. Recover - Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
While the full range of cybersecurity measures recommended by CISA would likely be implemented by many PWSs as funding allows for hardware and software upgrades, PWSs can achieve some peace of mind by implementing four actions that CISA has prioritized to provide organizations with a basic level of cybersecurity. These four actions, all of which are part of the CPG goal framework, are:
  1. Change default passwords. Default passwords are risky because they typically do not get changed regularly and they can often be guessed by employees who are not authorized to access certain networks or by former employees. Users’ passwords should be as strong as possible and changed on a regular basis, such as every few months. IT and OT assets should never have the same passwords.
  2. Implement phishing-resistant multifactor authentication (MFA) for log-ins. MFA involves sending a unique one-time code to the user that must be promptly entered to complete the log-in process immediately after the user enters their password. MFA is generally considered to be phishing-resistant.
  3. Have separate user and privileged accounts. An example of a privileged account would be an administrator account that has privileges to add or delete users on a network and to install and delete files from a secure server. These are privileges that only key users should have and only if necessary.
  4. Create, maintain, and exercise Incident Response Plans. In the event of a cyber security breach, having a solid Incident Response Plan already in place is crucial for mitigating damage from the cyber intrusion.
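The four actions above can be turned into a routine check against an account inventory. The following is an added example, not code from DEP or CISA: it audits a constructed inventory of login accounts and a constructed incident response plan record for each of the four actions. Every asset name, user name and record is constructed; the "password_fingerprint" field, the 180-day password-age limit and the one-year exercise interval for the response plan are assumptions made for illustration, not values taken from the CPGs.

```python
"""
Added example (not from the DEP newsletter or CISA): an audit of a
constructed account inventory against the four prioritized actions.
Every record, asset name and user name below is constructed; the
180-day password age and 365-day incident-response exercise interval
are assumed thresholds, not values from the CPGs.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=180)     # assumption for "every few months"
MAX_IR_EXERCISE_GAP = timedelta(days=365)  # assumption: exercise the plan yearly

# Constructed inventory: one record per login account on one asset.
# "password_fingerprint" stands in for a salted hash an inventory tool
# would store; equal fingerprints mean the same password on two assets.
INVENTORY = [
    {"asset": "scada-hmi-01", "zone": "OT", "user": "admin", "vendor_default_user": True,
     "password_changed": None, "password_fingerprint": "f1",
     "mfa": False, "privileged": True, "daily_use": True},
    {"asset": "billing-srv", "zone": "IT", "user": "jsmith", "vendor_default_user": False,
     "password_changed": date(2023, 8, 1), "password_fingerprint": "f1",
     "mfa": True, "privileged": False, "daily_use": True},
    {"asset": "billing-srv", "zone": "IT", "user": "jsmith-adm", "vendor_default_user": False,
     "password_changed": date(2023, 8, 1), "password_fingerprint": "f2",
     "mfa": True, "privileged": True, "daily_use": False},
    {"asset": "plc-well-3", "zone": "OT", "user": "operator", "vendor_default_user": False,
     "password_changed": date(2022, 1, 15), "password_fingerprint": "f3",
     "mfa": False, "privileged": False, "daily_use": True},
]

# Constructed incident response plan metadata.
IR_PLAN = {"exists": True, "last_exercised": date(2021, 6, 1)}


def audit(inventory, ir_plan, today):
    """Return a list of (rule, asset, user) findings."""
    findings = []

    # Which zones (IT/OT) each password fingerprint appears in.
    zones_by_fp = defaultdict(set)
    for rec in inventory:
        zones_by_fp[rec["password_fingerprint"]].add(rec["zone"])

    for rec in inventory:
        asset, user = rec["asset"], rec["user"]
        # 1. Change default passwords (and rotate the rest).
        if rec["vendor_default_user"] and rec["password_changed"] is None:
            findings.append(("default-password", asset, user))
        elif rec["password_changed"] is not None and today - rec["password_changed"] > MAX_PASSWORD_AGE:
            findings.append(("stale-password", asset, user))
        if {"IT", "OT"} <= zones_by_fp[rec["password_fingerprint"]]:
            findings.append(("shared-password-it-ot", asset, user))
        # 2. Multifactor authentication on every login.
        if not rec["mfa"]:
            findings.append(("no-mfa", asset, user))
        # 3. Separate user and privileged accounts: an admin account
        #    that is also used for daily work defeats the separation.
        if rec["privileged"] and rec["daily_use"]:
            findings.append(("privileged-daily-use", asset, user))

    # 4. Incident Response Plan exists and has been exercised recently.
    if not ir_plan["exists"]:
        findings.append(("no-ir-plan", "-", "-"))
    elif ir_plan["last_exercised"] is None or today - ir_plan["last_exercised"] > MAX_IR_EXERCISE_GAP:
        findings.append(("ir-plan-not-exercised", "-", "-"))
    return findings


def summarize(findings):
    """Count findings per rule, for a quick dashboard view."""
    return Counter(rule for rule, _, _ in findings)


def run_audit(today=date(2023, 10, 15)):
    """Run the audit over the constructed inventory as of a fixed date."""
    return audit(INVENTORY, IR_PLAN, today)


if __name__ == "__main__":
    results = run_audit()
    for rule, asset, user in results:
        print(f"{rule:24} {asset:14} {user}")
    print(summarize(results))
```

On the constructed data the SCADA HMI's vendor "admin" account trips three of the four checks at once (never-changed default password, no MFA, privileged account in daily use) and shares its password with an IT account, which is the kind of finding a small PWS can act on immediately without new hardware. The "mfa" flag is a simple yes/no stand-in and does not judge which MFA method is in use.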
What is the difference between IT and OT?
Jill Anderson, Technical Support Section Manager, DEP Central Office
Most people are familiar with the term IT, which stands for Information Technology. It is a term that has been used for several decades to refer to computers and related equipment. But many of us are not as familiar with the term OT, or Operational Technology, and how it differs from IT. Understanding these two terms, and the differences between them as they relate to the water sector, are an important part of an effective cybersecurity program.
IT systems are informational infrastructure, or systems that manage and process data and communications. IT systems are generally data oriented. The U.S. Environmental Protection Agency (EPA) defines IT as “systems that collect, store, and process data.” Some examples of IT systems include personal computers, computer networks, mobile phones, cloud computing, and the internet.
OT systems are industrial controls, or systems that control machines and industrial operations and processes. OT systems are generally process oriented. EPA defines OT as “hardware or software that detects or causes a change, through direct monitoring of industrial equipment.” Examples of OT systems include Supervisory Control and Data Acquisition (SCADA), Industrial Control System (ICS) that support physical processes, Programmable Logic Controllers (PLC), Computer Numerical Control (CNC), and robots.
Additional differences between IT and OT are listed in Table 1.
Table 1. Differences between IT and OT
One of the differences between IT and OT is the vulnerability of OT systems. OT systems traditionally were kept separate from public networks, so accessibility was limited to select individuals. They were not as vulnerable to remote attacks when they were not connected to the public internet, because there were fewer points of entry. However, there are increasingly more pathways for remote attacks due to increased connectivity, such as putting SCADA systems online for easier access. Many OT systems are designed with accessibility in mind, not security, making them vulnerable to cyber-attacks. OT systems generally have longer equipment lifespans, leading to legacy equipment and outdated technology, which is vulnerable. It is also not common for OT systems to have security capabilities like encryption and authentication, and they are not routinely patched, making them more vulnerable than IT systems. Because OT systems often run proprietary operating systems, a cyber-attack on an OT system typically has a significant impact.
Cybersecurity for IT systems is focused on securing the data and information, protecting confidentiality, and protecting common devices like computers and smartphones. It uses standard tools like antivirus software and firewalls. Generally, IT system security is designed to protect the information first before allowing accessibility. For OT systems, cybersecurity protects critical infrastructure and industrial equipment including machinery and PLCs; this is especially critical if connected to the internet for accessibility or remote operation. OT systems lack traditional security tools and are designed more for accessibility and functionality first, with security secondary. This increased accessibility has made OT more challenging to secure.
You can learn more about cybersecurity basics, including securing IT and OT networks, on the EPA’s website at Cybersecurity Training.
Remote Access and Cybersecurity Threats
Scott Alderfer, Water Program Specialist, DEP Central Office
Remote access software and tools allow public water system (PWS) personnel or their vendors to remotely access networks, computers, and other devices from locations other than their PWS offices or plants. Remote access software, including remote administration solutions and remote monitoring and management (RMM), enables Information Technology (IT) personnel, IT help desks, software providers, and other network administrators to remotely perform functions such as gathering data on network and device health, automating maintenance, PC setup and configuration, remote recovery and backup, and patch management.
Some organizations may use managed IT service providers (MSPs) rather than using in-house IT personnel, or a combination of in-house personnel and an outside MSP. MSPs are third-party service providers that proactively monitor and manage a customer's server / network infrastructure, cybersecurity and end-user systems. Remote access software allows MSPs to access their PWS client’s IT assets, Operational Technology (OT) assets, and industrial control systems (ICS) to ensure continuous operation of PWS facilities.
Remote access allows MSPs, IT help desks, and other providers to maintain multiple networks or devices from a distance. Remote access also allows many business environments, both small and large, to have access to third-party IT, OT, and ICS professionals to troubleshoot issues, monitor for suspicious network activity, and play a significant role in disaster recovery strategies. However, many of the features that make remote access software useful also make it an attractive target and a powerful tool for malicious actors, ironically leaving these same businesses more vulnerable to cyber-attacks.
Remote access software provides IT/OT teams with the ability to detect anomalous network or device issues so they can promptly begin monitoring the systems or devices showing the unusual activity. Cyber threat actors can hijack the same remote access tools to illegitimately access their victims’ systems. Unfortunately, a cyber-criminal’s use of remote access software is sometimes not flagged by security tools or processes as malicious access. Malicious actors can then exploit this breach while evading detection by using the remote access software to establish network connections through cloud-hosted infrastructure.
RMM software is another type of software targeted by cyber threat actors, because the software is able to attain elevated levels of permissions to monitor or operate devices and systems. Once cyber criminals have accessed RMM software, it is relatively easy for them to move laterally on compromised networks and maintain their presence within the system. Although MSPs or IT help desks can monitor multiple devices and networks at once, the ability for cyber threat actors to move laterally through a compromised system makes it more difficult for MSPs and IT help desks to manage multiple intrusions concurrently. Small- and mid-sized businesses rely on MSPs and the use of various types of remote access software to supplement their own IT, OT, and ICS infrastructures without having to develop those capabilities in-house. While using an MSP to monitor networks and devices for suspicious activities can be a savvy move for small and medium sized PWSs, the MSP’s use of remote access software can make a PWS that much more vulnerable to service provider supply chain compromises, exploitation, or malicious use of remote capabilities.
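The two preceding paragraphs describe why a hijacked remote access or RMM session often goes unflagged: the tool itself is legitimate, so a defender has to look at who is using it, from where, when, and how many systems one session touches. The following is an added example, not code from DEP, CISA or any RMM vendor, showing detection logic run over a few constructed remote-access gateway log lines. The log format, tool names ("VendorRMM", "QuickRemote"), user names, host names, the maintenance window and the fan-out threshold are all assumptions for illustration; the IP addresses are RFC 5737 documentation ranges.

```python
"""
Added example (not from the DEP newsletter or any RMM vendor): detection
logic run over constructed remote-access gateway log lines. The log
format, tool names, user names, hosts, policy values and address ranges
are all assumed for illustration; the IP ranges are RFC 5737 documentation
addresses.
"""
from collections import Counter, defaultdict
from datetime import datetime, time, timedelta
import ipaddress

# Constructed log lines: one line per remote-access event.
SAMPLE_LOG = """\
2023-10-12T10:05:11Z tool=VendorRMM user=msp-tech src=198.51.100.20 dst=billing-srv action=session_start
2023-10-12T10:40:02Z tool=VendorRMM user=msp-tech src=198.51.100.20 dst=billing-srv action=session_end
2023-10-12T02:14:07Z tool=VendorRMM user=msp-tech src=203.0.113.45 dst=scada-hmi-01 action=session_start
2023-10-12T02:16:30Z tool=VendorRMM user=msp-tech src=203.0.113.45 dst=plc-gw-01 action=session_start
2023-10-12T02:19:52Z tool=VendorRMM user=msp-tech src=203.0.113.45 dst=historian action=session_start
2023-10-12T11:30:00Z tool=QuickRemote user=operator2 src=192.0.2.77 dst=office-pc-7 action=session_start
"""

# Assumed policy for the PWS: which tools are sanctioned, where the MSP and
# the PWS office connect from, when vendor sessions are expected, and what
# counts as a suspicious fan-out across hosts.
APPROVED_TOOLS = {"VendorRMM"}
APPROVED_SOURCES = [ipaddress.ip_network("198.51.100.0/24"),   # MSP (assumed)
                    ipaddress.ip_network("192.0.2.0/24")]      # PWS office (assumed)
MAINT_WINDOW = (time(8, 0), time(18, 0))   # UTC, assumed
LATERAL_THRESHOLD = 3                       # distinct hosts ...
LATERAL_WINDOW = timedelta(minutes=10)      # ... reached within this span


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text):
    """Return a list of (rule, timestamp, user, target) alerts."""
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    starts = [e for e in events if e["action"] == "session_start"]
    alerts = []

    for e in starts:
        tag = (e["ts"].isoformat(), e["user"], e["dst"])
        # A remote-access tool nobody approved is the first thing to ask about.
        if e["tool"] not in APPROVED_TOOLS:
            alerts.append(("unapproved-tool",) + tag)
        # A sanctioned tool arriving from an address the MSP does not use
        # (for example rented cloud infrastructure) is the hijack case above.
        src = ipaddress.ip_address(e["src"])
        if not any(src in net for net in APPROVED_SOURCES):
            alerts.append(("unapproved-source",) + tag)
        # Vendor sessions outside the agreed maintenance window.
        if not (MAINT_WINDOW[0] <= e["ts"].time() < MAINT_WINDOW[1]):
            alerts.append(("outside-window",) + tag)

    # Lateral-movement pattern: one account fanning out to many hosts quickly.
    by_user = defaultdict(list)
    for e in starts:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            hosts = {x["dst"] for x in evs[i:] if x["ts"] - first["ts"] <= LATERAL_WINDOW}
            if len(hosts) >= LATERAL_THRESHOLD:
                alerts.append(("lateral-movement-pattern", first["ts"].isoformat(),
                               user, ",".join(sorted(hosts))))
                break  # one alert per user is enough to start an investigation
    return alerts


def summarize(alerts):
    """Count alerts per rule."""
    return Counter(a[0] for a in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a)
    print(summarize(found))
```

On the constructed log the daytime MSP session to the billing server raises nothing, while the 2 a.m. burst from an unlisted address is caught three ways (unapproved source, outside the window, three OT hosts in under six minutes), and the unsanctioned "QuickRemote" tool is flagged even though it came from the office range during working hours. The allow-lists and window are the parts a PWS would agree with its MSP in writing; the rules only work if those values are kept current.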
We hope this information will give PWS personnel enough background on remote access software to have a conversation with your IT teams with the goal of closing your cybersecurity gaps.
Withdrawal of Memo RE: Cybersecurity and Sanitary Surveys
Scott Alderfer, Water Program Specialist, DEP Central Office
On March 3 of this year, the Environmental Protection Agency (EPA) issued a memorandum to State Drinking Water Administrators and Water Division Directors explaining the EPA’s expectations for state drinking water regulators to evaluate Public Water Systems’ (PWS’s) cybersecurity preparedness as part of routine sanitary surveys at PWS facilities.
The mandate for PWSs to evaluate their cybersecurity preparedness originated in America’s Water Infrastructure Act of 2018 (AWIA). AWIA amended the Safe Drinking Water Act to require community water systems serving over 3,300 people to, among other actions, assess the risk and resilience of “electronic, computer, or other automated systems (including the security of such systems).” (SDWA Section 1433(a)(1)(A)(i).) AWIA further requires each system to “prepare or revise, where necessary, an emergency response plan,” which must “include strategies and resources to improve the resilience of the system, including the physical security and cybersecurity of the system” (SDWA Section 1433(b)(1)).
In response to the March 2023 cybersecurity mandate from the EPA, the states of Missouri, Arkansas, and Iowa filed a legal challenge to the EPA’s interpretation that state regulators must verify the cybersecurity preparedness of PWSs in their respective states. The American Water Works Association (AWWA) and the National Rural Water Association (NRWA) joined the states’ legal challenge to the EPA’s cybersecurity mandate. AWWA, NRWA, and the three states filing the challenge to EPA’s mandate questioned the legality of the requirement. Additionally, the parties to the challenge had concerns that state primacy agencies do not have the necessary resources, laws, rules or procedures in place to meet the requirements of the mandate.
In July of this year, the U.S. Court of Appeals for the Eighth Circuit granted a request from the three states involved, the AWWA and the NRWA to pause the EPA’s interpretive action that required including cybersecurity assessments as part of the existing sanitary survey program. Due to the pending litigation, the EPA subsequently reexamined their requirement for cybersecurity assessments during sanitary surveys. On October 11, 2023, the EPA published a memorandum entitled Addressing Public Water System Cybersecurity in Sanitary Surveys or an Alternate Process, withdrawing their original cybersecurity memorandum of March 3, 2023.
Despite the EPA’s cybersecurity memo having now been officially withdrawn, one of EPA’s highest priorities is improving cybersecurity across the water sector. The cybersecurity threat to drinking water and wastewater utilities is critical and ongoing.
Cybersecurity Tools and Resources
The Department of Environmental Protection (DEP) is committed to informing and educating water systems about all the available tools and resources to help protect communities from the growing number of serious cyber-threats facing our nation’s water systems.
These are some of the many resources available for increasing cybersecurity awareness.
PWSs themselves can take a number of steps to ensure that their cybersecurity response plans can effectively protect their assets. PWSs are encouraged to review cybersecurity guidance found at the CISA and WaterISAC websites. Here are some quick links to get started:
Look for additional tools and tips in future editions of the Drinking Water News!
Pennsylvania Department of Environmental Protection, 400 Market Street, Harrisburg, PA 17101