A criminal cyber-attack on a UK water company in August 2022, which saw hackers gain access to customer banking details, led utilities to urgently reassess cybersecurity strategies. In this Q&A, Philippe Willems, engineering manager at Ovarro, discusses the enduring challenge for the water sector and what it means for suppliers.
What are the biggest cybersecurity threats facing the water sector today?
The biggest cybersecurity hazard for water companies, and for all critical infrastructure companies, is an attacker taking control of their IT or OT [operational technology] systems to steal data and block or disrupt operations. Risks stem from water companies still using legacy systems which were installed many years, if not decades, ago.
These systems have minimal, if any, cybersecurity features and present a huge digital attack surface – this means there are many pathways an attacker can take to gain unauthorised access to a computer or network.
Protecting insecure legacy infrastructure can seem like a daunting challenge. The main task for water companies is to update or protect their existing systems. This requires a detailed analysis of their OT network vulnerabilities, before establishing an initial plan to protect the most vulnerable entry points for attackers.
Who is behind water sector threats and attacks, and what are their motives?
There are three main attacker types. Hackers who do it for the sake of doing it – they are perhaps the least concerning. Then there are the attackers who want to block access to computer systems using malicious software, such as ransomware, until a sum of money is paid. The most dangerous and under-the-radar, unnoticed threat comes from state-backed attackers trying to gain access to water companies, and other critical infrastructure, in what is called cyber-warfare.
What steps should water companies take to protect their systems from attacks?
First and foremost, companies must undertake a full assessment of their security systems. The correct steps can then be taken to protect these systems. Actions may include replacing existing unsecured devices with cyber-secure devices, by using firewalls, or by segregating IT and OT networks, to ensure any access routes to critical operational networks are blocked to unauthorised users.
How does Ovarro, as a supplier, maintain awareness of emerging threats to your own systems?
As a supplier, we are in the process of obtaining IEC 62443, an international series of standards published by the International Electrotechnical Commission (IEC) that address cybersecurity for operational technology in automation and control systems. This includes not only the certification of our devices but also of our processes and procedures.
We receive security advisories from the Cybersecurity & Infrastructure Security Agency (CISA) about the software components we use in our devices and if we are affected, we publish a security advisory with a description of the fix or workaround we have implemented.
In the UK, Ovarro has joined the Industrial Control System Community of Interest (ICS COI), hosted by the National Cyber Security Centre, to further drive compliance and cutting-edge cyber security into products and practices.
How important is collaboration between water companies and their supply chain partners on this issue?
Water companies and the supplier community must use the same standards:
• IEC 62443-4 for devices
• IEC 62443-3 for integrators
• IEC 62443-2 for owners of systems
This is a key concept of IEC 62443 – companies like Ovarro can provide certified devices, but these devices must be correctly installed and configured by the system integrator. Then the owner, in this case the water companies, must enforce best practices from their employees and other authorised users. If any of these practices are not implemented correctly, the cybersecurity of the whole system will be vulnerable to attacks.
In 2021, industrial cybersecurity platform Claroty performed testing on Ovarro’s TBox remote telemetry unit (RTU) and detected vulnerabilities. How does Ovarro manage vulnerabilities such as this when they are detected?
Any vulnerabilities found by cybersecurity companies are corrected and new versions of our software are released. If there is no correction possible, we establish a workaround. On very rare occasions, we may recommend our customers do not use the affected feature to eliminate risk.
If vulnerabilities are detected, we publish detailed security advisories to inform our customers of technical details and mitigation information and direct them to software updates and workarounds.
For Ovarro, how important is external product testing?
Thorough testing, including by external specialists, is vital. Ovarro carries out multiple stages of testing. The systems are tested in-house first, by engineers in charge of the development, then by a dedicated team assigned to software tests. We also provide beta versions to selected customers who help us to test the systems in real-world situations. Finally, we work with cybersecurity specialists for penetration testing.
Looking forward, is the scale and complexity of cyberattacks against the water sector likely to increase?
Unfortunately, yes, it is a never-ending game. Attackers will always find new ways to penetrate systems and companies are continually assessing how difficult it be to attack their system and how much money it will cost to protect them to an acceptable level.
However, alongside this, the technology to tackle threats is developing at a fast pace and is moving towards being fully automated, driven by artificial intelligence, including machine learning. Of course, robust security cannot be achieved through hardware or software alone, but through a joined-up strategy, comprising people, policies, products and procedures.
Ovarro ensures its products are protected from threats through a continuous process of learning, monitoring and updating. The TBox RTU, for example includes a firewall and can be used to protect downstream devices in the field and to forbid unauthorised accesses and protocols from upstream.
In addition, a VPN [virtual private network] is available to add a cybersecure layer of protection.