Smart Water Networks and Cyber Security

Industrial control systems (ICS) are prone to cyber attacks, with water/wastewater infrastructure no exception. This is evident in several real-world incidents such as the Pennsylvania Water Company hack in 2006, as well as Florida’s Key Largo Wastewater Treatment District hack, and the Tijuana River sewage spill in 2012 (Security Incidents Organization 2015).

Evolution of municipal infrastructure has led to an expanded attack surface with new, exploitable, cyber security vulnerabilities to systems and their users. Intensified risk to, and severity of attacks directed at, national critical infrastructure are brought about with a rise in sophistication of adversary motives, capabilities, and resources. This has resulted in a heightened sense of urgency for water cyber security.

The triad comprising confidentiality-integrity-availability (CIA) has long been a fundamental model in guiding information security implementations, especially in information technology (IT) environments. Applications and services, commercial or enterprise, place a high value on system confidentiality—and ergo privacy. Use of encryption techniques (e.g., HTTPS, SSL, SFTP) is a prominent sign of the priority status confidentiality enjoys, while also ensuring system and communication integrity. Availability, important in fulfilling contractual obligations (e.g., service-level agreements) and providing end-user satisfaction, is typically the more flexible element in constrained environments (e.g., budget and schedule) especially when its complementary elements require ongoing efforts in order to be effective. Examples are prevalent across technologies, wherein system administrators periodically schedule maintenance windows for implementing security patches/fixes—be it an organization’s enterprise resource planning system or a popular online shopping platform.

Contrary to IT, the CIA priority morphs into availability-integrity-confidentiality (AIC) for ICS environments. Lifeline infrastructure sectors ranging from oil and gas to smart water and energy grids emphasize provision of critical products and services to large, diverse, and pervasive consumer bases. An outage to core services such as oil distribution, water distribution and sewage disposal, and electricity provision has severe, transcendent impacts on entire cities, their populations, and day-to-day operations. The unavailability of safe potable water for public consumption or critical services such as firefighting, contrasted with the outage of an e-commerce site, has vastly different qualitative and quantitative impacts—and serves to illustrate the CIA–AIC interchange.

Requirements of incredibly high uptimes and resiliency, however, come at a cost. Sparse maintenance windows, use of proprietary technology, emphasis on lengthy operational system-life, relative inefficacy of traditional IT-based CIA-focused security practices, and a reactive posture are characteristic of most ICS environments. These characteristics, coupled with the severe impact arising from unavailability, create lucrative targets for attackers to advance their agendas.

Attackers are broadly classified as terrorists, state-sponsored actors, hacktivists, cyber criminals, and insiders. In the case of terrorists who seek to harm people and economies and instill fear of continuous threats, targeting of ICS-provided services to achieve their end goals is consistent with their modus operandi. Cyber wars orchestrated by nation states operate in similar fashion, and although not focused on harming individuals, they seek to cripple economies or national initiatives (e.g., STUXNET, which caused severe damage to nuclear plants in Iran) without the need for overt, traditional combat. Hacktivists comprise groups such as LulzSec, and typically target organizations (e.g., Sony Pictures) based on their political ideology, whereas criminals target vulnerable organizations or groups of individuals for monetary gain (e.g., identity theft in the Aetna compromise). Given the proprietary and potentially hazardous nature of many ICS environments, insider threats also pose a serious concern—with the Maroochy Shire incident in Queensland, Australia, a prime example of an event in the water sector, leading to 800,000 L (264,000 gal.) of raw sewage being released into nearby rivers and parks. Over 500 m of open drain were polluted, and the pollution flowed into a tidal canal, resulted in the death of marine life, and caused an unbearable stench arising from the black water formed (Abrams and Weiss 2008).

Previously, relative isolation and segregation of cyber and physical environments served to mitigate many of the above-mentioned threat actors despite inherent security vulnerabilities and weaknesses in water systems. With a growing number of ICS environments being inextricably connected (to each other and intellectual property– (IP-) based IT systems via HTTP, SNMP, Telnet, etc.), the attack surface in water sectors has expanded tremendously. The maxim of security via obscurity has failed miserably, as websites like SHODAN (Matherly 2009), dubbed “the Google for hackers,” serve as a surveillance and search engine for numerous IP-enabled, publicly accessible devices. SHODAN and subsequent projects, such as SHodan INtelligence Extraction (SHINE) (Rashid 2014), were created to increase awareness of publicly accessible systems, the need to improve security, prevent unauthorized access, and initiate action, but are at best a double-edged sword. As an example, SHINE discovered more than 2.2 million publicly accessible supervisory control and data acquisition (SCADA) devices by 182 manufacturers in just one month; however, most ICS owners, operators, and vendors continue to ignore security risks (Glorioso and Stulberger 2015). Adversaries, on the contrary, have swiftly leveraged these reconnaissance tools, leading to increasingly frequent, complex attacks. SHODAN has been recently used to locate and intrude into a water utility control system in the United States (WaterISAC 2015). The ubiquitous availability of numerous water SCADA and business system manuals and scripts further contributes to adversarial risk and underscores the failure of security via obscurity.

As IT and operation technology (OT) converge, traditional best practices of creating air-gaps between corporate and OT networks are difficult to implement and impossible to maintain. The ever-expanding attack surface allows new attack vectors to leverage these networks to gain a foothold and then traverse to the OT infrastructure. Extremely sophisticated attacks (e.g., STUXNET and BlackEnergy campaign) have demonstrated the extent to which cyber security events can originate in IT environments and significantly impact OT. Industrial communication protocols did not envision a connected world when designed. Many protocols were conceived as serial protocols operating in isolated environments and therefore unable to enforce foundational security controls like authentication and encryption. Increased use of commoditized operating systems in ICS (e.g., Windows) renders them susceptible to newly discovered vulnerabilities and zero-day attacks.

Unprecedented interconnectivity of, and interdependency in, modern urban systems results in water-related cyber security attacks having far-reaching, potentially escalatory, adverse consequences across numerous critical infrastructure deployments and operations, and vice versa. Sharing of resources, a consequence of increased interconnectivity and conservation needs, also complicates response mechanisms, as communication systems cannot simply be suspended because of implications involving cascaded outages.

The transition to smart water networks provides invaluable opportunities for enhancing operational efficiency in utility sectors. However, it results in increased risks posed by adversaries and threat actors too. Tremendous benefits are accompanied by requirements for stringent security mechanisms and regulations in order to enable and realize business and functional goals.

A fundamental shift in approach toward system security, both its design and implementation, is needed. Advanced threats often include “low and slow” malware intended to remain undetected for long periods of time and avoid traditional signature detection techniques. Detection requires improved situational awareness and surveillance capabilities that use security infrastructure, operational systems data, and controls system data, whereas prevention relies on predictive analytics. Accordingly, the emphasis should be on orchestrating data collection from various infrastructure components via appropriate connectors and harnessing data processing platforms and learning algorithms to provide advanced security analytics.

In addition to being cognizant of the exponential increase in data generated and processed by smart water systems, operators must account for integrity to generate reliable actionable insights. This requires establishing data provenance and governance frameworks, engineering trust across devices and protocols, and deploying robust, end-to-end security controls to ensure data confidentiality and integrity from edge (devices) to cloud (platforms).

To realize the benefits of proactive asset maintenance and real-time optimization, smart water systems must enable varying levels of autonomous decision-making capabilities. This in turn drives edge security requirements as a result of the inherent trust placed in devices and their data to govern the actions of other devices. Migrating decision making toward the edge, and further enabling machine-to-machine (M2M) communication will need to be carefully considered and administered based on infrastructure security capability limitations.

With ICS security now at the forefront of various industry sectors, approaches toward secure, standardized solutions have surfaced. Although this appears promising, utilities must ensure these approaches are applicable to their vastly dispersed ecosystem, unlike centralized refineries, plants, or mines.

Last but not least, the ongoing infrastructure evolution and cyber security paradigm shift urge revisiting the existing policies and regulations forged around traditional water infrastructure and threats. In light of this urgency, the President’s Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” called on Executive Branch agencies to investigate whether and how existing cyber security regulations should be streamlined and reformed. Citing three resilience factors, the Environmental Protection Agency supports the existing voluntary approach to address cyber risk. The resilience factors are (1) should systems be compromised, manual overrides can be employed; (2) water facilities are generally standalone systems with little or no cyber connections; and (3) a cyber attack may not result in offsite release of onsite chemicals (EPA 2014). The ongoing evolutions and paradigm shifts may nevertheless subvert the sufficiency of such factors. As for the first factor, for instance, as the smart water technologies become ubiquitous, automation will make it more and more unlikely that operators will ever face a situation that requires a manual override—but also more and more unlikely that they will be able to respond in such a manner if a crisis occurs. The Air France Flight 447 tragedy is an archetypal example of this paradoxical phenomenon in which the automated control systems presume preexisting manual control competency and intelligibility. The cyber threat to the nation’s water infrastructure is dynamic and rapidly evolving; outdated policies molded to the isolated, naïve infrastructure of the past should be receptively streamlined and reformed to oblige, incentivize, and create equally agile defense capabilities against today’s threats.