Digital attacks targeting water facilities are on the rise.
In its 2016 Data Breach Investigations Report, for instance, Verizon Enterprise disclosed an incident in which bad actors breached a water treatment plant and altered the levels of chemicals used to treat tap water at that facility.
News of this incident came approximately two years after the ONWASA water facility revealed it had suffered a ransomware attack that had disrupted its internal computer system in the wake of Hurricane Florence.
Less than a year after that, the Coloradoan reported how INTERPOL had found and released a decryption key that in turn helped the Fort Collins Loveland Water District and South Fort Collins Sanitation District recover from a ransomware attack.
Given these attacks, it’s no wonder that industry leaders are coming up with new guidelines designed to help water facilities better defend themselves against digital attacks.
Most recently, WaterISAC published 15 guidelines that water and wastewater utilities can use to protect against digital threats. These security fundamentals include the following:
Asset Inventory Database
You can’t protect what you don’t know you have. It’s therefore imperative that water facilities create an inventory of assets that are on their networks and the types of information those assets provide.
This effort should consist not only of network scanning but also of physical inspection, as the former can uncover only so much. In the process, these utilities will reveal blind spots by identifying what shouldn’t belong on the network.
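As an added illustration (not part of the original post or of WaterISAC's guidance), the sketch below reconciles a network-scan export against a physical-inspection list to surface both kinds of gap described above. The CSV layout, field names and all records are constructed assumptions.

```python
# Added example: field names (mac, ip, name, location) and all rows are
# constructed sample data, not a WaterISAC or vendor format.
import csv
import io

# Constructed sample: what a network scan reported seeing.
SCAN_CSV = """mac,ip,name
00-1A-2B-00-00-01,10.10.1.10,plc-intake
00:1a:2b:00:00:02,10.10.1.11,hmi-control-room
00:1A:2B:00:00:99,10.10.1.57,
"""

# Constructed sample: what staff recorded while walking the plant.
INSPECTION_CSV = """mac,name,location
00:1A:2B:00:00:01,plc-intake,Intake building
00:1A:2B:00:00:02,hmi-control-room,Control room
00:1A:2B:00:00:03,chlorine-analyzer,Chemical room
"""


def normalize_mac(mac):
    """Canonical form so '00-1a-..' and '00:1A:..' compare equal."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load(text):
    """Index CSV rows by normalized MAC address."""
    return {normalize_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}


def reconcile(scan_text, inspection_text):
    """Split assets into confirmed, scan-only and inspection-only sets."""
    scan, seen = load(scan_text), load(inspection_text)
    return {
        # On the wire but not found on site: may not belong on the network.
        "unaccounted_on_network": sorted(scan.keys() - seen.keys()),
        # Found on site but invisible to the scan: a scanning blind spot.
        "missed_by_scan": sorted(seen.keys() - scan.keys()),
        "confirmed": sorted(scan.keys() & seen.keys()),
    }


if __name__ == "__main__":
    for bucket, macs in reconcile(SCAN_CSV, INSPECTION_CSV).items():
        print(bucket, macs)
```

Entries in `unaccounted_on_network` are candidates for investigation, while entries in `missed_by_scan` show where scanning alone would have left the inventory incomplete.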
Water facilities need to identify security gaps and vulnerabilities in their environments. The best way they can accomplish both of these tasks is with the help of risk assessments.
In order to effectively prioritize risks on key assets, these utilities should conduct such evaluations on a regular basis. This isn’t always easy to do, but ...
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/ics-security/waterisac-security-fundamentals/