Water & Wastewater Asia Sep/Oct 2020

From IT to OT, and navigating the in-between

For water utilities and operators, the digital landscape is fraught with potential hazards. Water and Wastewater Asia speaks to Claroty’s Eddie Stefanescu to learn more about what industry players can do to even the playing field.

In 2015, the USA’s Department of Homeland Security (DHS) released a report detailing how the nation’s water grid was vulnerable to attacks by hackers. This is, of course, no surprise to water utilities today, which have in recent years become increasingly reliant on modern technology and the Internet to operate their networks. These digital, virtual tools can help to increase reliability and lower labour costs, but provide one more thing for utilities to worry about: potential cyberattacks.

According to Claroty’s regional vice president of Business (Asia Pacific & Japan), Eddie Stefanescu, water utilities are especially vulnerable during global crises such as the current COVID-19 pandemic.

“At the start of the pandemic, organisations found themselves rapidly pivoting to a largely remote workforce, which can make it difficult to keep track of remote access activity,” he commented. “Over the past decade, we have seen a proliferation of internet-connected operational technology (OT), especially industrial control systems (ICS), as part of a broader trend of digital transformation in the water utilities sector and beyond. While this trend brings important benefits such as automation, monitoring and analytics, it is also increasing the possibility of cyberattacks, since breaches in an IT system can spread to the OT systems, and vice versa.
Threat actors may take advantage of such periods of uncertainty to launch cyberattacks, which compounds the need to be vigilant, and to safeguard our water and wastewater networks.”

In one such example, Israel’s Water Authority and National Cyber-Directorate (INCD) reported a cyberattack in April this year, which attempted to target the Water Authority’s command and control systems. These systems manage wastewater treatment plants, pumping stations and sewage infrastructure. A Financial Times report later claimed that the hackers had gained access to some of Israel’s water treatment systems and tried altering water chlorine levels before being detected and stopped. If the attack had been successful and water chlorine levels had been adjusted, attackers could have caused mild poisoning to the local population served by the affected treatment facility.

Stefanescu said, “The Israeli authorities later reported that the incident appeared to be coordinated, but fortunately no damage had occurred other than limited disruptions in local water distribution systems. If, for example, the attackers had successfully tampered with the control systems and, say, had added too much chlorine to the national water supply, it may have led to devastating consequences. The recency of this attack, and its potential for widespread harm, serves as an important reminder to us to keep water and wastewater infrastructure cyber-safe.”

More recently, officials from the Water Authority have reported two more cyberattacks on Israel’s water management facilities in June, which were unsuccessful in causing damage to the targeted organisations.

IT VS. OT

One important factor in properly securing water utilities is differentiating IT and OT assets. Stefanescu explained, “IT assets, such as computers and communication devices, are designed for interconnection. Correspondingly, IT security is a mature field, with several decades of development to protect devices from digital threats.
On the other hand, OT assets, which include sensors and control systems for pumping stations, water treatment plants and more, were not designed to be connected, but rather to work in isolation, thus remote attacks on such assets are not a concern. Furthermore, while IT networks use standardised protocols, OT networks typically use proprietary protocols, which are largely unrecognisable by IT security tools.”

Eddie Stefanescu, Regional VP Business – Asia Pacific & Japan, Claroty

By Natalie Chew