&EPA United States Environmental Protection Agency Cyber Security 101 for Water Utilities Many drinking water and wastewater utilities today depend on com- puter networks and automated control systems to operate and monitor processes such as treatment, testing and movement of water. These industrial control systems (ICSs) have improved drinking water and wastewater service and increased their reliability. However, this reliance on ICSs, such as Supervisory Control and Data Acquisition (SCADA), has left the Water Sector and other interdependent critical infrastruc- tures, including energy, transportation and food and agriculture, poten- tially vulnerable to targeted cyber attacks or accidental cyber events. A cyber attack causing an interruption to drinking water and wastewater services could erode public confidence, or worse, produce significant public health and economic consequences.1 Establishing facility and information access controls, which includes cyber security, is one of the Key Features of an Active and Effective Protective Program. The U.S. Environmental Protection Agency (EPA), in collaboration with the Water Sector, developed the Key Features to strengthen the security and resiliency of water systems in the face of all hazards. THE KEY FEATURES 1 Integrate protective concepts into organizational culture, leadership and daily operations 2. Identify and support protective program priorities, resources and utility- specific measures 3. Employ protocols for detection of contamination 4. Assess risks and review vulnerability assessments (VAs) 5. Establish facility and information access control 6. Incorporate resiliency concepts into physical infrastructure 7. Prepare, test, and update emergency response and business continuity plans 8. Develop partnerships with first responders, managers of critical interdependent infrastructure, other utilities and response organizations Develop and implement internal and external communication strategies Monitor incidents and threat-level information 9. 10. Types of Cyber Attacks on Water Systems A cyber attack is an attempt to undermine or compromise the function of ICSs, or attempt to track the online movements of individuals without their permission. Attacks of this type may be undetectable to the water utility or SCADA system administrator but can lead to a total disruption of a water utility's network. Examples of these attacks include: • Denial of Service: Flooding a resource (a network or Web server) with thousands of false requests so as to crash or make the resource unavailable to its intended users • Spyware: Monitors user activity • Trojan Horse: Malicious file or program that disguises itself as a legitimate file or program • Virus: Attaches to existing programs, then replicates and spreads from one computer to another • Worm: Malicious file that replicates itself and spreads to other computers • Sniffer: Monitors information traveling over a network • Key Loggers: Records and transmits keystrokes and transmits to the originator • Phishing: Fake websites or e-mail messages that look genuine and ask users for confidential personal data 1 "Water Security Roadmap to Secure Control Systems in the Water Sector," developed by the Water Sector Coordinating Council Cyber Security Working Group, March 2008. ------- Cyber Security 101 for Water Utilities page 2 Highlighting Real-World Cyber Attacks The following are actual cyber incidents that impacted water utilities and illustrate the types of damages and impacts these attacks can cause:1 Queensland, Australia, 2001: Former employee of software development company hacked 46 times into the SCADA sys- tem that controlled a sewage treatment plant, releasing over 264,000 gallons of raw sewage into nearby rivers and parks. Harrisburg, PA, 2006: Foreign hacker penetrated security of a water filtering plant through the Internet. The intruder planted malicious software that was capable of affecting the plant's water treatment operations. How Can Cyber Attacks Affect Water Systems? Cyber incidents can affect water system operations in a variety of ways, some with potentially significant adverse effects to public health and the environment. Examples of potential impacts include:1 • Interference with operation of water treatment equipment, causing chemical over- or under-dosing • Unauthorized changes to programmed instructions in local processors which enable individuals to take control of drinking water distribution or wastewater collection systems potentially resulting in disabled service, reduced pressure flows of water into fire hydrants, or overflow of untreated sewage into public waterways • Changing or disabling alarm threshold, which could delay detection of intrusion or water contamination Preventing Cyber Attacks Water utilities can reduce vulnerabilities from cyber attacks or events by: (1) iden- tifying systems that need to be protected, (2) separating systems into functional groups, (3) implementing layered or tiered defenses around each system, and (4) controlling access into, and between, each group. Utilities should also: • Institute procedures to limit number of individuals with authorized access to networks • Update software on a regular basis • Require strong passwords • Install and maintain anti-virus software • Employ intrusion detection systems and firewalls To be most effective, water utility cyber security programs should build on strong organizational security policies, utility- wide security awareness, and effective personnel and physical security practices. Where to go for additional information on Cyber Security — Additional resources and guidance documents on cyber security applicable to the Water Sector include: • Water Security Roadmap to Secure Control Systems in the Water Sector: De- veloped by Water Sector Coordinating Council Cyber Security Working Group, in accordance with the Department of Homeland Security's National Infrastructure Protection Plan partnership model: http://www.awwa.org/files/GovtPublicAffairs/ PDF/WaterSecuritvRoadmap031908.pdf • Water Information Sharing and Analysis Center (WaterlSAC): Secure, Web-based clearinghouse that helps water utilities, state and federal agencies, first responders, law enforcement, and public health officials prepare for water service interruptions: https://portal. waterisac.org • U.S. Department of Homeland Security, Control Systems Security Programs (CSSP): Coordinates activities to reduce likelihood of success, and severity of im- pact, of cyber attacks against critical ICSs: http://www.us-cert.gov/control_svstems • CSSP's Cyber Security Evaluation Tool (CSET): Desktop software tool that guides users through step-by-step process to assess their control systems and IT network security practices: http://us-cert.gov/control_systems/satool.html FOR MORE INFORMATION: EPA is committed to ensuring the Water Sector can access information and tools that enable utilities to enhance the security of their cyber systems. For more information on EPA's support for the Key Features of an Active and Effective Protective Program, visit http://water.epa.gov/infrastructure/watersecuritv/features or email WSD-OutreachOepa.gov. Office of Water (4608-T) EPA 817-K-12-004 www.epa.gov/watersecurity July 2012 ------- |