Vulnerability Management in the Water Sector

The water sector is one of the critical infrastructures (CRITIS). A successful attack on the sector can lead to significant hygiene and health problems and, in the worst case, threaten human lives. At the 6th VDI conference on “Optimizing Industrial Wastewater Treatment Plants”, Greenbone will provide information on vulnerability management in the water sector and how the attack surface of IT infrastructures can be reduced by early detection and elimination of vulnerabilities.

Everything Fine Thanks to Digitization?

Digitization is seen as the savior of the hour. Even if this may be viewed critically at times, this development cannot be stopped. There are simply too many reasons in favor of digitization. But there are also many reasons that we need to take a critical look at, especially where our security is concerned. The more information technology we put in place, the more digitized attack surfaces we offer.
Malicious users of these attack surfaces can operate globally, and likewise digitized currencies like Bitcoin allow them to profit from vulnerabilities globally as well.

Unlike a bank robbery, an attack on an industrial wastewater facility is more of a a means to an end. The attacker does not want the contents of a safe, but rather targets the vulnerability as such in order to gain advantages, usually through blackmail. Not only technical systems themselves are attacked, but often also the technical and organizational environment from networks to administration. These attackers are not hackers with hoodies and matrix screen savers who just happen to have emergency on their account, but criminal organizations that are industrially and professionally organized. We must arm ourselves against them with resilient organizations, processes and solutions. This brings the topic of cyber resilience more and more to our attention.

Cyber resilience is the ability of a company or organization to maintain its business processes despite adverse cyber circumstances. These can be cyber attacks, but also unintentional obstacles such as a failed software update or human error. Cyber resilience is a comprehensive concept that goes beyond IT security. It combines the areas of information security, business continuity, and organizational resilience. To achieve a state of cyber resilience, it is important to identify vulnerabilities early, prioritize them economically, and eliminate them.

Why Cyber Resilience Is Particularly Important for Critical Infrastructures

Sustainable cyber resilience is important for companies in all industries. But it is indispensable in the area of critical infrastructure (CRITIS). As defined by the German government, this includes “organizations or facilities of critical importance to the state community, the failure or impairment of which would result in sustained supply shortages, significant disruptions to public safety, or other dramatic consequences.”

CRITIS organizations must therefore protect themselves particularly well against cyber attacks – this is required by law. The EU launched the European Programme for Critical Infrastructure Protection (EPCIP) back in 2006 and expanded and supplemented it in subsequent years. Member states are implementing the EU NIS directive in national law, Germany for instance with the IT Security Act (IT-SIG). Large economic nations have already developed regulatory bodies. In the U.S., for example, this is the National Institute of Standards and Technology (NIST) and in Germany the Federal Office for Information Security (BSI).

In Germany, the critical infrastructures are divided into 9 sectors. One of these is the water sector with the divisions of public water supply and wastewater disposal. It includes, for example, waterworks, pumping stations, water pipelines and networks, wastewater treatment plants, the sewerage system, and dam and flood protection facilities. They all play a critical role in our society.

Attacks on the water supply could therefore hit a society to the core and, in the worst case, threaten human lives. Attacks on the wastewater disposal system are just as dangerous. If it no longer functions, the result would be considerable hygienic and health problems. Since the water infrastructure uses many IT systems and electronic control systems (ICS) nowadays, it becomes an attractive target for hackers.

Incidents Show the Vulnerability of the Water Sector

In recent years, there have been numerous attacks on water infrastructures worldwide. Fortunately, there have been no serious consequences so far. However, the attacks show that hackers are exploring how to take control of control systems and prepare further attacks. In 2013, for example, Iranian hackers attempted to penetrate the systems of the Bowman Avenue Dam near the town of Rye Brooke, near New York. The dam is used to control the flow of water after heavy rains and prevent flooding of the town. The hackers managed to gain control over the flood gates’ control system. However, as these were currently offline due to maintenance, the cyber criminals were fortunately unable to cause any damage.

In March 2016, security specialist Verizon reported a cyber attack on a U.S. water utility known by the pseudonym Kemuri Water Company in its monthly Security Breach Report. Hackers had penetrated the SCADA platform. This allowed them to manipulate programmable logic controllers. They changed settings on the water flow and the amount of chemicals added for water treatment. Fortunately, the water utility quickly discovered the incident and was able to correct the settings without causing any major damage. For their attack, the hackers exploited an unpatched vulnerability in the customer payment portal.

Between November 2016 and January 2017, cyber criminals hacked several wireless routers at a U.S. water agency. The routers were used to provide secure wireless access for pump station monitoring. Fortunately, however, the attackers were not looking to sabotage, but were targeting the agency’s Internet resources. Their bill rose from an average of $ 300 per month to a whopping $ 45,000 in December and $ 53,000 in January. For their attack, the hackers exploited a vulnerability in the routers of the manufacturer Sixnet. According to its own information, Sixnet had already made a patch available in May, but the authority had not installed it.

Over the past year, Israel has been the victim of multiple cyber attacks on water supply and treatment facilities. In April, hackers undertook a major cyber attack on control and monitoring systems at wastewater treatment plants, pumping stations and sewers, the Israeli National Cyber Directorate (INCD) said in a statement. The INCD then demanded companies in the water sector to change passwords for all systems connected to the Internet-connected systems and to ensure that control system software is up-to-date. The hackers attempted to change the chlorine content of water at a water treatment plant. The attack was not successful. Had it been, it could have resulted in mild intoxication of the population served by the treatment plant. Back in June, there were two more attacks on Israel’s water facilities. This time, agricultural water pumps were affected.

Although there has not yet been a comparable incident in Germany, the Federal Office for Information Security (BSI) reports about the implementation of the necessary organizational and technical precautions to prevent disruptions in its current report on the state of IT security in Germany. In the water sector, this reveals deficiencies in the areas of network separation, emergency management and physical security. In the reporting period from June 2019 to May 2020, there were several incidents in the water sector in Germany that were due to faults in control components. Remediation of the malfunctions was very lengthy and costly. Damage was avoided by operators acting prudently and having redundancies in place.

Attack Points in the Water Sector

IT and OT systems support the water cycle. In water production (1), quality control systems and digital pump control are used to manage water inflow from various sources towards water distribution (2). Digital metering and control methods monitor water pressure and quality in the water network and are thus part of the overall IT attack surface. In sewage systems (3), wastewater pumps and pre-treatments by filters, which are monitored at central points, are used. Water treatment (4) is a critical component due to the necessary digitalized control of physical, chemical and biological processes.

Many networked IT systems and industrial control systems are therefore used in drinking water supply and wastewater disposal, enabling largely automated processes. Examples include sensors for temperature, flow rate, or chlorine content, remotely readable meters, and web portals and mobile apps for customers.

Challenges for Cyber Resilience in the Water Sector

To reduce their attack surface for cyber criminals, water sector organizations must consider the full range of networked systems, devices and applications.

But this is not always easy. One problem is that the ICSs used in the water infrastructure come from different generations. Many of the older control systems were developed at a time when little or no consideration was given to cyber security. This leads to a heterogeneous, vulnerable IT landscape. Additionally, the high degree of automation and dependence on industrial controls makes water infrastructure particularly vulnerable to attack. Furthermore, the IT systems in use are becoming increasingly complex. This makes it difficult for companies to achieve a sufficient level of protection. The increasing networking of components within the field and control level as well as the control and process control technology increases the complexity even further.  At the same time, this increases the attack surface for hackers. They have more and more opportunities to penetrate networks, steal data or manipulate industrial controls.

Even Previously Unexploited Vulnerabilities Should Not Be Underestimated

A recent study by Kenna Security found that the total number of vulnerabilities discovered per year has increased from 4,100 in 2011 to 17,500 in 2021. On the other hand, the percentage of vulnerabilities exploited by hackers has not grown at the same rate. What is the reason for this?

Cyber crime follows the same economic rules as any other business model: least investment for maximum result. But cyber crime also suffers from the same problem as the IT industry in general: experts are a limited resource.

Companies cannot change this initial situation, but they can ensure that their attack surface is reduced. Tolerating a large attack surface, even if the vulnerabilities are not yet weaponized, is replacing control with gambling. As soon as it seems cheaper for cyber criminals or the outcome is promising, cyber crime will focus on vulnerabilities that are not yet weaponized, and the conversion of vulnerabilities into weapons will happen quickly.

Even worse is the motivation of cyber terrorists, who have so far been fortunately unsuccessful due to a lack of expertise. It is unclear whether they will gain the necessary skills and if so, when. But they do not follow the rules of economics, which makes them less predictable in selecting targets and suitable weaponized vulnerabilities.

In essence, there are two good general reasons why organizations should establish a process to manage and minimize their entire attack surface and not just focus on current (or likely) weaponizable vulnerabilities:

• Pandemic risk: while it may not be attractive for a single criminal organization to invest in turning a more expensive vulnerability into a weapon, the more organizations choose not to do anything about that vulnerability, the more interesting it becomes. The fewer that are vaccinated, the better the pandemic spreads.
• Automation risk: automating exploits is not only an attractive, cost-effective way to go. It significantly reduces the window of opportunity to respond with countermeasures.

Reduced Attack Surface with Vulnerability Management

Regardless of how many vulnerabilities exist, managing damage and actively countering ongoing attacks becomes exponentially expensive for organizations if not accompanied by an ongoing process that identifies, manages and reduces the attack surface.

Cyber resilience is a continuous process. It strengthens an organization’s ability to withstand an attack and enables it to continue to function during an attack. To achieve this, it is important to reduce the attack surface and thus stabilize the base. This means identifying vulnerabilities that could be exploited by an attacker and thus staying one step ahead of the attacker.

999 out of 1,000 vulnerabilities have been known for over a year. With vulnerability management, this means that these vulnerabilities can be identified and eliminated before they are exploited by an attacker. This greatly reduces the attack surface of the IT infrastructure.

Vulnerability management systems are fully automated and, thanks to features such as schedules and custom scan configurations, offer users the ability to create complete vulnerability management processes that constantly scan for vulnerabilities. As a result, vulnerability management ensures more resilient systems in the long term.