Water Online

March 2013

Water Online the Magazine gives Water & Wastewater Engineers and end-users a venue to find project solutions and source valuable product information. We aim to educate the engineering and operations community on important issues and trends.

Issue link: http://wateronline.epubxp.com/i/110987

Cybersecurity

...constructing an executive order (EO) that would maintain voluntary best practices, jointly determined by a collection of private businesses and the DHS, but would not – because it legally could not – include the compliance incentives that the bill would have provided.

Even if the EO is issued – at the time of writing it was under consideration – the bottom line remains the same: in the absence of true cybersecurity legislation, much of the onus is on utilities and security providers to protect water infrastructure and consumers.

For its part, the federal government is taking steps to facilitate this task. A recent report by enterprise software and information solutions provider Deltek forecasts that federal spending on vendor-supplied information security tools and services will grow from just under $10 billion in 2012 to $14 billion in 2017, or 7.6% annually over the next five years.

Furthermore, every government proposal put forth recommends that a framework be set up to enable information sharing, which politicians from both parties and security experts agree is the key to combating cyberattacks and mitigating their impact. Such a framework would allow for unprecedented knowledge transfer, whereby the government can issue security clearances for private companies to access classified information. However, it will also be incumbent upon the government to provide assurances that privacy and civil liberties are protected – one of the thornier issues that arose during the legislative process.

Pending the rollout of this information-sharing framework, I asked Senator Carper what immediate steps water utilities can take to better protect themselves from cyber threats. His response was to practice good "cyber hygiene," which would entail, first and foremost, a thorough risk assessment of your systems and practices. With both the threat and the information technology landscape changing so rapidly, there are multiple levels of consideration.

"Security is not part of water expertise, and water devices were certainly not built with security in mind."

Taking Action: Steps To Assessing And Resolving Risk

To paraphrase former Secretary of Defense Donald Rumsfeld, there are known knowns, known unknowns, and unknown unknowns. While this quote is infamous for eliciting a nationwide "huh?", it actually represents valid and logical risk-assessment methodology – long-used by the military and later adopted by NASA for its space missions.

Here's how Rumsfeldian risk analysis would apply to the water sector, with action items to address each type of risk.

Known Knowns – Things That We Know We Know

This category would include known viruses, such as Stuxnet, as well as the vulnerabilities that have been exposed by such viruses. Discovered in 2010, the Stuxnet worm – called "the most menacing malware in history" and "the world's first real cyberweapon" by Wired magazine [1] – targeted Siemens industrial software and equipment, doing specific damage to nuclear facilities in Iran (as was intended, it is widely surmised). Stuxnet is notable in that it was the first known malware to spy on and subvert industrial systems, using Microsoft Windows as a pathway to gain access to the supervisory control and data acquisition (SCADA) system.

Patches for Stuxnet were developed, but a larger issue persists, says Nate Kube, CTO at Wurldtech Security Technologies. "This kind of malware is a threat to all networked systems, not simply because it attacked a control system, but because it combined multiple, state-of-the-art attack techniques to deliver its payload and produce the intended consequences," Kube warned. "The delivery mechanism is highly modularized, just like a professional software application. It can be easily retooled for a different target using new exploits."

While Stuxnet was initially delivered through removable portable media such as USB flash drives, there are multiple points of exposure, or vulnerabilities, when it comes to cyber intrusion. The most egregious is to have your control system directly connected to the Internet, and according to Kube, this is not uncommon in the water industry. For example, in the wake of Stuxnet a 22-year-old hacker gained full access to a South Houston water treatment plant – all because the information was readily available on the Internet, found through a search engine called Shodan that specifically mines IP addresses.

In addition to exposure through portable media and the Web, cyber threats can be introduced through support systems connecting to the local network, already-compromised systems connecting over a virtual private network (VPN), or by a trusted insider.

How to prepare: Install patches or defenses such as intrusion detection/prevention systems for all known threats, and be wary of connecting systems directly to the Internet. If your equipment is online, the best way to defend against discovery tools like Shodan is to ensure that no information is present on Web pages that aren't behind a login screen or in banners for terminal services such as Telnet or SSH (Secure Shell).

Known Unknowns – Things That We Know We Don't Know

We know that there are new viruses and malware being developed and that there are malicious entities targeting utilities at an increasing rate, but the nature of the attack – the who, how, and where – remains unknown.
