Critical national infrastructure is a high value target for all types of cyber attacks, from profit-minded criminals to rogue nations wanting to cause major – potentially life threatening – disruption.
Water companies are underpinned by both operational technology (OT) and information technology (IT), and they increasingly use Internet of Things (IoT) devices for analysis and data collection.
The more reliance on technology, the more opportunity for cyber attacks. Cyber defence revolves around protection in strength and depth; each and every technology stack should be as secure as possible, but none more so than communications. Cyber attacks are more impactful, and take longer to resolve, when the communications platform is compromised as part of the attack.
Bad actors weaponize water
The threat landscape constantly evolves; attackers learn from each other and exploit new opportunities. Types of attacks also vary in line with different motivations from those seeking to disrupt. The most sophisticated attacks often involve months or years of planning, and often target a specific company or sector.
Last year saw a rise in attacks on all types of utility companies, partly due to the Russian-Ukrainian conflict. But it’s notable that in the summer of 2022, when water companies were already facing the pressure of water shortages and introducing hosepipe bans, a UK water supplier which serves 1.5 million people disclosed it was hit by a cyberattack. This incident led to a rethink on the national infrastructure of the UK, with security experts claiming the sector had overlooked critical vulnerabilities which were exploited.
Clop, the perpetrator of the attack on South Staffordshire Water, is a for-profit gang that claims not to target critical infrastructure or health organisations. However, it still published evidence of stolen data that includes passports, usernames and passwords, and screenshots from water treatment SCADA systems. In our increasingly volatile world, it doesn’t take much imagination to picture what a rogue nation or cyber terrorist organisation might aim to achieve with a similar attack.
Bad actors flooding insecure apps
For decades organisations have endured a cat and mouse game against attackers. Most high value targets now run a complex estate of cyber security products, seeking to keep bad actors out and contain them should they get in. While email remains the primary attack vector, there’s now a sharper focus on the ubiquitous Microsoft Teams and Slack; both of which saw hurried and widespread adoption as a result of the pandemic.
As seen with attacks on Uber, Rockstar Games and many others, sophisticated attacks look to get inside the communications platform for two main reasons. The first is that it provides a relatively low-barrier entry point for ‘Living off the Land’ or ‘Lateral Movement’ attacks; especially as – like email – there’s no end-to-end encryption to protect data once an attacker is inside the platform. The second is that an organisation’s ability to respond to a breach is severely diminished if its communications are compromised as part of a larger attack.
Traditional centralised communication platforms, such as Microsoft Teams and Slack, are susceptible to such compromise. They operate on the same network as the rest of the IT infrastructure, meaning if the primary network is compromised then the communications platform is not safe to use.
Secure communications = decentralisation and encryption
Water companies, and other utility firms, need to use end-to-end encrypted communication systems that operate over a separate and decentralised network to maximise both security and resilience – even when the organisation is under direct attack. A decentralised network is important for two main reasons.
With a centralised platform – say Microsoft Teams, Slack or WhatsApp – the data sits on the vendors’ servers and uses the vendors network. A decentralised platform gives the freedom to choose where data is stored. So a water company can self-host its data (on-premise or in a private cloud), or choose from a variety of hosting services. This gives genuine ownership and control of communications data, and protects against vendor lock-in.
A decentralised platform is also far more resilient than a centralised network, which is a crucial requirement for mission critical communications. A traditional centralised network – again, such as Teams, Slack or Signal – has single points of failure; this is why those types of systems suffer from global outages. Conversely a decentralised network offers outstanding resilience as it can utilise the self-healing properties inherent in the protocol to handle any disruptions.
Combined with end-to-end encryption, decentralisation delivers both resilience and security. And if the decentralised network is outside of the standard corporate IT network, it’s an ideal platform for incident response so handling attacks is far faster and more effective.
Secure the supply chain with interoperability
In a perfect world, companies would be able to communicate securely and in real time across their entire supply chain. But in an era of siloed (or ‘walled garden’) applications, that’s not possible. Not every partner is on Teams, Slack, Skype, Webex or whatever else. Indeed it’s pretty much the only reason why email still exists – how else do you communicate with other companies?
An open standard enables interoperability between different platforms, and that’s why there is so much excitement about Matrix; an open standard for secure, decentralised real time communication. When looking to invest in a mission critical communications platform, Matrix provides a rock solid foundation on which numerous vendors are now building solutions.
Taking control of new attack vectors
Cyber attacks are a case of when, not if, especially for utility companies as they are such high value targets. A water provider’s communications platform must be suitably robust to always be available, and to operate safely during a cyber attack. And as part of that end-to-end encryption is a basic table stakes requirement, as is decentralisation.
By taking a lead, water companies can protect themselves and trigger a rising tide that will improve security across the supply chain.
