This would be terrifying. A cyber-attack on water infrastructure could lead to widespread panic and potentially significant illness and loss of life with substantial effects on other critical services, such as firefighting and hospitals. It could shut down our economy. Is the water industry taking cyber security seriously?
By Kirsten Kelly
South Africa has the third highest number of victims of cybercrime in the world, costing us R2.2 billion a year (Source: Accenture State of Cyber Security Report 2021)
. Here are more red flags:
- The Department of Justice and Constitutional Development recovered from a debilitating ransomware attack that unfolded in September last year, affecting all its electronic systems.
- Transnet was also the target of a cyberattack that affected crucial systems and caused our ports to shut down. The attackers encrypted files on Transnet’s computer systems, thereby preventing the company from accessing their own information while leaving instructions on how to start ransom negotiations. The ransomware used in the attack likely originated from Russia or Eastern Europe.
- The National School of Government was targeted in a ransomware attack costing around R2 million.
- Private hospital group, Life Healthcare, was also targeted last year in an attack that affected admissions systems and the email server.
These incidents paint a worrying picture of how vulnerable South Africa is to cyber criminals and even cyber warfare. While digitalisation is reshaping the water sector for the better, it also increases cyber security vulnerabilities. The paper – A Review of Cybersecurity Incidents in the Water Sector –
highlights an increase in the frequency, diversity, and complexity of cyberthreats to the water sector.
Water utilities typically face the following cyber security threats:
Why is the water sector vulnerable?
- Criminals access water systems and flow operations, manipulating water flow and chemical dosages in water treatment works.
- Cyber attackers can gain access to customer data through water companies’ online payment systems.
- Attackers can also gain administrator credentials and work their way laterally through the water network.
“Unlike its critical infrastructure counterparts, the water sector is in the hands of a vast array of organisations, many of which are small and under-resourced. There is some level of data sharing and integration between these organisations and networks. When there is a cyberattack, it is dealt with in isolation, there is no sector wide communication and sharing of the incident. This prevents the water industry from being proactive and learning from each other,” says Professor Annlize Marnewick, University of Johannesburg.
“Furthermore, the water sector relies on a variety of physical infrastructure and operational technology systems (sensors, actuators, logging devices, meters, pumps) that are connected to the internet to gather remote data to support activities like metering and billing or predictive equipment maintenance. There are many entry points for cyber security attacks within our sector,” explains Dr Jeremiah Mutamba, senior manager: Strategic Programmes, TCTA.
Sunitha Venugopal, a director of SecurePalm
adds that an organisation must close hundreds of hypothetical doors (entry points) to avoid a cyberattack, where a hacker only needs to find one open door to conduct a cyberattack. “The odds are stacked against all organisations, but the water industry is extremely vulnerable. Typically, this sector operates a lot of legacy based operational technology with well-known vulnerabilities that cyber criminals that easily exploit. People are opposed to updating or changing these systems because they are expensive and they are still working. These legacy systems often have a default configuration where you cannot change the username and password of the switch dashboard. Furthermore, updating operational technology with cybersecurity can be slow going as services must run 24/7.”
Effective implementation factors of a cyber security system
The main purpose of cybersecurity is to protect all organisational assets from both external and internal threats as well as disruptions caused due to natural disasters. The following factors need to be considered when implementing a cybersecurity system.
This will assist the water industry to reduce risk and promote resilience (quick recovery after an attack).
To successfully implement cyber security, water institutions need to identify and comply with all mandatory cybersecurity requirements and controls.
A cybersecurity culture needs to be embedded in the overall water industry culture. This is done by generating an awareness and knowledge of imminent threats. Globally, most data breaches in the water industry are a result of a human factor, and employees in the water sector must see cybersecurity policies as rules and not just guidelines.
A cybersecurity program is informed by strategy. Programs will allow multiple, timely and full backups of critical systems and data as well as program maintenance. One needs to practise the restoration of the system from backups. There should also be a business continuity plan in the event of a cyberattack.
Recovering from a cybersecurity attack could be expensive for an organisation such as the water industry. Cyber insurance is an important risk management tool considering the sensitive nature of the data being generated in the water sector. Cybersecurity insurance will serve as an effective tool in the resilience toolkit, that will enable expert emergency support.
Cyber intelligence is the knowledge, skills and experience-based information concerning cyber-attacks and threats. It will help the water sector make faster, informed security decisions and change their behaviour from reactive to proactive when combating the attacks. Cyber intelligence tools allow the sector to leverage on IT, joining other stakeholders (universities, CSIR, WRC) to create an environment for the research and review of challenges and causes – ensuring a more proactive security position.
“Like many other nations, South Africa has an overarching national cybersecurity strategy. National policy suggests that the water sector sets up a computer security incident response team (CSIRT) that shares any cyber security incidents with all water industry bodies as well as at a national level,” adds Professor Marnewick.
A cybersecurity worksheet will be used to keep a list of the highest cybersecurity risks, with details on how these will be addressed. The Cybersecurity worksheet normally contain three sections:
From the documentation process, institutions can draw valuable lessons to improve future cybersecurity management and share this information with each other.