Charles Egli, Lead Analyst at Water Information Sharing and Analysis Center (WaterISAC)
Every year brings its own cyber incidents and threats, and with each of these there are lessons for what should be done in terms of cybersecurity. 2020 still has over a couple months to go, but already it’s provided its fair share of crises that we can learn from. And now that it’s Cybersecurity Awareness Month (NCSAM), when everyone is encouraged to take actions to stay safer and more secure online, it’s a fitting time to reflect on and learn from what we’ve experienced.
For me, this year’s greatest lessons so far come from two crises: the threat of malicious cyber activity from Iran – given the escalating geopolitical situation between that country and the U.S. – and the COVID-19 pandemic. There’s much to learn from both incidents, but for me what stands out is the importance of involving everyone you can in cybersecurity, both internal and external to your organization. What led me to these conclusions, and what should organizations, and in this case utilities, do about them?
COVID-19 Pandemic
The COVID-19 pandemic has presented at least two very significant cybersecurity challenges to utilities. For one, it has forced many to quickly deploy large portions of their workforces from offices into remote work environments. In these settings, employees are entrusted to responsibly use their own devices alongside organization equipment and follow security protocols without normal levels of oversight. They are also away from peers and help desk personnel that, in normal times, could easily be consulted when questions or issues arise, such as about the legitimacy of a suspicious email. This situation becomes even more daunting when considering the second challenge, that cyber threat actors have taken advantage of the pandemic to help perpetrate their activities, such as with lures in phishing emails. Many of these phishing emails have specifically targeted employees in remote work environments. In one example, a phishing email claiming to come from the human resource department notifies the recipient they’ve been laid off due to reduced revenues as a result of COVID-19.
Given these challenges, utilities can’t depend solely on just one person or group of persons, such as an IT or cybersecurity department, to protect the entire organization. They need to involve all of their personnel in this effort, understanding that an incident can be initiated by just one employee’s absentminded behavior. WaterISAC has often emphasized the importance of utilities having a “cybersecurity culture,” such as in its 15 Cybersecurity Fundamentals for Water and Wastewater Utilities. Fundamental #8 is “Create a Cybersecurity Culture,” the explanation for which begins with the statement: “Cybersecurity is a shared responsibility among all staff.” Indeed, for utilities to continue to work securely going forward, and especially in the COVID-19 environment, they need to place greater responsibility and expectations on their personnel for the security of the organization.
In addition to looking to WaterISAC’s 15 Cybersecurity Fundamentals for tips on how to create a cybersecurity culture, there was also some insightful advice offered during a webinar WaterISAC hosted with members in early July. Representatives of two utilities joined WaterISAC for a discussion of the efforts they had undertaken at their organizations. One presenter explained how her program features a system of rewards and recognition for good behavior, which helps encourage greater participation. The other presenter discussed how he sparked significant interest among employees with an initial phase he called “Induce Panic and Paranoia!” that involved test phishing emails sent to employees.
The importance of creating a cybersecurity culture within any organization aligns with this year’s NCSAM theme: “Do Your Part. #BeCyberSmart.” The theme is intended to empower everyone to own their role in protecting their part of cyberspace. Via the website for the National Cyber Security Alliance (NCSA), which is one of the sponsors of NCSAM, visitors can access a trove of information and resources to empower themselves and others.
Threat of Potential Malicious Cyber Activity from Iran
Just as it’s important for utilities to have a culture that involves all of its personnel in cybersecurity, so too is it essential that they have a culture that seeks to involve external partners. I remember thinking this as 2020 was just beginning and already we were contending with a serious crisis, the threat of potential malicious cyber activity from Iran. As has been observed by others before me, it simply isn’t going to be a fair fight when a nation state targets a single organization, such as a utility, given the former’s expertise and resources. But the odds look significantly better when that organization taps into the expertise and resources provided by others.
One of the organizations that utilities can look to for assistance is the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA. In addition to providing threat information on the situation with Iran, which included publishing alerts and advisories and convening calls, CISA also took the opportunity to highlight its services that can help organizations improve their cybersecurity postures. These services include free system assessments, surveys, and tests that CISA conducts in person or remotely. WaterISAC has promoted these numerous times in the past, including in July 2018 when it hosted a webinar on the services provided through CISA’s Cybersecurity Advisor (CSA) program (the presentation and recording are available on the WaterISAC portal for members and non-members). But given the threat landscape that was emerging at the start of the year, I recall being especially hopeful that utilities would take advantage of these services if they had not already. These are powerful services, which have proven effective at detecting and addressing vulnerabilities before they are noticed and potentially exploited by nation states and other threat actors. They are in demand, but CISA has never said it doesn’t have the bandwidth to support more requests and has long encouraged its critical infrastructure partners to look into these services.
When it comes to external partners, I encourage utilities to go beyond simply accessing the resources and knowledge that are provided and to also share information, particularly on the incidents and threats they’ve experienced. CISA and other entities that work on behalf of the sector can only be so effective without the input from those who are on the front lines. In addition to helping to inform the sector’s understanding of the threat environment and be better prepared, when organizations report incidents and threats they may receive invaluable assistance with their response. CISA can be contacted by filling out its online reporting form, emailing [email protected], or calling 1-888-282-0870. Of course, I also hope that utilities will report incidents and threats to WaterISAC, such as by using its online reporting form, emailing [email protected], or calling 866-H2O-ISAC (866-426-4722). Ultimately, I urge utilities to report incidents and threats to some entity, whether it’s a government agency or law enforcement organization, or even WaterISAC itself.
Building a cybersecurity culture within an organization and collaborating with external partners – these are the lessons this year’s crises have taught me, or at least reinforced for me. I encourage utilities to take the time now, during NCSAM and with a couple months to go in the year, to reflect on how these might apply to their organizations. I also urge them to consider other lessons that can be captured from their experiences this year. Given all we’ve been through, there’s undoubtedly much that can be learned and used to prepare us for anything else to come.
Charles Egli Chuck Egli is the Lead Analyst at Water Information Sharing and Analysis Center (WaterISAC). In this capacity he works with government and private sector partners to provide security and resilience information and analysis to the water and wastewater sector in the United States, Australia, and Canada. Prior to his time with WaterISAC, he worked for Battelle Memorial Institute where he supported contracts for the U.S. Department of Homeland Security (DHS). Chuck is also a veteran of the U.S. Navy and continues to serve in the U.S. Navy Reserve.
My Profile
