A hacker’s recent attempted sabotage of an Oldsmar, Florida city water treatment plant and the breakdown this week of the Texas power grid in the face of brutal winter weather offer a stark reminder of vulnerabilities that face this nation's critical infrastructure.
Padraic O'Reilly, co-founder of cyber risk firm CyberSaint, shared insights with SC Media, having worked directly with water systems, electric providers, energy companies and other utilities to assess cyber risk and prevent cyberattacks.
We’re speaking just as the Texas power grid bends under the weight of winter storm weather, with reports that top board members of the Electric Reliability Council of Texas don’t even live in the state. What parallel can cybersecurity pros draw from what’s happening in Texas?
It goes to governance. In cyber, governance is part of the equation in the most forward looking organizations. So if you've got a governance structure that's not even in the state, it just stands to reason that when upgrades or improvements are being costed out, they might not be as interested. Understanding your risk is something that you have to do. Looking forward, you have to understand what sorts of scenarios might be in play. That's where there's been failure; there has not been enough buy in.
Is the approach by utilities different than at private sector companies?
I think it's a little more subtle than that. The Fortune 100 are progressive and forward thinking, but they're extremely budget conscious. They try to get innovation on the cheap. But what you see [among critical infrastructure] companies is almost bureaucratic fatigue. 'We've done it like this in the past.' Everyone's half asleep, and bosses just don't want trouble.
Is there any progress toward more sophisticated cybersecurity solutions to help protect critical infrastructure?
They want to see a clear business case for improvement. This is relevant to the water treatment hack and to energy in general. A lot of teams in energy are very progressive, very forward looking, very good at what they do, because they're protecting against cyberattacks that could go kinetic. They are targeted, and they're aware of a lot of what's going on. They're just getting more savvy around making the business proposition with respect to hardening and making systems more resilient. But the budget has been spent on the red team stuff, reacting to attacks. Nobody's been able to get out ahead. That's where the real tension is right now. Florida now signals to other attackers – maybe the nation states or just script kitties – that you might be able to land on a remote access application and be able to change some sodium hydrochloride levels.
Who's the most secure among the utilities?
We work with oil and gas, electricity, nuclear to some extent, water. I would say they're all really quite good. That said, what they have to deal with is a very large task, a massive task. And at times, their challenges are to get the resources they need to get everything done.
The site based approach to a cyber evaluation is something that we're involved in with one of the largest energy concerns in the country. And they're trying to make it all cloud based. Over the last year in particular, with respect to oil and gas and electric, they've gotten out of the mindset of “it's in a file cabinet” and there’s been some transformation. But it's underway at the leaders level. In these industries there's a tendency to look to the big guy; [other, smaller companies] won't make a move until they know what the big guys are doing. Sometimes it's the consultancies that go from company to company, sharing that tribal knowledge.
Also, in utilities, oil and gas, there's a real cultural disconnect between the day-to-day operational types, and the senior leadership. It’s like the managers dwell in this realm of metrics that are all their own and nobody can understand what's going on in their minds. And the day-to-day operational people have to get it done.
Where’s the opportunity to get the factions on the same page?
We're trying to be as risk agnostic as possible and have as many risk models in system as possible, gaming out impact and likelihood in a way that's transparent and clear. Cyber has created a Tower of Babel, to some extent. I think that we're at a unique moment right now. We're understanding risk as it relates to cyber, but there's still a lot of work to be done. There's all this skepticism around cyber. It virtualized and therefore invisible. But a lot of it is measurable, a lot of it is quantifiable.
In the wake of the Florida attack, what are water systems going to do?
I think it's unique to water what happened here, and I think water is going to step up and describe whether their mitigations or their redundancy checks are sufficient, and whether or not they're going to be using remote applications for chemical mixtures. They have to come out and say that the latter’s probably not a good idea. I see the water attack as analogous to the ransomware attacks that have been happening to HMOs and smaller medical providers. They may not have huge budgets, but that's no excuse not to game out what could happen and at least do some initial hardening of your systems.