Interview: Digital Danger
Cyber attacks are becoming an increasing threat but, while the UK water industry could be vulnerable, Anglian Water security chief Steve Trippier says there is no cause to panic
The National Cyber Security Centre’s ‘10 Steps to Cyber Security’, which can be downloaded from www.ncsc.gov.uk, encourages companies to focus on the following areas:
1. Set up your Risk Management Regime
2. Network Security
3. User education and awareness
4. Malware prevention
5. Removable media controls
6. Secure configuration
7. Managing user privileges
8. Incident management
10. Home and mobile working
by Robin Hackett
At a time when the head of the UK’s National Cyber Security Centre (NCSC) has said a top-level cyber-attack on the UK is a question of “when, not if”, the water industry has cause to reflect.
After the category two WannaCry ransomware attack hit the NHS in 2017, NCSC head Ciaran Martin’s warning in January that “we will be fortunate to come to the end of the decade without having to trigger a category one attack” suggests the UK water sector should be on guard.
Alarmingly, it was reported in 2016 that hackers had infiltrated a water treatment plant in an unidentified country and changed levels of chemicals being used to treat tap water four times. The U.S. Justice Department then confirmed in an indictment that hackers had repeatedly gained unauthorised access to the computer that controlled the supervisory control and data acquisition (SCADA) system for the Bowman Dam in New York in 2013.
Even so, Anglian Water’s Group Chief Information Security Officer, Steve Trippier, stresses that – while the potential for an attack is real – it is important to keep a sense of perspective.
“One of the key things that we would take into account is the specific guidance we get from the National Cyber Security Centre, who tell us that the threat profile to the water industry is considered to be low/very low,” he says. “More complex tools, which previously were only in the hands of nation states, are becoming available to criminals – but what I think’s really important to look at is the motivation of why somebody would attack the water industry.
“The NCSC is very clear that the people who have the motivation don’t have the capability and the people who have the capability don’t have the motivation.”
Nonetheless, Trippier – who became Anglian’s first cyber-security chief in 2012 – says there are good reasons for the growing publicity around cyber-attacks.
“Partly that’s because people are aware of them and reporting them more; partly that’s because they’re becoming a lot more common,” he says.
As in all sectors, the most common relate to IT systems, with phishing emails offering the most straightforward route.
“Almost universally, email to staff is the most common factor, which is why most of us, and particularly Anglian Water, are really heavily investing in staff awareness to try to reduce the propensity of staff to click on links,” he says. “It started in the 1990s with the Nigerian Prince 419 scams where a prince offered to send you lots of money if you transfer them an advance payment to launder their money, and they’ve now become very much more sophisticated. Those attacks can be very difficult to identify and can look very credible.”
The consequences of a successful IT attack can be significant, including access to the customer database, loss of money through fraud and disruption to the way in which the corporate and IT infrastructure works.
As the reported 2016 incident indicated, though, an attack on operational technology (OT) could feasibly be far worse.
“The worst-case scenario would be access to control systems – somebody who isn’t supposed to access control systems having access to them,” Trippier says. “Those kinds of attacks are very, very rare and not very easy to do.
“I would say that, on the whole, most people’s OT systems are not currently directly connected to the internet – for a very good reason, because that makes it harder to perform those attacks remotely. Whilst not infallible, that historically has been the best protection – not to connect those control systems or to minimise the connections to spaces where they could be compromised externally.
“In all cases, safety-critical systems are always completely isolated from the other control systems, so that prevents issues with water quality.”
However, the growing reliance on the Internet of Things (IoT), if not well managed, could ultimately weaken that protection as IT and OT converge.
“People are looking at how to exploit efficiency from the Internet of Things, and of course you would do because the potential benefits are huge, whether that’s around leakage or around optimisation or around better monitoring and better status reporting,” he says. “The IoT devices are potentially significantly cheaper and easier to install.
“As with all innovation, that comes with a need to conduct assessment of what risk that provides – that’s risk to operability as well as security. Organisations will need to ensure they understand the full security impact of all their innovation, including IoT. We look at things like WITS [Worldwide Industrial Telemetry Standards] for the technology standards, telemetry, and that’s already seeing security built in as standard, trying to build consistency and starting to build security into the fundamentals of how things are operating.”
Companies across the water industry already share information relating to threats, while Water UK’s Strategic Security Board facilitates assistance between companies and works to establish best practice.
“Security isn’t something that’s used as competitive advantage between us,” he says. “Security managers share threat intelligence very frequently with each other. We collaborate very widely both in terms of reactive threat intelligence but also proactively in terms of understanding what the challenges are that people are facing and how we are addressing them.”
On that point, Trippier says user education within companies is “absolutely critical – the number one thing you can do to reduce risk across the network”. On the technological side, he references the NCSC’s 10 Steps to Cyber Security. “It contains 10 really quite basic things to do across an organisation’s IT landscape,” he says. “Those 10 things mitigate probably over 90% of most attacks. By getting those basic counter measures and controls right, you put your organisation in a space where it’s at significantly less risk of an attack.”
He expects all water companies to focus on cyber security in AMP7.
“‘When, not if’ is becoming common parlance and certainly something that I use with my management board frequently,” he says. “The days of building metaphorical fences and hoping no one would get through that fence don’t exist anymore, and incident response is a really important element.
“You can’t ever really be 100% secure because, if someone has enough money and enough motivation, they can keep going until they find vulnerabilities.”
Steve Trippier will be discussing cyber security at WWT’s Smart Water Networks Conference in Birmingham on 20 March. Info at: events.wwtonline.co.uk/smart
- Comment: Shining a light on dark data Water companies already have the data to solve many of their most problematic issues - they just have to know where to... Read More >
- Will open data inspire UK water companies to the next level of engagement? Releasing data sets to the public could provide a fascinating new way for water companies to engage with customers, writes... Read More >
- Comment: Waterworks fit for the 21st century In recent years, the focus of the UK's water industry has shifted from building new sophisticated water works to upgrading... Read More >
- Opinion: Protecting our water assets against cyber threats It's vital that engineers start to lead the conversation on cyber security for operational technology in the water... Read More >
- Capital's infrastructure needs integrated water approach The concerns of Londoners about the capital city's resilience highlight the need for integrated planning across water,... Read More >
- Ready for anything: Resilience in the Round Resilience is one of the four priorities that Ofwat wants to see water companies adopt in their plans for PR19. But what... Read More >
- Mind the step: manholes, steps and ladders Manhole steps, ladders and associated access systems perform a safety critical function. Here, Chris Cawte, managing... Read More >
- Comment: Creating a resilient response to extreme events Becoming more resilient to extreme events such as the Beast from the East will require a mix of long-term and medium-term... Read More >