SINGAPORE – Water treatment is important to societies globally but glaring leaks in the cyber defences of systems controlling water plants have been in the spotlight in recent months.
In January, a hacker gained access to a water plant in San Francisco and deleted programs linked to water treatment. This came to light only in June.
Another water plant in a Florida town was hacked in February and the intruder tried to poison the drinking water by raising the concentration of a chemical to dangerous levels.
In both cases, workers undid the hackers’ actions in time. But the incidents highlighted some perils.
Workers were using popular software to access the plants’ systems from locations other than the facilities, and hackers had taken over their accounts to break in.
One cyber-security firm believes software it has developed, funded by a Cyber Security Agency of Singapore (CSA) innovation initiative, could help operators of critical infrastructure detect and plug security issues, even without expertise.
Called X.act, the software can simulate new and known cyber attacks and tactics, as well as create a fix that can be used immediately.
The Singapore company that made it, SkillSpar, which also has offices in the United States, Vietnam and Thailand, said its software recreates a virtual copy of the critical system controlling an infrastructure facility.
The infrastructure operator chooses a breach scenario to test, such as a computer compromised by a worker who uses a malware-infected USB drive.
The operator can use X.act to run hacking simulations on the virtual control system with the press of a button to find out what happens next.
This could show how far the malware spreads, and if there are unusual activities, such as the system being accessed at odd hours.
SkillSpar said that, unlike other products in the market, X.act automatically generates data that can be used to configure the system quickly as a fix to thwart hackers’ techniques when operators are alerted to potential malicious activities.
By curbing the damage arising from potential breaches, systems can be protected even if security flaws have not been patched by equipment vendors.
“Patching in the operational technology world doesn’t work,” said Mr Phuong Nguyen, SkillSpar’s co-founder and offensive security consultant, referring to systems that run critical infrastructure like those in water and power plants.
He said vendor patching happens once every three months as time is needed to test patches and the systems need to be up as much as possible.
Another patch issue is that many legacy control systems work only on old operating systems like Windows 7, which is no longer supported with official security patches, making it open to cyber attacks. Overhauling all these systems would be costly, said Mr Nguyen.
Infrastructure operators can quickly test X.act’s fix on the virtual system against another similar attack by pressing a button.
The operator can then contact vendors to further test the fix before deciding if it can be applied to the real system.
X.act is being used in the oil and gas sector here, and SkillSpar has received inquiries from the United Arab Emirates and Vietnam.
The software was developed after SkillSpar took part in CSA’s Cybersecurity Industry Call for Innovation programme in 2018. It would have received funding of up to $500,000 from the agency.
Since the start of the call for innovation in 2018, CSA has awarded funding for 21 projects, eight of which are already in use or undergoing trials. Over $10 million has been committed to the projects so far.
Past cyber-security projects include those for Internet-connected devices, ransomware protection, autonomous vehicles and operational technology security across the energy, maritime, healthcare and government sectors, said CSA.
Mr Joel Langill, managing member of the Industrial Control System Cyber Security Institute based in Wisconsin in the US, said SkillSpar’s simulation software is good in theory as it is used on a model of a real system, and could be applied on different systems too, be they simple or complex.
He is a member of CSA’s Operational Technology Cybersecurity Expert Panel that is meeting in Singapore this week. Among other things, the panel seeks to identify challenges and gaps in the cyber-security capabilities of the operational technology sector here, and recommends how to address them.
Mr Langill was, however, concerned about how sensitive X.act was at detecting suspicious activities that might fly under the radar because they look like commands executed by a legitimate user.
Another issue: the cost of using the software. He said many public utilities, like in the US, have limited budgets, so they may not be able to spend as much on cyber security, and face challenges hiring talent in this area.
“Working for municipalities probably isn’t as high (on the list for people) as working for an integrator or a larger contractor, where their salaries could be significantly more, and job satisfaction could be much higher,” he added.
Mr Langill said ramping up cyber-security in the water sector is also difficult in countries like the US, because water and waste water treatment are not regulated centrally and there is a lack of enforcement.
“The cyber awareness and maturity of the bulk of (US water) authorities are very low,” he said.
One way to address some of these challenges is to make cyber security a procurement requirement at every point in building a water plant, said Mr Langill.
He added that it is “not expensive” if done right from the get-go.
He cited a large South American oil and gas facility he worked on that needed cyber-security features installed after a breach. About 200 control devices at the facility did not have firewall software, as it appeared a financial decision was made earlier against the installations.
“To install what they should have installed in the first place cost about 2.5 times what it would have cost if they’d done it the first time,” said Mr Langill.