Until recent times, water supply security was based largely on the principle of isolation. For decades, process control systems were a series of disconnected systems and applications, air-gapped by virtue of not being connected to other computers or to the internet, which made infiltration by external cybercriminals unlikely.
In the last 20 years, critical infrastructure providers, including water and wastewater facilities, have modernized their plants and distribution networks, integrating IT assets with operational technology (OT) and industrial control systems (ICS). The converged domains have unified information and control networks, delivering advantages such as centralized management and visibility into OT production and performance.
On the downside, it didn’t take long for cybercriminals to discover they could access OT and ICS networks by gaining a foothold on internet-facing IT systems and moving laterally into adjacent connected OT assets. With that, a new era of cyber threats was born.
In the water and wastewater industries, threat actors have infiltrated IT assets to disrupt business systems. More alarmingly, attackers have damaged equipment, discharged wastewater into environmentally sensitive areas, and implanted ransomware that disrupted operations.
Then came COVID-19. When the pandemic forced nonessential businesses to close and employees began working from home, organizations had to quickly, and often haphazardly, deploy remote access environments. The new remote access setups often lacked basic protections such as multi-factor authentication or identity and access management (IAM). Cybercriminals quickly flooded unsuspecting remote workers with phishing and ransomware attacks, often using COVID-19 lures.