Good digital hygiene: Keeping utility services safe

Last month, hackers gained control of a Florida water treatment plant in an attempt to poison the water supply and threaten the health of thousands of Floridians. That attack was stopped before the intended damage could be done, but what can we learn from the event and how can we stop incidents like it from happening again?

Max Howells · 7 min read · Mar 4, 2021

Want to know how you can improve your digital hygiene? Scroll down for four easy steps to improve digital security for you and your organisation

On 5th February, 2021, a cyber attacker was able to raise the levels of sodium hydroxide used to clean water at a treatment plant in Florida by a potentially lethal 11,000%. The hack was noticed and stopped by a vigilant plant operator before any real damage could be done, but the message was clear:

The infrastructure we rely on for water and other basic services is potentially vulnerable to digital attacks. If breaches go unnoticed, even for a few hours, the financial and human costs can be catastrophic.

The Florida attack is just the latest high-profile example of an industrial control system (ICS) being targeted in this way, and many people’s first reaction may be to point to ‘an inherent vulnerability in digital systems’.

In February 2021, hackers took control of a Florida water treatment plant thanks to poor digital hygiene.

The truth behind the attack is potentially more troubling. The problem was not only or even predominantly with the computer control system or its connectivity — it was due largely to human error.

The human component is the hardest part of any digital system to secure. Bad habits are easy to form and even easier to exploit.

In Florida, remote access credentials for the plant’s control system were being shared between employees over insecure platforms. Coupled with the facility allowing remote access to its ICS through a software package that had not been securely configured, and continuing to run a version of Microsoft Windows that no longer receives security support, the ready availability of these sensitive access credentials made the attack comparatively trivial to coordinate.

How can we stop attacks like this from happening?

Luckily, if the human aspect of a system is the primary fault, we each have the power to be part of the solution.

There are two main areas that have the most impact on good digital hygiene:

- Training and encouraging work forces to follow best practice guidelines for cyber security.

- Having the most appropriate cyber security support products in place. If maintained correctly, these services can identify weaknesses in digital procedures and provide alerts when a system is vulnerable to attack.

Some simple steps can improve your digital security dramatically

Four steps to better digital hygiene

There are some basic things organisations and individuals can do to maximise digital security, keep their services safe, and enable the benefits technological advances can bring while minimising risk.

1. Passwords

- Change your passwords regularly

- Use different passwords for each application

- Use a password manager to generate and store secure passwords

- Enable multi-factor authentication

According to the US-based business reporting platform Cox Blue, as many as 63% of all cyber breaches are due to lost, stolen, or weak passwords.

Password discipline lies at the heart of cyber security, and with password managers now available that generate and store unique credentials for all your accounts, the excuses for having insecure passwords are running out.

Here are some easy to apply tips:

- Update your passwords regularly
- Use different passwords for every new account or application. Google recently reported that more than 60% of internet users reuse passwords. It may be easier to remember one password for everything, but if a hacker cracks it, all your accounts — personal and professional — are vulnerable.
- Use disassociated character combinations in your passwords. This might be harder to remember, but password managers are here to help. Mix it up. Use CAPITALS, characters that aren’t !etter$, and avoid number sequences that are easy to guess. ‘Password1234’ is not a secure password.

Bonus step: Enable multi-factor authentication (MFA)

MFA is an additional level of security above that offered by the standard username and password login. It requires users to enter a code or acknowledge a login attempt alert sent to their email inbox or smartphone. It’s a simple step that makes your security very difficult to breach.
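The password tips above can be turned into an automated check over a password-manager export. This is an added example, not code from the article: the vault entries are constructed, and reuse is detected by comparing digests so the passwords themselves are never written out.

```python
import hashlib
import re
from collections import defaultdict

# Constructed vault export for the example (not real credentials): (site, username, password).
VAULT = [
    ("mail.example.org",      "m.howells", "Password1234"),
    ("scada-vpn.example.org", "m.howells", "Password1234"),
    ("hr.example.org",        "m.howells", "Tr!ckle-Reef-Quartz-59"),
    ("bank.example.org",      "m.howells", "Summer2020!"),
]

def weaknesses(password):
    """Return the reasons a password fails the article's advice (empty list if none)."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if "password" in password.lower():
        reasons.append("contains the word 'password'")
    # Runs of consecutive digits such as '1234' are among the first guesses an attacker tries.
    if re.search(r"(0123|1234|2345|3456|4567|5678|6789)", password):
        reasons.append("contains a sequential digit run")
    # The article's 'mix it up' rule: capitals plus characters that are not letters or digits.
    if not (re.search(r"[A-Z]", password) and re.search(r"[^A-Za-z0-9]", password)):
        reasons.append("lacks capitals or non-letter characters")
    return reasons

def find_reuse(vault):
    """Return groups of sites that share one password. Entries are grouped by SHA-256
    digest so the report can be shared without exposing any password."""
    by_digest = defaultdict(list)
    for site, _user, password in vault:
        by_digest[hashlib.sha256(password.encode()).hexdigest()].append(site)
    return [sites for sites in by_digest.values() if len(sites) > 1]

if __name__ == "__main__":
    for group in find_reuse(VAULT):
        print("same password reused on:", ", ".join(group))
    for site, _user, password in VAULT:
        for reason in weaknesses(password):
            print(f"{site}: {reason}")
```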

2. Use up-to-date software… and keep updating it

- Identify and use the security software that best meets your needs

- Keep your software updated, including your operating system

- Use multiple layers of security software

Firewalls, antivirus software, encryption services, and endpoint detection and response solutions work together to keep networks safe, but they’re only as secure as their most recent updates.

Regular updates can seem like an annoyance, but at the cost of only a few minutes every couple of weeks, you can keep your system one step ahead of potential hackers. Old software may contain weaknesses or ‘vulnerabilities’ that, even if they’re not apparent at first, given enough time can provide an easy point of access for attacks. Software providers’ updates close these vulnerabilities before they can be exploited and keep your network secure.

Once security support for old software runs out, it needs to be updated. It has been reported that February’s Florida hack exploited the plant’s control system’s use of an old, 32-bit version of Windows 7, an operating system released in 2009, and for which Microsoft ended support in January 2020.

Bonus step: Use multiple layers of security

All the software types listed above have specific applications and protect networks in different ways. A firewall alone is not as effective as a firewall with a powerful antivirus solution, or an antivirus solution with a firewall and an intrusion detection system (IDS).

3. Data discipline

- Delete data you don’t need anymore

- Keep track of all your data storage

- Audit your off-boarding processes to minimise security gaps

Data can be stored locally or on remote servers, so it’s harder than ever to keep track of where it all is and whether your security is up to date in each location. Keeping old data and storage open when it’s no longer needed provides hackers with more opportunities to steal your information or break into your network. Ensuring your stored data is limited to necessary information only makes it easier for you to manage and monitor, and harder for others to infiltrate.

Bonus step: Audit your ‘off-boarding’ processes

An extension of cleaning up old data is keeping track of and controlling who has access to your data and control systems.

If an employee’s role changes or they leave your organisation and they no longer need access to your network, adapting their permissions or making sure to remove them will limit points of entry and make them easier to manage.

Many security systems need regular maintenance, and if someone forgets they have access or doesn’t use it often, and so doesn’t keep up the necessary best practices, they could become a security risk without knowing it.
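The off-boarding audit described above can be scripted: compare who still holds remote access to the control system against the HR roster and flag accounts whose owner has left, whose role has changed since access was granted, or that have gone unused. This is an added example, not the article’s or any vendor’s code; the roster, account list and the 90-day dormancy threshold are constructed assumptions.

```python
from datetime import date

# Constructed HR roster (not from the article): current status and role of each person.
HR_ROSTER = {
    "a.smith": {"status": "active", "role": "plant-operator"},
    "b.jones": {"status": "left",   "role": "plant-operator"},
    "c.lee":   {"status": "active", "role": "finance"},  # moved out of operations
    "d.khan":  {"status": "active", "role": "plant-operator"},
}

# Constructed list of accounts allowed to reach the control-system remote-access gateway.
REMOTE_ACCESS_ACCOUNTS = [
    {"user": "a.smith",    "granted_for": "plant-operator", "last_login": date(2021, 2, 20)},
    {"user": "b.jones",    "granted_for": "plant-operator", "last_login": date(2020, 11, 2)},
    {"user": "c.lee",      "granted_for": "plant-operator", "last_login": date(2020, 9, 14)},
    {"user": "d.khan",     "granted_for": "plant-operator", "last_login": date(2021, 3, 1)},
    {"user": "vendor-tmp", "granted_for": "plant-operator", "last_login": date(2020, 6, 1)},
]

DORMANT_AFTER_DAYS = 90  # assumed policy: unused access is reviewed after 90 days

def audit_access(accounts, roster, today, dormant_after=DORMANT_AFTER_DAYS):
    """Return findings: accounts to remove, accounts to review, and dormant accounts."""
    findings = {"remove": [], "review": [], "dormant": []}
    for acct in accounts:
        person = roster.get(acct["user"])
        if person is None or person["status"] != "active":
            # Nobody currently employed stands behind this account: an open point of entry.
            findings["remove"].append(acct["user"])
            continue
        if person["role"] != acct["granted_for"]:
            # Role changed since access was granted: permissions need adapting.
            findings["review"].append(acct["user"])
        if (today - acct["last_login"]).days > dormant_after:
            # Rarely used access is the kind its owner forgets about.
            findings["dormant"].append(acct["user"])
    return findings

if __name__ == "__main__":
    for category, users in audit_access(REMOTE_ACCESS_ACCOUNTS, HR_ROSTER, date(2021, 3, 4)).items():
        print(f"{category}: {', '.join(users) or '-'}")
```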

4. Security awareness

- Training users to be aware of threats can reduce risk significantly

- If in doubt, when asked for sensitive information, check that the request is legitimate

Human error is often what allows hackers to gain access to a system. We’ve already seen that a significant proportion of hacks exploit poor password discipline, but ‘phishing’ attempts are becoming more and more common. When Russian hackers tried to gain access to the voting systems used in the 2016 US election, this was the method they used.

It is a common occurrence in nearly every professional’s inbox: a seemingly trustworthy request, supposedly from a trusted source, asking users to follow a link to ‘reset’ their login details, or providing them with access to a shared file.

If the user follows the instructions, they will provide the hackers with everything they need to access their accounts.

The solution is awareness. MFA (discussed in point 1) can help prevent access to an account even if the user does inadvertently give away their details, but the surest way of avoiding this trap is to recognise when the request is fake.

Check the email address. Is it legitimate?

Are the elements of the email as they should be? Do the logos look correct? Is the small print in order?

Phishing attacks are getting more and more sophisticated, so it can be very difficult to tell when an attack is underway. If there is any doubt as to the legitimacy of a request, contact the purported originator for confirmation before acting.
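The checks above (is the sender address legitimate, does the link go where it claims) can be applied mechanically before anyone clicks. This is an added example, not code from the article: the trusted domain and the sample message are constructed, and the message is built to show the two things a reader should look for, a sender domain that merely contains the real organisation’s name, and link text that differs from the link’s destination.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the only domain this organisation sends login/reset mail from.
TRUSTED_DOMAINS = {"example-water.org"}

# Constructed phishing-style message for the example (not a real one).
SAMPLE_EMAIL = """\
From: "IT Support (Example Water)" <it-support@example-water.org.mail-reset.net>
Reply-To: helpdesk@mail-reset.net
To: operator@example-water.org
Subject: Action required: reset your control-system login today
Content-Type: text/html

<p>Your remote access password expires today.</p>
<p><a href="http://mail-reset.net/login">https://portal.example-water.org/reset</a></p>
"""

def domain_of(address_or_url):
    """Lower-cased domain of an e-mail address or URL ('' if none)."""
    if "@" in address_or_url:
        return address_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(address_or_url).hostname or "").lower()

def is_trusted(domain):
    """True only for a trusted domain or a subdomain of one (so a domain that merely
    contains the trusted name, like example-water.org.mail-reset.net, is rejected)."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)

def check_email(raw):
    """Apply the article's checks to a raw message and return a list of warnings."""
    msg = message_from_string(raw)
    warnings = []
    _, sender = parseaddr(msg.get("From", ""))
    if not is_trusted(domain_of(sender)):
        warnings.append(f"sender domain {domain_of(sender)!r} is not trusted")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(sender):
        warnings.append(f"reply-to domain {domain_of(reply_to)!r} differs from sender domain")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body):
        shown = text.strip()
        if shown.startswith("http") and domain_of(shown) != domain_of(href):
            warnings.append(f"link text shows {domain_of(shown)!r} but points to {domain_of(href)!r}")
        if not is_trusted(domain_of(href)):
            warnings.append(f"link destination {domain_of(href)!r} is not trusted")
    return warnings
```

Running `check_email(SAMPLE_EMAIL)` yields four warnings; a message from `it@example-water.org` with no links yields none.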

Bonus step: Training staff to recognise threats

Staff training is an important element of ‘best practice’. This can be done internally, or by bringing in IT management services that provide training as part of their packages. They can also keep you informed about new tactics being used to trip up unsuspecting users and make sure you’re always up to date on developments, both in malicious attacks and preventative best practice.

While this may seem trivial, much like password discipline, it’s about building good habits. Once staff know what to look for and check for the tell-tale signs of a phishing attack as a matter of course, your network will be much less susceptible to hacks, and your data and control systems will be significantly more secure.


Max Howells

A freelance content and projects consultant, specialising in the water and environmental technologies sectors.