"Hacker Penetrates, Controls, Water Utility." The headline says it all. A recent article by cyber crime expert David McNeil, details the dangers that can occur when a water system is left unguarded and vulnerable to a cyber attack. For a utility that's vulnerable, a cyber attack can result in manipulation of the water system. An example of this was a water utility going by the pseudonym “Kemuri Water Company,”  a system that was infiltrated by hackers with Syrian-ties (the real name is not revealed to prevent further threats to similar systems). The hackers managed to gain control of the valves that manage the system's chemical treatment.

To read the full article, click here.

What You Can Do to Protect Your Water System?
David McNeil, who educates operators on how to protect their water systems from cyber attacks, advises water managers to take precautions by taking the following steps.

1) Get Familiar with the Risks!
The first step in protecting your operations is to take notice of the various cyber risks. Hackers, attackers, and intruders, seek to exploit weaknesses in software and computer systems for their personal gain. Although their intentions are sometimes benign, their actions are typically in violation of the intended use of the systems that they are exploiting. Malicious code better known as viruses, worms, and trojan horses are among the methods hackers utilize.
Types of Malicious Code:

• Viruses infiltrate your system through an email attachment, download, file, or by visiting a website.
• Worms is a code that reproduces and spreads through computer systems on its own, exposed through software flaw.
• Trojan Horse is disguised as a program that claims to do something to help your computer use (e.g. speed up processing) but instead, sends confidential information to a remote intruder.  

2) Develop a risk management plan.
IT Risk Management Plans utilize industry standards and best practices to evaluate hazards at your organization. A plan will help your organization asses your exposure from unauthorized access, use, disclosure, disruption, modification or destruction of information. Consider the following when implementing risk management strategies at your organization:

• Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their function, the data stored, processed, and importance to the organization.
• Review the cyber risk plan on an annual basis and update it when significant changes occur.

3) Take Precautionary Measures When Selecting Your Internet Service Provider (ISP)
Almost all ISPs offer Web browsing capabilities with a varying degree of user support and Web hosting capabilities. To select an ISP that will reduce your cyber risks, consider the following:

• Security - How concerned with security is the ISP provider?

• Privacy – Does the ISP have a published privacy policy.
• Services – Does your ISP offer the services that you want and do they meet your organization’s needs?
• Cost - Are the ISP’s cost affordable and are they reasonable for the number of services that you receive?
• Reliability – Are the services provided by the ISP reliable, or are they frequently unavailable due to maintenance, security problems and high volume of users?
• User support – Are there any published methods for contacting customer service, and do you receive prompt and friendly service?
• Speed – How fast is your ISP’s connection, and is it sufficient for accessing your email and navigating the Web?
• Recommendations – What have you heard from industry peers about the ISP?

To learn more about other ways to reduce your potential risks, click here.
Source: David McNeil, ARM 877.328.4390/714.856.4221

---

FREE Small Systems Workshop