Cyber Security
Assessment, Testing, and Planning
Cyber Preparedness for the Modern Utility
Cyber security attacks on US water and wastewater systems is an increasing threat to our safety and security. Specifically, cyber attacks against utilities across the country are becoming more frequent and more severe.
%
Nearly 70% of utilities are suspected to be operating below industry standards for prevention of breaches, hacks, and attack.
*MSN.com 2024
What is Cyber Security?
Cyber security is the practice of protecting individuals, systems, networks, and processes from digital attacks. These attacks can include attempts to access, change, or destroy sensitive information, extort money, or disrupt business processes. For utilities, physical consequences often result from these attacks such as infrastructure shut down and/or damage.
Water, Wastewater & Other Municipal Systems – Then vs. Now
- Increased connectivity and responsiveness
- Real-time monitoring and remote control equipment
- E-billing for municipal services and tax payments
- Cloud based file storage and information systems
- GIS, Auditor, Health Records, Customer data
These added benefits come with increased cyber security risks.
Cyber Security Breaches – What is the threat?
An increase in the adoption of digital controls means increased vulnerability. Successful hackers could (and have) hijacked control of a community’s water supply, an entire region’s oil & gas supply, the electrical grid after penetrating the provider’s control systems.
In the event of a coordinated attack:
- No gas/diesel for vehicles, no heat for homes
- No running water for drinking and sanitation
- No electricity, no lights
- No phone calls, no internet
Most households only have a three-day supply of food and water.
American Housing Survey, 2017
Recent Cyberattacks in the News:
Clay County Indiana suffers Cyberattack; Emergency Declared
Brazil, Indiana -- Clay County EMA officials report that the Clay County Courthouse, Community Corrections, and Clay County Probation offices have suffered a ransomware cyberattack that has significantly disrupted services of those departments. As a result, a state of...
Protective Action Steps
The EPA and CISA mandate cities, towns and other municipalities take action to protect infrastructure from the threat of cyber attacks, per the Federal Info Security Modernization Act (FISMA). BCS’ GovWeb group, in coordination with our trusted partners, is offering the following cyber security testing programs in 2024:
Vulnerability Assessment
Regular (annual basis or quarterly basis) vulnerability scans provide a real time view of weaknesses that could easily be exploited by malicious intenders like hackers. This is where 3rd party IT providers can be exposed for what they aren’t doing.
Penetration Testing 1001
External pen test (includes vulnerability assessment) Both pen tests we “attack the human firewall”, employees use their work email and password on 3rd party sites like Home Depot, fishing, password reset emails, Teams, texting, social engineering, etc.
Penetration Testing 1002
Full internal/ external pen test (includes vulnerability assessment) Internal pen test, they send a device to plug in and try to hack from the inside
Risk Assessment (processes)
Identifying potential issues in your administrative, managerial and technical environment. Having meetings with department heads, administrative people. People, process, and technology. Looking for risk within the daily process, what are the ‘crown jewels’ of the town i.e. information on residents that the town has from tax bills, water bills, etc. How the data comes in, where it’s being stored, who has it?
Incident Response Planning
Required from a regulatory perspective for a lot of industries, HIPPA, DoD. Enables the town to have an incident response plan but more importantly, an incident response Team. Anyone who is on the incident response team can go to the plan and find remediation even in the event of absence of “main IT person”
Each of these services may be procured a la carte or in various combinations. A comprehensive assessment and plan consists of the following high level elements:
- Conduct a Risk Assessment of your operations
- Conduct Penetration Testing
- Develop a Written Information Security Program (WISP)
- Train your employees
- Have a Plan – build an Incident Response Team within your organization
Pricing varies based on security testing items selected, number of systems impacted, number of employees, buildings and other infrastructure groups. An introductory call is required to define the scope of work and fee for each client.
Contact us using the form below, or call (260) 227-7572 for your initial scoping assessment.
Contact Us
Our Work
