Public Safety Canada (PSC) recently released a new version of its cyber security tool for owners and operators of water and other critical infrastructure.
The Canadian Cyber Security Tool Version 2.0 (CCST 2.0) is a virtual self-assessment tool that gives users an overview of their organization’s ability to resist cyber attacks.
CCST 2.0 is a short self-assessment that also gives owners and operators comparative results in critical infrastructure.
The original CCST performs a basic virtual assessment of an organization’s cyber security resiliency.
It consists of 38 questions and provides an assessment of an organization’s technical and program approach to cyber security. Approximate time to complete it is one hour.
CCST 2.0 is more detailed.
It contains just over 100 questions and provides direct mapping to the National Institute for Standards and Technology (NIST) cyber security framework, with additional ratings for each NIST function. Approximate time to complete CCST 2.0 is two hours.
Interested individuals are asked to contact PSC to obtain a user name and password or to receive additional information.
Water utilities make attractive targets for hackers.
In 2021, someone hacked into the water system of a small city in Florida and boosted the level of sodium hydroxide or lye in the water supply to 100 times higher than normal.
Sodium hydroxide, the main ingredient in liquid drain cleaners, is used to control water acidity and remove metals from drinking water in treatment plants.
Lye poisoning can cause burns, vomiting, severe pain and bleeding.
According to reports from digital security organizations, there have been more cybersecurity incidents involving large organizations since the arrival of the COVID-19 pandemic.
One of the reasons is that more people have been working remotely and many of them behave differently at home than in the office.
Employees court cyber trouble if they visit unsafe websites on a work device, allow others in the household to use a work device, or use work devices for personal reasons.
All of this is risky business that puts an organization’s network and data in jeopardy.
Victor Wong, director of electrical, SCADA (Supervisory Control and Data Acquisition Systems) and facilities in the Vancouver office of international consultants WSP, said a good hacker with persistence and a little knowledge of control systems can infiltrate a system easily.
“They can do a lot of damage,” said Wong. “For example, they can disrupt operations, over-chlorinate the water system, overflow the reservoirs and turn equipment on and off so that it fails.”
Larger municipalities that have put considerable effort into building cyber security into their control systems, such as Metro Vancouver, don’t face as great a risk as smaller municipalities.
Nevertheless, water infrastructure owners and operators of all sizes should perform a system vulnerability assessment to find out how safe they are.
“Keep a close eye on your system,” said Wong. “Watch for inconsistencies in system performance and develop a cyber security plan for your control system.”
Vlad Mayzel, founder and owner of 604-GET-HELP Computer Services in Vancouver, said hacking administrative systems and the industrial controls of water infrastructure is “certainly doable.”
“There are tools available for free or on the black market if someone knows where to look,” said Mayzel. “A script kiddie (young amateur) is unlikely to do it unless the kid has already gained access to the systems. It could be the child of an employee or a disgruntled employee who has the passwords or physical access.”
Machinery that is not connected to the Internet can also be exploited by a determined hacker if it’s a high-value target, which is what happened to an offline centrifuge in Iran a few years ago.
“There’s also another aspect called social engineering, or phishing” said Mayzel. “A perpetrator can trick the rightful owners into giving the keys to the castle, so to speak.
“There’s no need to break into anything, just design a well-executed phishing attack, to make the password holders disclose their passwords. Many people are still getting tricked that way.”
Mayzel said cellphones are also vulnerable.
“The weakest link might not be the phone itself,” he said. “The source of the problem might be your provider not doing enough to protect your account.”
Cellphones are often used to send text messages with confirmation codes for two-way authentication.
“We have witnessed too many times when a customer’s entire phone account was hijacked and from there, hackers got access to everything else,” Mayzel said. “We’ve seen users losing their crypto currency, we’ve seen hackers withdrawing funds from chequing accounts and credit cards, and we’ve seen people locked out of their accounts and their login to the computers with all their data.”