Own IT. Secure IT. Protect IT

Resource Recovery, Technology and Innovation

Upcoming training opportunity – CWEA’s free skills building webinar 10/17 at 11am – The Phishing Epedemic w/ David Malm, Deputy Manager of IT for IEUA

Make Yourself Accountable for Your Utility’s Cybersecurity

The theme for this year’s National Cybersecurity Awareness Month (NCSAM) is “Own IT. Secure IT. Protect IT,” which was selected, in part, to encourage personal accountability by the actual users of information technology (IT) systems. Recent successful attacks demonstrate the relevance of this year’s message. Take for example the ransomware attacks against three Florida cities over the summer. According to reporting, each of these incidents occurred as a result of a single employee clicking on an email attachment. In a ransomware attack, malware encrypts an organization’s files until a ransom payment is made. With this year’s NCSAM theme and recent incidents in mind, here are some tips for utility employees, including executive management.

Own IT >> Staying Safe on Social Media

Social networking sites serve as a means for colleagues and friends to connect and even collaborate with one another. But the information employees share with one another can be used by attackers for malicious purposes. If a social media connection is an attacker, unbeknown to an employee, the connection may be able to collect information about the employee and his or her utility that can be used to facilitate business email compromise (BEC) scams. In such scams, an attacker can appear to be a supervisor, directing others in the utility to execute wire transfers or disclose employees’ personal information.

To protect themselves and their utilities, employees should keep in mind that the internet is a public resource, available to people who may have bad intentions. Employees should ask themselves whether they are comfortable with just anyone seeing the information in their profiles and posts. If the answer is no, it is best to omit certain details. Employees should also be wary of strangers asking to become connections.

The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has tips on Staying Safe on Social Media Sites and Avoiding Social Engineering and Phishing Attacks.

Secure IT >> How to Spot and Avoid a Phishing Email

Phishing occurs when a cyber attacker sends a user an email designed to look like a legitimate email, such as from a bank or online service, but which instead contains malicious links or attachments. These links and attachments expose the user’s computer to malware, including ransomware. It can take just one cleverly crafted phishing email to undermine all of a utility’s efforts to protect itself, including those intended to prevent phishing emails from actually reaching employees. Using technology to protect employees is only half the solution – it is also vital to implement security awareness programs that educate them.

To help a utility mount the best defense against pervasive and increasingly sophisticated phishing threats, its security awareness program should include phishing tests that expose employees to simulated versions of these attacks. To start, utilities can have their employees take free, online tests, such as Google’s phishing quiz. More advanced phishing tests, available for a fee, allow utilities to run simulated and customizable phishing campaigns against employees. They help utilities identify the employees who are most susceptible to acting on phishing emails. Those employees then can receive tailored training.

Protect IT >> WiFi Safety

Another way in which employees may expose their utilities to threats is through their use of public WiFi, which typically is an unsecured network that can allow attackers to view everything the user is seeing and sending. Even public WiFi networks with passwords are not considered secure, as someone else who knows the password can conduct the same malicious activity as he or she would on a network without password protection.

While employees using public WiFi is an inevitable reality, there are several things they can do to make their activities more secure. For one, a Virtual Private Network (VPN), which allows an employee to encrypt his or her web traffic from external parties, should always be used when accessing public WiFi. Employees should accessing and transmitting sensitive information; they should only visit webpages that use HTTPs as opposed to HTTP; and they should update software and apps whose unpatched vulnerabilities could be exploited to conduct cyber attacks.

These are just some of the many cybersecurity best practices employees should follow to help thwart attacks against their utilities. Based on recent incidents and what is known about how cyber attackers operate, employees who adopt these measures will do much to keep themselves from being the conduit for an attack on their utilities.

For further cybersecurity resources for the water sector, visit the Water Information Sharing and Analysis Center (WaterISAC). Created by and for the water sector, WaterISAC provides a rich clearinghouse of information about cybersecurity, as well as physical security and emergency response. Among these resources is WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities. Published this year, the guide describes best practices that utilities should implement to improve their cybersecurity. In addition, WaterISAC conducts monthly online Water Sector Cyber Threat Briefings, discussing emerging threats and tools and resources to reduce vulnerabilities.

CWEA is a proud member association of WaterISAC.