Staying Secure in the Digital Age
Catastrophic earthquakes, extreme weather events, cyberattacks by foreign nations, active shooters, domestic sabotage: these are just some of the threats the PUD reviewed in a pair of studies concluded this winter.
The first study was undertaken in response to federal Safe Drinking Water Act rules requiring community water systems to complete a Risk and Resilience Assessment (RRA) and Emergency Response Plan (ERP). The study began in early 2021 and was broadened to include electric and computer network assets as well as water systems.
The study documented PUD assets, possible threats, vulnerability to those threats, likelihood of occurrence, and impact on the utility in a spreadsheet matrix. The likelihood that a nefarious actor would contaminate a particular PUD water source with a biotoxin was calculated at .00001, or one event per year per 100,000 utilities. The likelihood of a cyberattack on our employee computer network is 0.3. Quite a bit higher. And not surprising given the PUD is subject to various forms of attempted cyberattacks nearly every day.
According to IT Manager Kris Lott, the vast majority of attacks aren’t the kind depicted in movies, where a hacker taps furiously at a keyboard for hours on end until they break through multiple layers of network defenses and take control. Known as brute force attacks, these kinds of hacks are rare. The kinds the PUD is subject to are simpler hacks like phishing or spoofing.
“We easily see a dozen phishing attempts a week,” said Lott. “These are fake emails that pretend to be from a reputable sender and try to encourage the recipient to open an attachment or log into a fraudulent site. Some of them are laughable,” said Lott. “Others are pretty sophisticated, duplicating contacts and information from sources specific to the utility or employee.”
Though Lott took pains not to downplay risk, he said PUD firewalls catch many phishing attempts, and can isolate the threat even if an employee opens a nefarious attachment. He also noted that the PUD’s networks are isolated from each other, limiting the spread if one network is breached.
The PUD’s employee network is separate from the network that is used to operate water and electric systems, and both are separate from the PUD’s wholesale and soon-to-be retail broadband network. The PUD’s website is not hosted on any of its networks, nor is its billing system. No customer financial payment data is stored on PUD-owned networks.
According to General Manager Kevin Streett, isolating networks is essential against brute force hacks, but less effective against post-it notes. Streett learned this firsthand after completing a Cybersecurity Incident Response Training in December. The training was provided by Energy Northwest, the non-profit formed by PUDs that operates WA state’s nuclear plant.
“Some of the things we learned we need to do are standard security issues: improving our gates, adding cameras, changing locks,” said Streett. “But the change we needed to make first was getting rid of post-it notes with passwords. Hard to stop somebody breaking into your computers if the passwords are on a note stuck to the desk.”
Overall, Streett said the results of the training were eye-opening. “The Energy Northwest team uncovered a lot of issues. But that is why we called them. We had to see where we were vulnerable so we could improve.”