Basic warnings and precautions for water utilities to follow in the dangerous world of computing

1. Hack Attack: Computer Safety 101 for Utilities
Brian Gongol
DJ Gongol & Associates, Inc.
November 3, 2021
Nebraska Section AWWA Fall Conference
Kearney, Nebraska

2. Survey of cyber threats to the water sector

3. Trojan horses

4. Payloads

5. DOS/DDOS attacks

6. Ransomware

7. Impostors and social engineering

8. Phishing

9. Spearphishing
An actual spearphishing attempt against Nebraska AWWA:

10. Spearphishing (again)
Oh, and it
happened again
this year:

11. Catphishing

12. Practical steps you can take

13. "Use antivirus" used to be enough

14. Use antivirus, but that alone is far from enough

15. Step 1: Watch what enters the castle

16. Don't pick up stray memory devices

SD cards

Flash drives

DVDs

17. Attachments: When in doubt, call first

18. Isolate mission-critical devices
Mission-critical devices

SCADA

Accounting

Payment processing

Sensitive customer data
At-risk devices

Internet browsing

Email

Social media

Videos

General computing

19. Physically guard all your devices
This is how Microsoft guards a data center:

20. Install firewalls wherever possible

21. Step 2: Secure the gates

22. Always replace default passwords

23. Complex passwords

Pick a song, poem, or sentence

Use the first letter of each word (with case) and all
numbers and punctuation

24. Complex passwords

"Oh, say can you see? By the dawn's early light."

25. Complex passwords

"Oh, say can you see? By the dawn's early light."

"Oh, say can you see? By the dawn's early light."

26. Complex passwords

"Oh, say can you see? By the dawn's early light."

"Oh, say can you see? By the dawn's early light."

Password: O,scys?Btdel.

27. Two-factor authentication

28. Use public WiFi only with a VPN

29. Don't fall for screen-sharing requests

30. Look out for near-miss URLs

31. Step 3: Don't broadcast your information

32. Avoid photos of desks and work spaces

33. Avoid photos of desks and work spaces

Passwords

Calendars

Client data

Photos

Other clues

34. Scrub documents before sharing online

35. Keep your whereabouts quiet

36. Step 4: Don't be shy about "who goes there?"

37. Role-dependent emails

superintendent@springfieldmonorail.gov

billing@springfieldmonorail.gov

bidding@springfieldmonorail.gov

38. Don't send suspicious-looking materials

39. Use TO:, CC:, and BCC: fields judiciously

40. Step 5: Only venture out if prepared for battle

41. Double-check every link before you click

42. Never pay without HTTPS

43. Consider buying cybersecurity insurance

44. Train employees in cybersecurity hygiene

Doesn't mean getting an
IT degree

Better to get small but
frequent doses of
instruction

Develop habits

Show that cybersecurity
is taken seriously "from
the top"

45. Step 6: Keep an eye on the foundation

46. Keep up on OS updates

47. Keep your apps updated

48. Encrypt customer data

49. Keep vital backups in untouchable spots

50. Maintain an inventory of devices
Utility-owned devices
BYOD (Bring Your Own Devices)
Permission levels for all devices
Accounts permitted on each device
Where each device is allowed to go

51. Know your first call if something goes wrong

52. Social media: What to do about it safely

53. Capture (and use) authentic usernames

54. Use management teams, not shared passwords

55. Don't ask for sensitive information

56. Resources

57. EPA technical assistance
https://horsleywitten.com/cybersecurityutilities
(Contractor)

58. EPA incident checklist for water utilities
https://www.epa.gov/sites/default/files/2017-11/
documents/171013-incidentactionchecklist-
cybersecurity_form_508c.pdf

59. WaterISAC fundamentals guide
https://www.waterisac.org/fundamentals

60. CERT updates
https://us-cert.cisa.gov/

61. National Cyber Awareness System
https://us-cert.cisa.gov/ncas

62. CERT advisories
https://us-cert.cisa.gov/ics/advisories

63. CERT resources for local governments
https://us-cert.cisa.gov/resources/sltt

64. AWWA cybersecurity resources
https://www.awwa.org/Resources-Tools/Resource-
Topics/Risk-Resilience/Cybersecurity-Guidance

65. Questions?

Thank you for your time
and attention!

This presentation will be
available online at
gongol.net/presentations

Brian Gongol
DJ Gongol & Associates

515-223-4144

brian@gongol.net

@djgongol on Facebook,
LinkedIn, and Twitter

66. Credits

Screenshots depicting particular threats taken from US-
CERT and from the author's own encounters

Photographs are all the original work of the author