FRESNO, Calif. (FOX26) — It’s bad enough there isn’t much water this year for local farmers.
Now, they’re dealing with another threat: ransomware.
“You are the breadbasket of the world and you’re in the middle of a drought. What thing would I hit to really hit you hard? Water,” says Michael Hamilton, Founder of Seattle-based Critical Insight Security. “Food and ag and water, I think, are your big exposures out there.”
“I would say they’re more prepared now. Historically, no,” says Brian Horton, with Fresno-based Breadcrumb Cybersecurity.
He says his company has helped 12-14 agricultural organizations that have been compromised.
Most reached out after an attack.
“It’s not a small compromise, it’s pretty complex. And these ag operations suffer quite a loss,” Horton said.
Partly because most are dealing with perishable products.
And, “a lot of this critical infrastructure is managed by very outdated technology.”
The same could be said for water operations.
In January, cybercriminals broke into the systems of a water treatment plant in Oldsmar, Florida, and tried to poison the supply.
“They were running some old software. This desktop sharing software wasn’t even being used anymore, but it was still accessible,” says Kevin Morley, Manager of Federal Relations for the American Water Works Association (AWWA).
The non-profit group provides guidance and standards for 53,000 members, including water utilities, municipal and irrigation districts across the U.S.
“It’s a dynamic and escalating threat,” Morley says. “I’ve been advocating for people to think about this. It’s like you’re almost guaranteed to be touched by this in some way. The question is, are you prepared?”
He pointed to a recent advisory sent by The White House, calling on executives and business leaders to take measures to protect themselves from a cyberattack.
“Water treatment experts need to understand the equipment and we look at it through the lens of, ‘How do you use the technology?’,” Morley says. “There’s certain controls that you should have in place.”
AWWA has been in the process of offering cybersecurity webinars and workshops to smaller water systems.
He says the experience has been eye-opening for members.
“I think the issue is a little intimidating, right? ‘It’s cyber security, so it must cost millions of dollars to fix.’ What we’ve been trying to do is remove some of the mythology about this,” Morley says. “Some of these things are quite simple.”
AWWA recommends measures including implementing multi-factor authentication and strong password encryption.
Bottom line: the key is to be proactive.
“What we’re really trying to do is help organizations now to build a posture so they know when they’ve been breached. If they can detect a breach and stop it, that’s still a huge win,” Horton says.
Horton says cybercriminals will often have infiltrated a company’s computer system six months before they strike with a ransomware attack.