6 Things The Water Industry Should Know About Cybersecurity

1. Cybersecurity Guidelines Exist for the Water Industry

Recognizing that public water sector companies often have limited financial and human resources, American Water Works Association (AWWA) has outlined specific guidelines that provide a prescriptive approach to cybersecurity for Water, Wastewater, and Water Management Systems. 

 

2. Online Risk Assessments are a Good Place to Start

To build a secure infrastructure, you must understand where you are vulnerable, and AWWA offers a Cybersecurity Risk Management Tool to help you do that. Through a series of multiple-choice questions, you’ll be asked to consider the different access points to your network.

This tool is a high-level assessment that doesn’t take into account the intricacies of your organization, but it provides great value in building awareness of the areas where your organization may be at risk.

 

3. Cyberthreats Come From Many Departments 

When assessing risks to water utilities, the tendency is to focus on OT systems. While securing your control system is essential, it is important to realize that your network could be infiltrated through unrelated systems, such as accounting software or a document storage system. 

When performing your risk assessment, it’s important to look at the entire organization, not just your PCS environment.

 

4. Secure Remote Devices

As OT systems allow for greater remote access, the risk of a breach increases. It may be convenient to check on the control system while you’re in Starbucks, but that one action can undermine an entire cybersecurity program. In fact, one study found that unsecured networks accounted for 72% of security breaches.

Any remote device used to access the control system should always be protected by a VPN, especially if public Wi-Fi networks will be used.

 

5. Every Network is Vulnerable

A lack of direct internet connectivity does not automatically guarantee a network’s security. The reality is, every network comes with its own set of vulnerabilities. The key is to assess the severity of these vulnerabilities, and develop a comprehensive plan to mitigate associated risks.

Water utilities should establish a robust network security infrastructure, which includes:

  • firewalls
  • intrusion detection and prevention systems
  • network segmentation to separate critical systems from non-critical ones
  • regular network traffic monitoring and analysis to identify potential threats and vulnerabilities

 

6. Secure By Design

The Cybersecurity and Infrastructure Security Agency (CISA) promotes the concept of Secure By Design, in which every technology provider ensures that their products are secure by default. Keep this concept in mind when you source new technology, to ensure security features are built in without the need for extra configuration or cost. Having tools that are secure by design will help organizations avoid some risk exposure, but it is important to realize that a cybersecurity program is not just about security features. You must also account for the human element and build a culture of security.

If creating a strong cybersecurity program is a challenge for your organization, please get in touch. Luminary A.C.E. specializes in helping water utilities create efficient and secure OT systems.

Cybersecurity Is Not About Investing In Tools, It’s About Changing Culture

Our water infrastructure is one of the most important aspects of our daily lives. National security, economic stability, public health, and safety all rely on access to clean water. 

That makes cybersecurity a critical safety issue for water utilities. Outdated automation systems, networks, and applications are vulnerable to cybersecurity attacks. In addition, many utilities lack the proper policies and procedures for mitigating these types of threats.

Protecting a critical resource, such as water, requires more than just implementing tools to comply with a set of standards. It’s about creating a culture of awareness of threats that exist and developing resiliency in infrastructure by implementing the right set of tools that enables productivity and minimizes adoption risks.

Many water and wastewater utilities understand the importance of cybersecurity but fail to act. They either lack the expertise or investment to address cybersecurity risks, or they fear that implementing security measures will impede productivity.

A Gartner 2022 study found that spending on security products and services is forecast to grow 11.3% in 2023. According to the study, spending will reach $188.3 billion because more companies are willing to invest in security and risk management. However, if not implemented correctly, these tools can do more harm than good.

The Threat to Water 

In OT environments, cybersecurity risks are no different than occupational safety or health risks. Tools can create more vulnerability for organizations. They can become an attack vector if they aren’t actively managed, patched, and maintained. 

There are numerous recent examples of attempts to damage infrastructure and to contaminate or disrupt the supply of drinking water and wastewater treatment services by exploiting weaknesses in water utilities’ infrastructure.

An example of the consequences of a lack of planning is the attack at the Georgia Drinking Water Plant back in 2013. In this attack, an individual tampered with the chemical settings at the water treatment plant, which resulted in over 400 customers losing access to drinking water. If appropriate security measures had been in place, such as proper monitoring, this issue could have been avoided.

The water facilities in Maine, California, and Nevada all experienced ransomware attacks in the past few years. These hacks went beyond disabling computers, and paralyzed the specialized supervisory control and data acquisition (SCADA) devices that send commands to equipment.

In Florida, hackers were able to gain access to the computer system and increase the amount of sodium hydroxide being distributed into the water supply. 

Why Tools Fail

Verizon Wireless released its 2022 data breach findings and found that 82% of breaches involved the human element. On top of that, ransomware breaches were up 13%, an increase greater than the previous five years combined.

In most water and wastewater organizations, cybersecurity is identified as important but treated as an afterthought. This thinking often leads companies to implement tools that address gaps in compliance without fully understanding the risks or potential threats that are present. Implementing controls should align with the broader organizational strategy and be done with end-user behavior in mind.

If not done correctly, tools are a burden for end users and operators alike, who then seek ways to work around them, creating more risk for utilities.

What Steps Can an Organization Take to Change Company Culture Around Cybersecurity?

Organizations need to change their cultures to become more cybersecurity aware. 

Like all company policies, building a culture of operational resilience and cyber readiness starts at the top. Cybersecurity must be discussed, prioritized, and championed by leadership in order for it to flow down to employees. 

Here are some internal shifts to make:

  • Include cybersecurity as part of your overall business strategy
  • Focus on leadership buy-in 
  • Develop awareness training for employees
  • Prioritize usability when selecting and implementing new tools

The Importance of Leadership 

In order to enact any internal changes, leaders must lead the charge. It’s important for utility board members and executive leaders to champion cybersecurity initiatives.

When leaders make it a point to create a culture around security and safety, it becomes part of everyday operations instead of an afterthought.

Communicating these practices regularly also builds customer trust. When customers see how ingrained cybersecurity is in the culture of an organization, it shows how their data is valued and protected.

Awareness Training

Once leadership has introduced security practices, continued training is necessary. 

Adoption is key. 

The best way to ensure adoption is to make cybersecurity a priority that aligns with the utility’s overall strategy. This includes making sure the right people in each department buy into the new tools and see their value.

Implement the Right Tools

Tools are designed to help enhance security, but organizations run into challenges when these tools are not used to their full capabilities. Some common mistakes we see when it comes to cybersecurity tools:

  • They don’t get properly or fully configured
  • Organizations don’t have the resources to manage the tool over its useful lifecycle
  • Tools can negatively impact productivity

The Future of Water Security

The Biden administration recently announced a new initiative to secure U.S. water systems from cyberattacks. The plan includes new technology recommendations for water utilities to help detect cyber threats. On top of that, water utility operators and federal officials will be encouraged to share more information with one another when it comes to potential threats. 

In order to keep control of our drinking water and wastewater, it’s important to adopt and change as threats get more sophisticated. This includes bringing in new technologies when necessary, but factoring in human buy-in is the most valuable part of the process to ensure the effectiveness of any new technologies. People are our most critical asset. 

Newly Formed Partnership Provides Secure Automation Services to Utilities

February 1, 2022 – The leaders of Luminary Automation and Engineering and Wells Mason Cyber Group announced today that they have formed a partnership to bring their offerings together. The newly formed Luminary Automation, Cybersecurity and Engineering will focus on providing a full scope of services to deliver secure, innovative ICS / SCADA solutions.

“The increasing incidents of cyber attacks are putting our nation’s economy at risk, as ransomware and malware attacks against critical infrastructure and the supply chain have the potential to disrupt millions of Americans. By creating this new partnership, we aim to help companies operate efficiently and securely,” stated Wells Mason President, Don Wells.

“Providing our clients with innovative solutions that incorporate risk planning and mitigation sets Luminary apart from others. We want to ensure our clients’ success through the appropriate application of technology while ensuring the people have the processes they need to be successful,” says Dean Ford, CAP PE, COO and Managing Principal Engineer.

Luminary will maintain headquarters in Baltimore, with satellite locations in Pennsylvania, Alabama, and California.

 

About Luminary Automation, Cybersecurity and Engineering: Luminary is a provider of professional control system engineering, automation and cybersecurity services. As a premier engineering and consulting firm, Luminary helps develop reliable solutions for industries including water and wastewater, food & beverage, manufacturing, energy, construction, and the military.

How Security Impacts Company Value

It’s widely known that recovering from a cyber-attack can be costly to small businesses, but many entrepreneurs do not realize that their security measures can actually impact their company’s valuation.

It’s understood that if two companies are discussing a merger or acquisition, the potential buyer will perform due diligence from a financial and legal standpoint. However, integrating cybersecurity due diligence into the M&A process is essential for identifying risks that could inform decision-making and negotiation.

Why Security Impacts Company Value

For many startups, especially in the tech space, IT infrastructure is a core component of the business. If that core is not secure, it raises a red flag for a potential buyer, as it indicates they will need to make investments beyond the acquisition cost.

You might think of it as inspecting a house before making a purchase. If the inspection reveals cracks in the foundation, a buyer is likely to walk away from the deal. 

The same is true in business. If an assessment uncovers weak points that could be exploited by a hacker, it may cause the deal to fall through.

What to Expect from Cybersecurity Due Diligence

When a potential buyer performs a cybersecurity due diligence assessment, they will likely explore the following areas:

Data Inventory

An evaluation of:

  • all the data a company has
  • where data is stored
  • how data is transferred

This provides insight into data security and privacy risks and identifies gaps.

Prospective buyers do this to understand their risk exposure, especially as it relates to regulatory compliance standards and privacy legislation.

Cybersecurity Risk Assessment

Understanding an organization’s cybersecurity tools and practices has become a standard practice of the M&A process. 

These assessments:

  • inform decision makers on gaps in compliance 
  • identify threats and vulnerabilities to information assets 
  • develop a mitigation plan to prioritize and remediate each risk

Third-party Risk Assessment

The way a company interacts with vendors, suppliers and service providers impacts the overall security of a business. 

Penetration Testing

Professional penetration testing teams carry out simulated attacks to examine systems for exploitable vulnerabilities, as well as social engineering exercises to gauge employees’ security awareness. 

These tests provide measurable insight into the real-world risks an organization faces.  

 

Digital Transformation

Digital transformation is the latest buzzword in the corporate lexicon, which means that many people may not actually understand the real goal behind it. 

Simply put, digital transformation is the process of adopting new technology to improve business processes and evolving business practices to unlock new operating models, increasing customer value.

Once a company has digitally transformed, both consumers and employees gain the ability to utilize multiple platforms to interact with the company.  Regardless of the time of day, or device they are on, each user will have the same experience. 

 

Digital Transformation v. Cloud Computing

Cloud computing leverages online resources to make certain computing processes accessible anytime, anywhere. When a business moves to the cloud, that may include changing how employees store files, and access business software or databases.

While cloud computing plays a role in digital transformation, the overall process goes beyond just migrating to the cloud.  

Digital transformation is the process of evaluating the entire business landscape and finding ways to use technology in order to enhance everything you do. This ranges from operations to customer engagement and can help: 

  • drive efficiencies
  • improve customer experience 
  • adapt to change  

Digital Transformation and Company Culture

COVID-19 has accelerated the need for digital transformation and made it an absolute necessity to survive the pandemic period. The shift to remote work has forced many companies to update policies, streamline processes, and enhance data security controls to enable employees to work from anywhere.

As we’ve seen recently, many companies have gone fully remote and, in many cases, remote work has now become table stakes to attract and retain top talent.

This means that traditional network boundaries, such as requiring employees to be in the office to access information, are a thing of the past.  

 

Cybersecurity is a Part of Digital Transformation 

Cybersecurity goes hand-in-hand with digital transformation efforts. As companies transform their infrastructure to support work from any device, integrating zero trust principles into business processes is imperative to securing their data, people, and assets.

It’s worth noting that employees may be resistant to the changes this brings. Working in a zero trust environment requires employees to continuously authenticate their identity as they work with different software and systems. 

This can feel like a hassle for some people, and it may be viewed as a barrier for speed and efficiency. That’s why it’s important for company leadership to buy into the process, lead by example, and promote the message that security is everyone’s responsibility. 

Luminary ACE can help businesses be mindful of security as they evaluate ways that technology can help improve their business model. Contact us today to discuss your options.

Impacts of a data breach

The costs of a data breach are rising. 

According to IBM’s 2021 report, the average cost of a data breach has risen to $4.24 million, the highest average ever. They also found that compromised credentials were the most common way hackers gained access, and that remote work has been a large factor in both the frequency and the cost of an attack.

If you’re struggling to understand how these numbers add up, let’s break down what actually happens when a business’s security is compromised. 

What really happens during a data breach?

When a business is identified as a potential target by a cybercriminal, they start with reconnaissance on the employees and systems, and launch an attack using any weaknesses they find.

Once inside the network, their goal is to keep their activity hidden. The longer a hacker has access to a network, the more havoc they may cause, which results in more costs for the business.

It’s terrifying to think that, on average, it takes a company 197 days to detect a data breach.

Imagine the impact to your business when a criminal is hiding inside your network for 8 months, without being detected, modifying, destroying, or stealing sensitive information about your company and customers.

Breaking down the costs of a data breach

Once a breach is discovered, there are both short-term and long-term cost impacts that you may or may not have considered.

Short-term costs

Professional Services

Dealing with a data breach will require cybersecurity professionals to perform a technical investigation to understand the full extent of the hackers’ activity, as well as to guide the organization on a recovery plan and on security measures to protect against future attacks.

A public relations and legal team will also need to be engaged to help manage the fallout.

For businesses that don’t have employees able to perform these duties, outside contractors will need to be brought in at a substantial cost.

Loss of productivity

When a data breach happens, it requires all hands on deck to recover:

 

  • C-suite
  • Communications
  • Finance
  • Legal
  • IT / Security
  • Customer service
  • Business units

When a team has to concentrate on the fallout from an attack, they are unable to focus on their regular activities, and the things that make the company money.

Also worth noting is that many companies react to a data breach by essentially pulling the plug on their servers in order to stop the infiltration. If there are no system backups, or employees have not followed procedures to save their files to the cloud, they may struggle to recover their work (presentations, past records, strategic plans, etc.) and have to redo many tasks.

Loss of sales 

The news of a data breach can erode trust in a company, which often results in a loss of customers, and quickly dries up a sales pipeline.

Perhaps worse is losing customers who leave because of non-performance (employees are dealing with the data breach instead of supporting customers).

Long-term costs

The long-term impacts from a breach could linger for years and include:

  • Operations disruption or loss of business
  • Litigation, fines, fees or liability claims
  • Loss of customer trust
  • Loss of contract revenue
  • Deficit spending

On average it takes 69 days to contain a breach, but it often takes years to recover revenue, and return to normal growth levels.

It’s clear that the recovery process is costly in both time and resources.  The good news is organizations can prevent many cyber attacks by taking proactive and preventative measures such as:

  • risk assessments
  • vulnerability management
  • least privilege practices
  • awareness training and tabletop exercises

These cost-effective measures can mitigate security risks and save an organization from many problems.  If you’d like to discuss how to leverage them for your business, please contact us for a free consultation.  

 

5 Steps to a Cybersecurity Risk Assessment

It’s no secret that cybersecurity breaches are increasing in both frequency and complexity. Ransomware attacks are regularly in the news, and the 2020 Thales Data Threat Report found that:

  • 49% of US companies have experienced a data breach
  • 26% of US companies have experienced a data breach within the last year

Despite these sobering numbers, most of us still believe that it won’t actually happen to us. This false sense of confidence means that many of us haven’t done our homework and performed a cybersecurity risk assessment, and so we may not be aware of an attack when it’s happening.

Consider this: on average, there are 4,800 websites compromised every month with form-jacking code, which allows a hacker to capture credit card information as it’s entered on your website. 

While this attack allows criminals to steal millions of dollars, your website continues to function without any problem. Unless you actively scan your site for malware, test code updates, and monitor activity, you might not even realize your business has been compromised.

The Value of a Cybersecurity Risk Assessment

Performing a cybersecurity risk assessment will give you greater knowledge and understanding of the potential threats that exist, and how they can harm your business. 

Risk assessments can also help you:

  • Reduce costs
  • Avoid financial loss 
  • Strengthen your reputation with clients, vendors and business partners

Step 1: Take Inventory of your information systems

Start by making a list of all the systems your organization uses, including:

  • CRMs
  • Accounting software
  • Payroll systems
  • Website hosting and management
  • Credit card processors
  • Email systems
  • File / document storage
  • Cloud storage
  • SaaS apps or systems

Note: Small businesses should examine their entire operation, but larger organizations may need to narrow their scope and focus on specific business units or functions (e.g., payment processing).

Step 2: Assess the risk to each system

Now that you’ve identified your information systems, it’s time to think through how they are accessed, and where a threat exists.

Ask yourself the following questions for each item on your list:

  • How is the system accessed?
    • Is it available online, or is it software that must be accessed through a company portal?
    • Is it connected to other third-party apps? (e.g., your credit card processor is likely connected to your website)
  • Who has access?
    • Are there multiple users, or do several people share access through a single login?
    • Do any outside vendors have access to the system?
    • Can anyone in the company access the information/files, or do different users have different permission levels?
  • How are passwords stored or shared?
  • Do any security measures exist, such as a VPN, firewall or two-factor authentication?
  • Are there backups of the information?
    • If so, where are they stored, and who has access?
  • What type of information is stored that could present a risk? Do any systems store personal information such as:
    • Social security numbers of employees or clients
    • Birthdays of employees or clients
    • Credit card information
    • Bank account information for ACH transfers/payroll

Step 3: Consider the threats

Now it’s time to consider the threats to each of your systems. Many companies tend to focus on external threats, but a study by Verizon found that a third of data breaches are caused by internal actors. 

Internal threats, whether accidental or intentional, may have the same devastating impact on a business.  A comprehensive risk assessment should identify all risks to a business, both internal and external.

External threats include:

  • Ransomware
  • Malware
  • Viruses
  • Phishing

Internal threats include:

  • Human error
  • Employees accessing information through insecure devices (e.g., personal computers or mobile phones)
  • Data theft

Don’t forget the risk of a natural disaster or structural failure – if your building burned down, could you continue to operate? 

Step 4: Prioritize your response

By now you should have a comprehensive picture of your information systems, and the threats that exist. This allows you to take steps to protect yourself. 

In an ideal world, you would secure everything immediately, but the reality is your budget may require a phased approach, so it’s important to prioritize the biggest threats. For each threat, ask:

  1. What is the likelihood of the threat?
     An attack on your website could be very likely, while a natural disaster is less likely.
  2. What is the severity of the threat, its impact and its cost?
     If your clients’ credit card information is compromised, what will it cost you to address the breach? Be sure to include the impact to your reputation, as well as potential fines or lawsuits.
  3. How effective is the control?
     If you require employees to use a VPN to access company systems, will that contain the risk?

Step 5: Review annually

As your business evolves, it’s highly likely that you’ll add, or upgrade, the systems you use. Your team will change, and as we’ve found with the COVID pandemic, work habits will change. 

All of these factors make it important to document your risk assessment, and review it annually to adapt to changes in your organization.
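The five steps above carried through in code, as an added example that is not from the article or from Luminary ACE: a small Python risk register that records the Step 1 inventory and the Step 2 access answers, scores each system against the Step 3 threats, and produces the Step 4 priority order, including a "what if we add this control?" re-score. The 1-5 scales, the scoring weights and the sample systems are my own constructed assumptions, not figures from the article.

```python
"""Risk register for the five-step assessment. Added example; the scoring
rules (1-5 likelihood and impact, control effectiveness as a 0-1 fraction,
residual = likelihood x impact x (1 - effectiveness)) are assumptions."""
from dataclasses import dataclass, replace

# Threat categories from Step 3.
EXTERNAL = {"ransomware", "malware", "phishing"}
INTERNAL = {"human error", "insecure personal device", "data theft"}
PHYSICAL = {"natural disaster"}
ALL_THREATS = sorted(EXTERNAL | INTERNAL | PHYSICAL)

# Data types Step 2 flags as presenting a risk.
SENSITIVE_DATA = {"ssn", "birthdate", "credit_card", "bank_account"}


@dataclass(frozen=True)
class System:
    """One Step 1 inventory entry with its Step 2 answers recorded."""
    name: str
    internet_facing: bool   # reachable online, not only via a company portal
    shared_login: bool      # several people share one account
    vendor_access: bool     # an outside vendor can reach the system
    mfa: bool               # two-factor authentication enforced
    vpn_required: bool      # access only over the company VPN
    backups: bool           # backups exist
    data_types: frozenset   # kinds of data stored, e.g. {"ssn"}


@dataclass
class Risk:
    system: str
    threat: str
    likelihood: int         # 1 (rare) .. 5 (almost certain)
    impact: int             # 1 (minor) .. 5 (severe)
    effectiveness: float    # 0.0 (no control) .. 1.0 (control contains the risk)

    @property
    def residual(self) -> float:
        """Step 4: likelihood x impact, discounted by how well controls work."""
        return round(self.likelihood * self.impact * (1 - self.effectiveness), 2)


def likelihood(s: System, threat: str) -> int:
    """Assumed mapping from the Step 2 access answers to a 1-5 score."""
    score = 1
    if threat in EXTERNAL:
        if s.internet_facing:
            score += 2          # exposed directly to the internet
        if not s.mfa:
            score += 1          # a stolen password works on its own
    elif threat in INTERNAL:
        if s.shared_login:
            score += 2          # no accountability for who did what
        if s.vendor_access:
            score += 1          # more hands on the system
    return min(score, 5)        # natural disaster stays at the baseline 1


def impact(s: System, threat: str) -> int:
    """Assumed 1-5 impact: fines, lawsuits and reputation weigh the most."""
    score = 2
    if s.data_types & SENSITIVE_DATA:
        score += 2              # regulated personal or financial data exposed
    if threat in {"ransomware", "natural disaster"} and not s.backups:
        score += 1              # loss of availability with no way back
    return min(score, 5)


def effectiveness(s: System, threat: str) -> float:
    """How far existing controls contain this threat (assumed weights);
    capped below 1.0 because no single control removes a risk entirely."""
    e = 0.0
    if threat in EXTERNAL:
        e += 0.4 if s.mfa else 0.0
        e += 0.2 if s.vpn_required else 0.0
    if threat in INTERNAL and not s.shared_login:
        e += 0.3                # named logins make misuse attributable
    if threat in {"ransomware", "natural disaster"} and s.backups:
        e += 0.5                # restore instead of paying or rebuilding
    return min(e, 0.9)


def build_register(systems) -> list:
    """Score every system against every threat; highest residual risk first."""
    register = [Risk(s.name, t, likelihood(s, t), impact(s, t), effectiveness(s, t))
                for s in systems for t in ALL_THREATS]
    return sorted(register, key=lambda r: (-r.residual, r.system, r.threat))


def what_if(s: System, **control_changes) -> System:
    """Step 4, question 3: re-score after a proposed control, e.g. what_if(s, mfa=True)."""
    return replace(s, **control_changes)


# Constructed sample inventory; not real systems.
SAMPLE_SYSTEMS = [
    System("website", True, False, True, False, False, True, frozenset({"credit_card"})),
    System("payroll", True, True, False, False, False, True, frozenset({"ssn", "bank_account"})),
    System("file server", False, False, False, False, True, False, frozenset()),
]

if __name__ == "__main__":
    for r in build_register(SAMPLE_SYSTEMS)[:5]:
        print(f"{r.residual:5.1f}  {r.system:<12} {r.threat}")
    fixed = what_if(SAMPLE_SYSTEMS[1], mfa=True, shared_login=False)
    print("payroll top risk after MFA and named logins:", build_register([fixed])[0].residual)
```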

At Luminary ACE, we believe every business – no matter how big or small – should be protected against cyber threats. That’s why we offer cost-effective strategies to operate in a secure, and efficient manner. Contact us today for a free consultation to find out if we’re the right choice for you.  

Cybersecurity: A Problem too Big for Small Businesses to Ignore

It seems like every day there is a new story of a data breach or cyber-attack reported in the news. As more and more of our activities take place online, the cybersecurity threat increases.

Despite this, few small businesses take steps to protect their systems and information from cyber-attacks. In fact, studies show that 54% of small businesses believe hackers aren’t interested in their company because it’s “too small.” If you happen to fall into that category, consider these facts:

  • 43% of cyber-attacks target small businesses
  • 60% of those companies don’t recover and go out of business.

Yes, you read that correctly. More than half of small businesses that suffer from a cyber-attack will close.

If that’s not enough to spur you into action, chew on this. The risks of insecure information include:

  • Loss of revenue
  • Loss of customers
  • Loss of productivity
  • Loss of contracts
  • Financial penalties
  • Lawsuits

So what can you do?

The first step is gaining an awareness of the cyber-threats you face, in order to protect against them.

Top 3 Cyber Threats to Small Businesses

#1 Ransomware

I am sure by now everyone is familiar with ransomware. It is a specific type of malware that encrypts a victim’s files and makes the device where they are stored inoperable. Once the malware is on your system, the attacker demands a ransom from the victim to restore access to the encrypted files. The most recent and largest-known attack occurred just last week on U.S. energy infrastructure, Colonial Pipeline.

Anyone with a computer connected to the internet is a potential target, as is anyone with important data stored on their computer or network.

Ransomware can be disastrous for a small business. Without access to systems and data, business operations will be severely limited. Paying the ransom does not always guarantee that the files will be restored. Recovery can be both time-consuming and costly.

#2 Phishing attacks

The most common method of attack, phishing, is the fraudulent attempt to steal sensitive information, such as passwords, credit card numbers, or other personal details by pretending to be a trusted source. Since the onset of the pandemic, there has been a 600% increase in phishing. 

There are several types of phishing, but the most common is email phishing, which can be either random or targeted at certain people or divisions within an organization.

An attacker will send a spoofed email, designed to appear to come from a legitimate source, such as a supplier or someone inside your organization. The email will request that the intended target disclose sensitive information, such as credentials, bank account information, etc.

#3 Remote Workers

The increase in remote workers has also increased the threat of cyber-attacks, as workers use home networks and personal devices that may be vulnerable.

This is a sneaky threat, because even if you have taken steps to secure your systems, if one of your employees uses an unsecured cell phone to access company information, it could compromise your company.

Why Small Businesses are Targeted

Cyber criminals have learned that small businesses are less likely to have strong security measures implemented. Criminals go after weaker targets because it will yield results with minimal effort.

Hackers may also use small businesses as an attack vector to target a much larger company. While large companies have the resources to defend against a cyber-attack, they may inadvertently be compromised because of an attack on an insecure small business in their supply chain. This is just one of the reasons for the DoD’s new CMMC requirement for federal contractors.

At Luminary ACE, we understand that cybersecurity is a challenge for small businesses. Beyond the expense of implementing security measures, it may feel onerous to go through the steps required to keep information secure. Yet, when done right, cybersecurity can increase productivity, enhance product integrity, and improve the customer’s experience. 

If you’d like to understand what a cybersecurity plan would look like for your business, contact us today for a free consultation.