The rise of automation in operations poses high-security risks to organizations in the water sector. A large number of cyber-attacks towards water sector companies involved both outsider and insider threats. Outsider threats are external attacks towards internal systems through misconfigurations, unauthorized access, and vulnerabilities on devices that are caused by unpatched, outdated or unsupported software, especially towards SCADA systems. Meanwhile, insider threats happened frequently, not just through negligence such as accidental data breaches, but also ones with malicious intent. For example, a disgruntled ex-employee or bribed current employee plugged in an unauthorized USB and infect the machinery with ransomware, or install malicious software in a trusted host, creating a backdoor that allows external threats to connect to the internal network.
INDUSTRY
Water Sector
Risks
- Vulnerable SCADA systems
- Misconfigurations
- Unauthorized access
- Insider threats
The Study
OUR
CUSTOMER CHALLENGE
Organizations handling water treatment plant facilities in Malaysia and Singapore are aware of the increasing cyber security risks and decided to enlist the help of YNY Technology industrial cyber security experts to assess their security posture. As the clients are experts in the water sector, yet being new to industrial cybersecurity, YNY Technology is trusted to assist them in understanding and adhering to security standards, such as the ISO 27001 standard in Malaysia and the CSA Cyber Security Code of Practice (CCoP) in Singapore.
OUR
SOLUTION
YNY Technology provided a comprehensive security assessment on the assets and systems to ensure an appropriate, security-by-design management system with optimum maintenance and protection implemented as per ICS security standards to enhance current ICS protection. The operational technology and processes are also assessed for OT security according to the latest standards, and improvements were suggested where needed. Lastly, a customized security programme with approach and training were formed specifically for the client to ensure the correct approach for continuous protection, inclusive of prevention and mitigation from all possible incidents, and also ensuring the effectiveness of the cyber security controls that are put in place.
THE
RESULT
These result in the clients passing their security audits successfully, proving they are capable of adhering to the industrial security standards, making them more secure in return and ensuring their credibility to their consumers. They were able to identify ICS security risks and vulnerable OT devices, remediate the situation at once and test the effectiveness of the security standards implementation. The security engineers were also trained and now are able to respond to ICS threats and incidents immediately. Their success in hardening their security posture proved both their awareness of the need for security in their operations and for YNY Technology, that our consultation had helped, and will continue so, in making organizations more secure.