Case Study: Small Town Light & Water Department

Background

A public utility in a small municipality found itself in an unusual and potentially compromising situation. The Internet Service Provider (ISP) that served the entire community also controlled key parts of the utility's network infrastructure. This case study describes how our team addressed the utility's cybersecurity challenges through a thorough security assessment while balancing the technical and political complexities of that dependency.

The Challenge

The primary challenge was twofold:

  1. Assess and improve the overall cybersecurity posture of the small town Light & Water Department.
  2. Navigate a political landscape in which the utility's ISP had significant influence over its infrastructure, creating dependencies that were themselves a security concern.

Our Approach

Our team conducted a thorough security assessment, which included:

  • Internal and External Network Scanning: We examined open ports and known vulnerabilities on both the internal network and the public-facing network.
  • Firewall Assessment: Because the utility had only limited access to its firewall configuration, this part of the assessment required creative problem-solving and indirect methods (for example, inferring the effective rule set from what the external and internal scans could and could not reach).
  • Email Security Review: We analyzed their email systems, including subdomains, checking for best practices, multi-factor authentication (MFA) enforcement, password policies, and sender-authentication DNS records.
  • Endpoint Review: We validated their Endpoint Detection and Response (EDR) solution and reviewed patch management lifecycles.
  • Access Control Audit: A review of user access revealed the use of shared credentials, which posed significant security risks.
  • SCADA and ICS Review: Given the critical role of SCADA (Supervisory Control and Data Acquisition) systems in utility operations, we verified that these systems were isolated and secured from potential threats.
  • On-site Deployment: We visited the location and deployed Cylance, an endpoint protection agent, on key workstations to monitor for any ongoing or potential threats.

Key Findings

The security assessment revealed several areas for improvement:

  1. Email Security Gaps: The absence of MFA, insufficient password complexity, and the lack of email sender-authentication records (SPF, DKIM, and DMARC) left the utility's domain exposed to credential theft and spoofing.
  2. Firewall Control Issues: The utility did not have access to its firewall configuration and relied solely on the ISP for adjustments, which limited its ability to respond quickly to threats.
  3. Shared Credentials: The use of a single username and password across multiple users increased the risk of unauthorized access.
  4. Wi-Fi Concerns: Although the Wi-Fi network was separate from critical systems, there were questions about whether it was sufficiently segmented from the main office network.
  5. SCADA Security: Encouragingly, the SCADA system was well-secured, with no public access and individualized device accounts.

Solutions

The security assessment identified several key areas for improvement, and we implemented the following solutions:

  1. Email Security Gaps: We addressed the vulnerabilities by enabling Multi-Factor Authentication (MFA), enforcing stronger password complexity, and publishing SPF, DKIM, and DMARC records so that receiving mail servers can reject messages spoofing the utility's domain.
  2. Firewall Control Issues: To allow for better control, we worked with the utility to regain access to the firewall configuration, enabling them to make real-time adjustments and respond quickly to potential threats.
  3. Shared Credentials: We eliminated the use of shared usernames and passwords, replacing them with individual accounts secured by unique, complex passwords, significantly reducing the risk of unauthorized access.
  4. Wi-Fi Concerns: We ensured proper segmentation between the Wi-Fi and the main office network and secured the Wi-Fi with current encryption, so that a compromised wireless client cannot reach office systems.
  5. SCADA Security: While the SCADA system was already well-secured, we reinforced it by confirming that each device had its own account and that strong access controls were maintained.

Recommendations

Utilities like the Small Town Light & Water Department often face unique cybersecurity challenges due to their critical infrastructure and limited resources. Here are a few takeaways from this case that can benefit similar organizations:

  1. The Importance of Email Security: Utilities, like all organizations, are targets for phishing and credential theft. Enforcing MFA, strong password policies, and sender-authentication records (SPF, DKIM, and DMARC with an enforcing policy) mitigates these risks.
  2. Control Over Critical Infrastructure: Utilities must have direct access to and control over their network devices, including firewalls, to respond quickly to security threats. Delegating this control to a third party introduces delays and blind spots.
  3. Eliminating Shared Credentials: Shared logins make it impossible to attribute actions to a person and cannot be revoked for one user without disrupting the rest. Each user should have an individual account with a unique, strong password.
  4. Segmentation of Networks: Separating less trusted systems (e.g., guest Wi-Fi) from critical infrastructure networks prevents inadvertent cross-network communication that could expose vulnerable systems.
  5. Ongoing Security Assessments: Regular reviews of cybersecurity practices and policies are essential to maintain a strong security posture and adapt to evolving threats.
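The email findings above (no SPF, DKIM or DMARC) and the corresponding remediation are easy to verify from DNS alone. The script below is an added example, not BitLyft's tooling or anything from the engagement: it evaluates SPF, DMARC and DKIM TXT records the way an assessor would, flagging missing records and weak settings such as `+all` or `p=none`. All domain names and records are constructed for illustration (the `.example` names and the truncated DKIM key are placeholders), and the `lookup()` stub stands in for a real DNS resolver.

```python
"""Offline SPF / DKIM / DMARC posture check (added example, not from the original case study).

The ZONE dictionary is constructed sample data. To run against real domains,
replace lookup() with a DNS TXT query (e.g. dnspython: dns.resolver.resolve(name, "TXT")).
"""
import re

# Constructed zone data (assumed names, not real domains):
#   before.example -> resembles the "before" finding: no SPF, DKIM or DMARC at all
#   after.example  -> resembles the remediated state: enforcing SPF, DKIM key, DMARC p=reject
#   weak.example   -> records exist but are permissive (+all, p=none, no reporting)
ZONE = {
    "before.example": [],
    "after.example": ["v=spf1 mx ip4:203.0.113.10 -all"],
    "_dmarc.after.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@after.example; adkim=s; aspf=s"],
    "mail._domainkey.after.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq..."],  # truncated placeholder key
    "weak.example": ["v=spf1 a mx +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

# Mechanisms that cost a DNS lookup; RFC 7208 limits a record to 10 of them.
DNS_MECH = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:/=]|$)", re.I)
ALL_MECH = re.compile(r"^[+\-~?]?all$", re.I)


def lookup(name):
    """Stand-in for a DNS TXT query; returns the list of TXT strings at `name`."""
    return ZONE.get(name, [])


def parse_tags(record):
    """Parse DMARC/DKIM 'k=v; k2=v2' tag lists into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain):
    recs = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not recs:
        return [f"SPF: no v=spf1 record; any host can claim to send as {domain}"]
    if len(recs) > 1:
        return ["SPF: multiple v=spf1 records; receivers treat this as a permanent error"]
    issues = []
    mechanisms = recs[0].split()[1:]
    all_term = next((t for t in mechanisms if ALL_MECH.match(t)), None)
    if all_term is None:
        issues.append("SPF: no 'all' mechanism; unlisted senders evaluate as neutral")
    elif all_term.startswith("+") or all_term.lower() == "all":
        issues.append("SPF: '+all' authorizes every host on the internet")
    elif all_term.startswith("~"):
        issues.append("SPF: '~all' (softfail); move to '-all' once all senders are enumerated")
    if sum(1 for t in mechanisms if DNS_MECH.match(t)) > 10:
        issues.append("SPF: more than 10 DNS-querying mechanisms (permerror)")
    return issues


def check_dmarc(domain):
    recs = [r for r in lookup("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["DMARC: no _dmarc record; receivers are never told to reject spoofed mail"]
    tags = parse_tags(recs[0])
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"DMARC: p={policy or 'missing'} only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("DMARC: no rua= address; aggregate reports are being discarded")
    if tags.get("pct", "100") != "100":
        issues.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail stream")
    return issues


def check_dkim(domain, selectors=("mail", "default", "selector1", "google")):
    """DKIM selectors are not discoverable; probe a few common names (assumed list)."""
    for selector in selectors:
        recs = [r for r in lookup(f"{selector}._domainkey.{domain}") if "p=" in r]
        if recs:
            if not parse_tags(recs[0]).get("p"):
                return [f"DKIM: selector {selector} has an empty p= tag (revoked key)"]
            return []
    return ["DKIM: no public key found under the tested selectors; confirm the mail provider's selector"]


def assess(domain):
    """Return the full list of email-authentication findings for `domain`."""
    return check_spf(domain) + check_dmarc(domain) + check_dkim(domain)


if __name__ == "__main__":
    for d in ("before.example", "weak.example", "after.example"):
        print(d, "->", assess(d) or ["no findings"])
```

The check deliberately treats `~all` and `p=none` as findings rather than passes: both are legitimate rollout stages, but a domain that stays there indefinitely is still spoofable, which is the state the assessment found.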

Challenges and Outcomes

The project faced several unique challenges:

  • Political Sensitivity: The relationship between the utility and its ISP required careful and diplomatic handling.
  • Limited Access: The inability to read the firewall configuration prevented a complete assessment of the network's perimeter controls.

Despite these challenges, our team completed the security assessment and gave the Small Town Light & Water Department a clear picture of its cybersecurity posture along with actionable recommendations for improvement.

Conclusion

This case study highlights the interplay between technology, politics, and security in small-town utilities, and underscores the importance of ongoing cybersecurity vigilance in utilities of all sizes.

Jason Miller

Jason Miller, Founder and CEO of BitLyft Cybersecurity, has dedicated his 20-year IT career, including co-founding SaaS pioneer Reviora, to removing cybersecurity barriers for mid-sized enterprises. Establishing BitLyft in 2016, Jason set out to unburden security teams with innovative, approachable, and affordable solutions, a vision which has made BitLyft a respected managed detection and response provider. Outside his cybersecurity pursuits, Jason is an avid tree farmer and outdoor enthusiast, planting nearly 300 trees on his ten-acre plot and finding joy in hiking, and hunting. His diverse passions mirror the balanced blend of expertise, dedication, and joy he brings to BitLyft.
