Imagine being a manager responsible for delivering the most basic necessities of life to an entire town or village full of people, many of whom you know personally. Now imagine that you have been given neither the funds nor the mandate required to ensure that very capable criminals or state-sponsored adversaries can’t break in over the Internet and disrupt or corrupt those essential services you’re supposed to be providing. It’s a thankless battle that seems futile and frustrating.
This is what seems to be happening in thousands of small utilities all over North America.
Almost half of utilities surveyed had little or no security awareness training for staff
In a recent episode of the Shared Security Show, we highlighted a report by the Water Sector Coordinating Council that was published in June 2021. The report was cited by journalist Brian Krebs in an article called “How safe is your drinking water supply?”, in which he noted that there seems to be a large gap in cyber security maturity among the 52,000 water utilities in the US. In 42% of the organizations surveyed in the report, there was no cyber security awareness training program for the utilities’ staff.
With over 90% of all security breaches now involving employees, most often via phishing or social engineering attacks, there is a very high likelihood that these utilities are at risk of suffering a major security incident. An attacker who knows that a utility has very little visibility into the security controls governing its “operational technology” (OT) networks, which directly control the distribution of water, electricity or gas, will have a range of opportunities to launch a phishing or social engineering attack on employees, with potentially devastating consequences.
What should be done in the long term and the short term to strengthen these utilities?
The cyber security programs in many of these utilities require a complete, top-down review, which should result in new policies and new security technologies. Analyzing requirements and authorizing new controls will take time.
However, the easiest way to begin addressing the critical gaps in their programs is with a foundational awareness training program. The employees in these utilities will need immediate training on how to spot and avoid phishing attacks that may trigger malware infections, and how to recognize a social engineering attack that could disrupt systems and services.
Here’s how Click Armor aims to help small utilities facing cyber threats
We don’t want to let the governments or businesses responsible for oversight of these critical services off the hook for taking immediate action as a result of this alarming report. However, Click Armor does want to help the managers on the front lines who need to shore up their defenses in the short term, until a systematic overhaul of these critical infrastructure service organizations can be done.
Typically, the smallest municipalities will have the hardest time pulling together the resources to do a full security review and take immediate action. We noted during the Shared Security Show episode that an estimated 40,000 of these utilities serve communities of 3,300 people or fewer.
So Click Armor is offering to help utilities that serve communities of fewer than 10,000 people by providing access to our gamified phishing and social engineering course content. Providing this kind of training to the staff of small utilities may be the most vital defensive measure available in the short term for averting a catastrophe that could affect thousands of citizens when their local community is hit with a cyber attack.
Here is the process for taking advantage of this offer from Click Armor:
1) Submit a request with your organization’s location, size and contact information at: http://www.clickarmor.ca/contact
2) We will be in touch within 1 business day to confirm your information.
3) Your team will receive email invitations to our Community Utilities Cyber Awareness Program, where they can immediately access our gamified phishing awareness training course, which has been shown to improve employee proficiency in spotting phishing messages by 50%.
4) We will provide options for you to obtain participation and proficiency reporting for your staff.
If you operate a small utility that urgently needs cyber security awareness training, please submit a request now for your staff to access our Community Utilities Cyber Awareness Program at: http://www.clickarmor.ca/contact