It is interesting how you can sometimes observe random things that was created as a way to entertain a person and quickly discover that it can also be very relevant to the events of the world. Take movies, for example. Movies are made to entertain by transporting us temporarily from the mundane events of our lives and allows us to laugh, cry, or scare until the credits roll and it is back to the real world. It is at these moments after the curtain falls that you get a chance to reflect on what you just watched and realize sometimes art can imitate life, even when, on the surface, it may not appear to.

One movie that comes to mind that reflects this idea is from the late 70’s, When a Stranger Calls. If you are not familiar with the film, it’s a horror movie about a girl, played by Carole Kane, who is babysitting a couple of kids who you ironically never see because they are supposed to be in their rooms, asleep. Five minutes into the film she starts getting very haunting phone calls from a man who clearly has ill intentions that says, “Have you checked the children”. Feeling distraught and unnerved by these calls, she eventually dials the police who tell her if she gets another phone call, keep him on the line and they will trace it. Throughout the scene, it is clear the sitter is shaken and nervous but still finds some solace in knowing she is safe and secure inside the house. The big reveal comes after the sitter gets another call from the stranger and after keeping him on phone long enough, she quickly receives a call back from the police who reveal that they traced the call and exclaim with urgency, “the call is from inside the house!”  You can’t help but be glued to the screen with shock, your jaws hanging open as you realize just as the sitters has that the stranger has been inside the house the entire time. It’s then a slow creaking sound of an upstairs door echoes through the house as it opens, the door of the children’s bedroom. A dark shadow comes into view as the sitter frantically tries to get out of the house. There’s a tremendous scream as she desperately tries to escape through the front door and then scene ends.

It is these types of scenes that are prime examples of art imitating life, not necessarily in the literal sense but metaphonically. If you have read the news lately you may have noticed that public utilities’ water systems are being targeted at an alarming rate. Foreign hacker groups from across the globe are relentlessly using every trick at their disposal to launch attacks on unsuspecting utilities, in hopes of taking control of their systems and demand some kind of ransom or to do nothing more than cause chaos. It is a harsh new reality we face in our now heavily connected world. One of the greatest inventions of the 20^th century, the Internet, a medium that has allowed for such tremendous advances in how we live our lives has also opened our world to more threats than ever before.

Malicious hackers are viciously attacking public utilities, searching for that one point of weakness allowing them undetected access to SCADA systems. The most recent incident, as reported by U.S. Cybersecurity and Infrastructure Security Agency or CISA, Iranian hackers targeted a utility in western Pennsylvania, taking full control of a booster station by simply exploiting lax security protocols. More specifically weak passwords and the fact the booster station was accessible from the public internet.

We are a very socially connected society and have become completely dependent upon the Internet to access data, communicate, and conduct business. It is virtually impossible to thrive without it, especially after the recent pandemic where millions discovered, with the Internet, working remotely was just as efficient as being in an office. Public utilities also discovered the same. If their systems took advantage of the Internet, they could avoid unnecessary truck rolls, saving a tremendous amount of money. They could monitor their systems from anywhere, as long as they had access to the Internet and, today, there are very few places where that is not the case.

Ironically though the downside of making a job easier also allows the same for hackers, especially if improper security measures are in place. Things like weak passwords on all mission critical assets and logins, not requiring a secure VPN to access those systems, or not taking advantage of 2 factor authentication.

Enforcing a strong password standard is one of the simplest security measures to implement. Having a weak or lax passwords is like locking your front door but leaving the keys in the lock. Avoid using common dictionary words like “password” or not changing the default passwords set by OEM’s which is easily discoverable with a simple Internet search. Instead, use random characters with a combination of upper- and lower-case letters, special symbols, and numbers. Also, the longer the password, the more difficult it is to break.

VPNs are another good security standard to enforce for accessing systems connecting to critical infrastructure. The use of a VPN’s or Virtual Private Networks can prevent deciphering any data due to the high levels of encryption used. Also, a VPN will allow technicians to access field assets remotely, preventing those unnecessary truck rolls.

To further secure your systems from unauthorized access, include 2 factor authentication. This is a security measure to add yet another layer of prevention, requiring a randomly generated and time sensitive code sent through text or email which needs to be entered before access is allowed or the approval could come through an app on a user’s cell phone.

The suggestions we talk about here are really meant to inform, not to scare but perhaps they should. Network security needs to be discussed regularly as hackers are constantly coming up with new ways to infiltrate a system every day, requiring nearly constant changes to keep those systems secure. Hackers are not looking for a challenge, preferring those easy targets that have little to no security or feel overly confident that what they already have in place is adequate. It’s like the babysitter in the movie. Despite the threat, she still felt secure inside the house, locking the doors and believing the strange caller was somewhere outside the walls but is later shocked to learn her safety was compromised all along. The stranger was already inside. The same can be said about insecure or inadequate security measures.  Just because you feel safe and secure behind those locked doors, believing you didn’t leave the keys in the lock for whoever might be lurking outside, you may find yourself just as shocked to discover later that the call was always from inside the house.

Matt Crites

Senior Sales Engineer