Ransomware: Paying the Price for Poor Cybersecurity?

Ransomware: Paying the Price for Poor Cyber-Security?

In our extensive series on cybersecurity in the water utility sector, we explored many of the ways that organizations can help harden their infrastructure and computing resources against intrusion. But there are still many threats that have the potential to disrupt critical services. One “prevalent and increasing threat”, according to the FBI, is the use of ransomware to target victims from small businesses up to large organizations.

A Clear and Present Motive

Cyberterrorists might seek to damage utilities for the sake of chaos and to create a human health crisis. A disgruntled ex-employee might want to do harm for simple revenge. But cybercriminals who specialize in using ransomware are much more pragmatic. Their goal is to extract as much money from a target as they can without running a high risk of getting caught or having their demands denied.

Why Are These Criminals Thriving?

There are a number of reasons it is simple for IT “kidnappers” to continue their practice of holding data and systems hostage. First, the technology that makes this possible is easy to come by. There are any number of readily available subscription software packages such as CryptoWall or TorrentLocker that can be deployed to lock authorized users out of their own PCs. Some ransomware is also designed to lock down servers as well, allowing criminals to target entire networks.

The risk of getting caught is fairly low for a savvy cybercriminal. Unfortunately, many of these criminal organizations are located in Eastern Europe and other places that can’t be touched by United States law enforcement. They often demand the ransom to be made in BitCoin so that even tracing where the money goes is difficult.

The Problem Is Growing

The FBI points out that one of the main reasons criminals keep using ransomware is because victims keep paying ransoms. In 2015, targets of such attacks reported $24 million in losses. That’s likely just the tip of the iceberg since many organizations don’t want to report or otherwise publicize security breaches. The attacks are likely to continue or escalate as cybercriminals re-invest their ill-gotten gains in developing better ransomware.

Big Industries Make Tempting Targets

Financial services and healthcare are two sectors that have been targeted recently for specialized ransomware attacks. These victims tend to have deep pockets and can’t afford to have any interruption in their business processes. But criminals are always looking for more victims who have a strong motivation to pay up to prevent disaster. What can organizations do to make themselves an unappetizing target?

First, it’s important to use up-to-date anti-malware software to detect and block suspicious activity. Keeping current data backups on isolated media is another important step in protecting an organization from being held hostage. Finally, the FBI cautions against ever paying a ransom so that criminals will learn that it isn’t worth the time and effort to continue holding computer resources for ransom. For a water utility, the steps taken to isolate critical infrastructure should definitely include a plan to keep things running even if there is an attempted ransomware attack.

Shared Employment Equals Shared Responsibility Under OSHA

Temporary employment agencies have been supplying labor to organizations across California for many decades. In recent years, PEOs (Professional Employer Organizations) have also become popular. While temp agencies focus on meeting short term labor needs, PEOs offer traditional businesses a way to outsource the management of their human capital. However, OSHA compliance requirements are similar for both—and these responsibilities reach farther than most people assume.

Primary Employers and Host Employers Must Ensure Worker Safety

The agency or organization supplying workers to a host employer is considered the primary employer and has a number of significant responsibilities. They must notify employees of their rights regarding workplace safety. This includes letting workers know that they can, without penalty, request to be reassigned if they are asked to perform work that they reasonably believe to be dangerous.

In addition, primary employers are responsible for periodic inspections of the host employer’s work site to evaluate conditions. They should also review the Injury and Illness Prevention Program (IIPP) along with training and PPE to ensure these are adequate. Unfortunately, this mandate from Cal/OSHA assumes that PEOs and temp agencies are equipped to correctly evaluate a variety of worksites that may present an array of complex and changing hazards.

What Can Primary Employers Do?

It is clear that handling workforce administration from a remote office does not release a primary employer from responsibility for what happens on the work site. OSHA has demonstrated that the administration is more than willing to hold co-employers liable for penalties in the event of workplace injury. Cal/OSHA recommends that primary employers work closely with host employers to identify risks, put controls in place, and monitor safety on an ongoing basis. If an accident does occur, both co-employers are responsible for reporting to OSHA, investigating the accident, and ensuring measures are put in place to prevent a similar incident in the future. See the attached educational materials for additional recommendations.

Having More Eyes on Safety Can Be a Good Thing

Don’t let the old saying, “When everyone is responsible, no one is responsible” be true when it comes to co-employment. Instead, let shared responsibility exponentially increase safety for every employee. For PEOs and temp agencies that are concerned with worker well-being, it’s wise to partner with the host employer to bring in a third party to review the IIPP, training program, and PPE. Being proactive in creating a safer workplace demonstrates a good faith effort to comply with OSHA’s requirements and can significantly improve safety of workers on site.


The Daily Grind Turns Tragic without LOTO

Just a few months ago, a California worker suffered a serious injury at a meat processing plant in San Luis Obispo. The employee (a temp worker provided to Vitco Meats by Volt Workforce Solutions) was pulled into a meat grinder while trying to clear a jam in the equipment. When he reached inside to remove beef stuck in the hopper, the machine’s paddles began to rotate, pulling his hand and arm into the grinder. The worker suffered a crushed hand and broken arm. If the machinery had continued to rotate, the outcome would likely have been fatal within seconds.

How Did This Accident Happen?

The equipment was not powered down prior to the attempted cleaning. According to the Cal/OSHA investigation, Vitco Meats did not have protocols in place to ensure that workers disengaged and locked out the machinery before servicing. Employees were apparently untrained in this important safety procedure, and the equipment itself was not equipped with an appropriate interlock device for LOTO.

Consequences Hit Both Co-Employers

The meat processing plant and the employment agency were both found to be at fault by Cal/OSHA for this incident. Vitco Meats was issued with nine citations and penalties totaling almost $64,000. Volt Workforce Solutions has also been cited for serious, regulatory, and general citations for a total of $10,600 in fines. In the eyes of OSHA, the temp staffing agency failed to ensure that their client (Vitco) had an appropriate illness and injury program and safety training in place.

Injury Prevention Requires Attention to All the Details

Lockout procedures are designed to ensure that equipment is completely powered down, moving parts are blocked, stored energy is released, and the equipment can’t be turned back on until it is safe to do so. According to a statement issued by California’s Department of Industrial Relations regarding the meat grinder accident, “Failure to develop and follow lockout / tagout procedures before working on machinery is one of the major causes of serious injury and death in California.”

When cleaning or servicing a piece of equipment has the potential to expose a worker to moving parts or any form of hazardous energy, LOTO should be part of the standard routine. Contact DKF Solutions at dpatzer@dkfsolutions.com to review your LOTO procedures and ensure that all your workers (including temporary staff) are following appropriate safety procedures.

DKF Solutions Group has also developed a mobile app to make creating equipment-specific LOTO procedures easy and affordable. Take a look for at the video below for an overview of the SMART Procedures app. Go to smartprocedures.dkfsolutions.com to sign up for a free trial.

Cybersecurity: Water Utility Security Part 9

In this final post on cybersecurity in the water utilities industry, we’ll look at remaining areas of interest that center around information and communication. It’s evident by this point that lack of knowledge is one of the greatest threats to infrastructure security. The more awareness an organization has, the simpler it is to take the necessary steps to create an environment that is resistant to cyber threats.


Who needs to be educated about security practices, policies, and procedures? Internal employees are at the core of any training program. But clients and service providers shouldn’t be overlooked. Any third party that is involved with PCS systems or other vital technology should be aware of potential risks. SLAs should include relevant certifications. As a whole, the water utility should participate in water sector programs that are designed to identify and implement best practices.

Here are a few of the other actions that the AWWA recommends in terms of education:

  • Regular testing of security procedures to evaluate security awareness and incident response
  • Cross-training for IT and PCS staff so knowledge is shared and potential gaps in security can be more readily found
  • Training for all staff to identify common risks and threats such as social engineering
  • Communications training (network & radio) for PCS technicians to ensure proper, secure communication and crisis response capability

Personnel Security

From hiring through termination—and even after—employees and contractors can hold the keys to cybersecurity for an organization. Ensuring that each worker has only the access level required to accomplish their assigned duties is an important aspect of personnel security. Network and facility access should be set up for immediate, automatic revocation upon termination so that no unauthorized individuals are able to infiltrate the system after leaving the organization.

Vetting prospective workers prior to hiring may help spot red flags and at-risk candidates. A formal (standardized) background check process should be implemented for each level of responsibility within the agency. All new hires should also be required to sign appropriately worded confidentiality and cybersecurity policies. Such policies should be reviewed and signed again annually by all workers.

That’s it for our Water Utility Cybersecurity series. We hope you have found this overview helpful. For more information on keeping your facilities and workers safe, contact DKF Solutions for a consultation.

OSHA’s Six Foot Fall Protection Rule Just Got Teeth

Fall protection continues to be an area of controversy between California’s DIOSH and federal OSHA regulators. When tougher protection rules were initially introduced decades ago, the goal was to reduce the risk of falls (still a common cause of death and severe injury in the construction sector). In 2010, Fed-OSHA got serious about enforcement, and many states began phasing in compliance over the next couple of years. But the changes were far from easy.

Safety Rules Didn’t Always Fit with “Business as Usual”

According to John Caulfield’s article for Builder Magazine: “The new (2010) rule now mandates that all employees working six feet or more above the ground must use ‘acceptable’ fall-protection equipment such as guardrails, safety nets, or personal fall-arrest systems that can include full-body harnesses and deceleration devices. Depending on the job, other forms of fall prevention might also be required, such as warning lines and safety monitor systems for steeper roofs.”

Unfortunately, many companies in the construction sector encountered substantial compliance challenges. The use of slide guards (a ubiquitous safety measure in the roofing industry) did not meet OSHA’s requirements for acceptable fall protection systems. Construction companies were faced with completing more paperwork to request exceptions to the ruling or with spending significant sums on fall protection equipment that might, in some cases, create additional tripping hazards on low-pitched roofs.

California Held Back on Switching to Federal Guidelines

As a leader in workplace safety, California initially stood apart from the controversy with its own well-tested fall-protection program. However, OSHA has now announced that it is taking a hard line approach that no longer recognizes Cal/OSHA’s fall protection rules as ‘at least as effective as’ (ALEA) those at the federal level. Fed-OSHA’s Deputy Director for the Directorate of Construction, Dean McKenzie, is seeking a firm commitment from California to adopt the six foot rule to replace the state’s own regulations.

At this time, California remains the sole holdout on this front among all the states. OSHA has indicated that pressure may be brought to bear to force a change. Proposed actions might include withholding funding and stepping in to enforce the six foot trigger rule on California worksites.

Strong Opinions Can’t Hold Back Change

Opponents of Fed-OSHA’s stance report that the proposed changes could have negative impacts on the construction industry. Compliance could prove both costly and impractical—and OSHA has provided little guidance as to how the rules could be realistically applied on a typical construction site. Dissenters advocate forcing Fed-OSHA to take on full oversight for enforcing these regulations (a massive undertaking given the size of California’s residential and commercial construction sectors).

Yet California’s OSHA board has indicated that the state will indeed move toward compliance. They are hoping for a reasonable amount of time to phase in the regulations, understand the economic impact, and seek room for exceptions. This process may take a couple of years. As always, DKF Solutions will be monitoring the situation to understand when our clients need to make changes to maintain compliance.

Cybersecurity: Water Utility Security Part 8

Our series on cybersecurity for critical water infrastructure now focuses on how to ensure ongoing operation based on vendor agreements, procedures, and workflows. While details like contract negotiation and employee policies might not seem like a strong line of defense, they can make a big difference in whether a utility will remain up and running in a crisis.

Service Level Agreements

Although process control systems should be designed to run independently when necessary, the day-to-day operation of a water utility typically involves quite a bit of third party infrastructure. As with the majority of organizations today, public utilities rely on a range of providers for telecommunications, internet connectivity, power, network capacity, data storage, and other resources. The contracts that govern factors such as availability (uptime), bandwidth, and technical support are referred to as Service Level Agreements (SLAs).

Selecting an appropriate level of support is important for a utility. For critical infrastructure, guaranteed uptime and a fast response time in the event of disruption may be two areas of particular concern. As the AWWA points out, the bandwidth required to run PCS equipment is often not high. But it must meet minimum requirements. SLAs should be negotiated with each contracted vendor based on how emergencies might impact process control systems and related infrastructure. Agreements with third party integrators and companies tasked with servicing the PCS equipment itself should also be reviewed to ensure that the utility is appropriately prioritized as a preferred customer when it comes to response times. Limiting the total number of external vendors involved may help simplify this process.

Operations Security

OPSEC, the formidable acronym for Operations Security, can cover almost any area of procedures and workflows in an organization. Limiting access to information is one important aspect of cybersecurity. For example, a utility might have a social media policy that prohibits workers from posting information about internal procedures online. Such policies should be in writing and the accompanying training might give examples of the types of postings that might seem innocent to employees but that could reveal potential vulnerabilities to hacker or parties interested in doing harm. Cybersecurity training should alert employees to suspicious behaviors—such as people fishing for information about security protocols or other protected information (social engineering).

Within the organization, OPSEC should also cover isolation of PCS functions from other business functions. This includes ensuring that the equipment’s interfaces are blocked from accessing the internet, email, and other remote systems—up to and including removable media. IT staff and other involved personnel should receive ongoing training in cybersecurity for PCS and water utilities in general to ensure best practices are kept up to date. As with all areas of security, change is inevitable.

In next month’s post, we’ll wrap up this series with a look at education and personnel security, since a water utility’s security is only as good as its employees. 

Shift Workers Face Increased Crash Risks

Although OSHA’s guidelines for safety and health don’t cover the commute home, employers would do well to consider ways they can assist workers who are at increased risk for accidents from drowsy driving. Getting behind the wheel while sleepy can impair reaction times and judgement in a way that’s comparable to being intoxicated or under the influence of drugs. Yet six out of ten Americans admit to driving drowsy each year (according to the National Sleep Foundation). More than one out of three admit to falling asleep while driving! Here’s a look at some of the troubling facts about this hidden danger.

How Big Is the Problem?

Car crashes caused by sleepy drivers are a persistent problem of incredible scope. The National Highway Traffic Safety Administration suggests that drowsy driving is the primary cause of more than 100,000 accidents reported to the police each year (the actual number is likely much higher). More than 1,550 people die in such accidents each year, and more than 71,000 are injured. The billions of dollars in losses calculated probably don’t take into account lost productivity for businesses whose employees are involved in these tragic accidents.

Which Workers Are at Risk?

Shift workers are at a six-fold greater risk of accidents from sleepy driving compared to the rest of the population. Night shifts, rotating shifts, and double shifts are all linked to a higher risk of drowsy driving crashes. Commercial drivers covering long distances and young males (18-25) are also at greater than average risk of nodding off at the wheel.

In a recent study, 16 participants were given a two-hour driving test in a real vehicle while an observer rode along. Drivers were also monitored using special glasses to track eye movements and blinking as well as EEG electrodes to measure microsleep episodes. After an eight hour sleep with no shift work, none of the participants had a near crash during the test. But after a night shift (and being awake for about 13 hours), the participants experienced much more lane drifting, slow eye movement, and microsleep. Almost half of the participants had to have their tests halted before completion due to near crashes.

What Can Employers Do to Help?

Encouraging workers to drink caffeine before their commute isn’t necessarily helpful in the long run since it can disrupt the ability of shift workers to get to sleep once they arrive home. However, encouraging workers to take a 15-20 minute nap after they clock out may help them stay alert on the way home. Assisting with access to public transportation may also be a remedy. Finally, employers can provide educational resources to make shift workers aware of the facts about drowsy driving. Each individual should be equipped to recognize the signs and know safe ways to reduce the risk of crashes.

Do you want to learn more about ways to help your workers stay safe every day? Contact DKF Consulting to review your safety training resources.

Cybersecurity: Water Utility Security Part 7

This month, it’s time to take a look at both virtual and physical access for process control systems security. When both of these areas are addressed, infrastructure is better protected from on-site and remote attacks. The American Water Works Association (AWWA) offers guidance on these topics. Here’s a quick overview.

Telecommunications, Network Security, and Architecture

The wired and wireless aspects of network infrastructure come under scrutiny in this phase of cybersecurity. On a physical level, computer rooms, network server closets, and individual cables should be secure from tampering. Port level security can serve as a second layer of protection if physical security is compromised. It shouldn’t be possible for anyone to simply plug a device in to an open port and gain access to (and control over) the system.

In the virtual sphere, data must be secure as it travels from point A to point B. On the network level, using dedicated hardware, separate IP subnets, and virtual local area networks (VLANS) can make systems and processes easier to protect both within the server architecture of the organization and where the network must interface with field equipment and 3rd party systems. It may be wise to create an architecture that allows for critical equipment to continue operating in isolation (in the event that other parts of the network are compromised).

More about Physical and Network Security

In the words of the AWAA “Once physical access to a network device or server is achieved, compromising equipment or systems is usually a trivial matter.” That’s a chilling thought given the percentage of malicious security breaches that are carried out by internal parties (about 25% according to a 2014 Forrester survey). For critical infrastructure, it is vital that only authorized personnel have access to hardware—and only for needed activities. Control rooms, removable media, cabinets, ports, and communication pathways should all be hardened against intrusion.

Physical locks and electronic access control help keep unauthorized personnel away from critical equipment while monitoring systems provide an alert of potential trouble. Security information and event management (SEIM) detection within the network can also report on anomalous activity in real time. In some situations, video surveillance may be beneficial for identifying unauthorized entrants. But bear in mind that prevention is always the primary goal. As with all monitoring programs, having personnel in place to evaluate and swiftly respond to incidents is essential.

Operational Security and Service Level Agreements are up for exploration next month!

Driver Performance Monitoring and Workplace Safety

It’s not just insurance companies that use vehicle monitoring to evaluate the performance of drivers. The technology to track speed, location, G-force, and other aspects of vehicle operation is now used by many employers as well. Since auto accidents remain a leading cause of work-related fatalities, implementing a monitoring program is worth consideration. Here’s a look at some of the pros and cons—along with tips for implementing a smart policy.

On the Plus Side

Examining the behavior of drivers operating workplace vehicles offers several benefits. First, knowing that a vehicle is monitored may give drivers a greater sense of accountability, increasing the likelihood that they will use good judgment on the road. This includes staying on schedule and not making unauthorized side trips or stops.

Second, regular evaluation of recorded data may provide insight into additional safety training (such as defensive driving) that is needed to increase the safety of employees on the road. Finally, if an accident does occur, it’s often hard for the people involved to recall precisely what happened. With monitoring, the events that immediately preceded the accident can be examined to discover the facts.

The Downside of Vehicle Monitoring

An improperly implemented program could violate employees’ right to privacy, leading to legal trouble for employers. A monitoring device that is installed in the wrong location in a vehicle may also create blind spots or other hazards, increasing the likelihood of accident or injury.

In addition, stored data that shows a pattern of unsafe driving on the part of workers might also be used against an employer in litigation. This is especially true if no corrective action was taken to curtail risky behavior.

Tips for Getting It Right

  • Know the purpose of your monitoring program (are you seeking to correct driving behaviors, make safe driving a part of employee evaluation, or have a record in case of an accident?)
  • Create a written driver performance monitoring policy that complies with federal and state law.
  • Disclose your driver monitoring policy to employees and explain its purpose as part of the overall workplace safety program.
  • Make sure the monitoring technology meets state requirements and does not interfere with safe operation of the vehicle (e.g., it should not obscure the driver’s view, obstruct windshield wipers, or be placed in the airbag deployment zone).
  • Follow up on any incidents of unsafe driving to take swift corrective action in accordance with agency policy.
  • Retain records on file as required by law since the monitoring data may be subject to subpoena in the event of litigation or workplace safety inspection.

Do you have questions about using technology to increase employee safety? Contact DKF to talk about health and safety in the modern workplace.

Cal/OSHA Reports a 13-Year Low for Injury and Illness

In the world of occupational safety and health, it’s easy to focus on hazards and disasters. After all, workplace injuries or fatalities affect hundreds of thousands of Californians and their families every year. Preventing and reducing these incidents is very important. But it is also good to know that the efforts of employers and workers across the state have made a significant difference.

This month, the Department of Industrial Relations posted the occupational illness and injury data from 2014. According to the survey results, rates of reportable workplace accidents and illnesses remain at a 13 year low. This holds true across all categories of lost work-time cases (incidents resulting in time lost from work, transfer, or restricted duty).

Quick Statistics for 2014

  • There were 460,000 reportable injury and illness cases
  • 265,000 involved lost work-time
  • 140,000 resulted in days away from work
  • 25,840 involved local government workers including over 3000 in the trade, transportation, and utilities sector.

Risk Factors for Workers

  • Latino workers continue to face disproportionate risks at work, accounting for almost 60% of days away from work. In jobs involving construction activities, 75% of injured workers who lost work days were Latino.
  • Teenagers and new workers (those on the job less than a year) are at particularly high risk for accidents.
  • Sprains, strains, and tears remain the leading causes of lost work-time.
  • Overexertion, adverse reactions to substances at work, slip & falls accidents, and equipment-related injuries are common.

Progress Can Still Be Made

The continuing reduction of workplace illness and injury is cause for hope. It clearly demonstrates that making positive changes in safety programs has a real effect on outcomes. Paying close attention to the factors involved in accidents and illnesses for at-risk groups and activities allows employers to identify hazards and adjust their workplace program accordingly. This is an ongoing process that can and should continue to be refined each year.

With 2016 approaching, it’s a great time for a review of your safety program. With your participation, DKF is dedicated to making each year safer than the one before. If your organization hasn’t yet scheduled a consultation, we encourage you to contact us today.