Water and Wastewater

The Security Risks of Using Shared Credentials in Water and Wastewater Facilities

This is the first in a series of five blog posts about the biggest cybersecurity risks for water and wastewater and how you can address them so you can keep your critical systems protected from cyber threats. Keep an eye on our blog or make sure you follow us on LinkedIn so you don’t miss any posts in the series.

You probably know about the significant risks sharing credentials poses for your water and wastewater facilities. 

But you may not know that over 80% of hacking-related breaches can be attributed to weak or stolen credentials. 

This is especially concerning for water and wastewater facilities. After all, these organizations provide invaluable services that our communities depend on. 

Moreover, these facilities heavily rely on both information technology (IT) and operational technology (OT) systems to ensure smooth operations. If these systems are compromised, it could result in service disruptions or worse, a harmful impact on your organization and the people you serve. 

By eliminating shared credentials, you can avoid these risks and consequences. You’ll be protecting your systems from unauthorized access while significantly reducing the risk of a cyber attack. 

The Risks of Using Shared Credentials in Water and Wastewater Facilities

Shared credentials leave you vulnerable to cyber threats for several reasons: 

Lack of Accountability

When multiple people share the same credentials, it becomes difficult to establish individual accountability for actions performed within the system. If an unauthorized or malicious activity occurs, it becomes challenging to identify the person responsible. This lack of accountability hinders effective incident response and can delay or impede the investigation of security breaches.

Increased Vulnerability to Insider Threats

Insider threats occur when individuals with authorized access to a system misuse their privileges. Shared credentials make it challenging to trace unauthorized activities back to specific individuals. In a water and wastewater facility, insiders could potentially manipulate critical systems, disrupt operations, or cause damage to infrastructure. Shared credentials make it difficult to attribute such actions to a particular person, increasing the risk of insider threats going undetected.

Limited Access Control

Shared credentials often lead to a lack of granular access control. Different users within a water and wastewater facility may have varying roles, responsibilities, and authorization levels. By sharing credentials, there is no way to differentiate between users or enforce fine-grained access restrictions. This means that an individual with shared credentials might have more privileges than necessary, increasing the potential impact of any security breach or unauthorized activity.

Weakened Password Hygiene

Shared credentials typically require passwords to be known by multiple individuals. This often leads to poor password hygiene practices. Passwords may be shared through insecure channels, written down and left in plain sight, or stored in easily accessible files, increasing the risk of password compromise. Weak or easily guessable passwords may also be used, further undermining the security posture of the system.

Difficulty in Revoking Access

When shared credentials are used, revoking access for specific individuals becomes challenging. If one person’s access needs to be revoked due to a change in employment, termination, or any other reason, it requires changing the shared credentials and distributing the new credentials to everyone else. This process is cumbersome, time-consuming, and prone to errors, potentially leaving revoked individuals with continued access to critical systems.

What Not to Do

  • Don’t give out new usernames, IDs, or passwords for each application: Instead, leverage single sign-on using your Microsoft or Google workplace accounts whenever possible so everything is connected to one account, not 20. This also makes it easy to revoke access. 
  • Don’t give out clients and VPNs: Clients and legacy access technologies like VPNs don’t provide sufficient security against modern cyber-attacks. Implementing a VPN-less environment not only protects your systems but also helps you align with EPA cybersecurity recommendations
  • Don’t forget about multi-factor authentication: Multi-Factor Authentication is the strongest protection against phishing, identity theft, and other account-takeover attacks. In the case that credentials are compromised, it can be the failsafe that stops a cyber attack in its tracks.

How Agilicus Eliminates Shared Credentials in Water and Wastewater Facilities

Now that you know why you should eliminate shared credentials, here’s how you can do it with Agilicus. 

For simplicity, let’s use a common scenario of a decade-old application as an example. This particular application doesn’t participate in any of this new mumbo-jumbo cybersecurity stuff and the organization can’t get rid of it because it’s necessary for business operations. 

In this example, Agilicus solves this challenge by putting our platform – which is known as an identity-aware web application firewall – in front of the legacy application. 

This accomplishes a few things. First, it makes it easier for your users to access the resources they need with a one-click single sign-on experience. That means no more memorizing new passwords and a consistent login experience every time. And more importantly, it makes it more difficult for hackers to spear phish you with random forms that ask for your user’s passwords, thereby significantly reducing the risk of compromised credentials. All of this happens without any changes to your existing network or configuration. 

In addition to removing shared credentials, Agilicus’ platform also strengthens the security of your water and wastewater facilities in other ways, including: 

  • Multi-factor authentication, which you can enforce for all your systems, even on legacy applications (like the one in the example mentioned above) or for your third-party vendors.
  • Vendor access management with centralized managed permissions
  • Granular, audible administrator control so you can see who accessed what, when, and from where.

Want to learn more? Check out this on-demand webinar hosted by our CEO, Don Bowman, for a deeper dive into how Agilicus can help you eliminate shared credentials. 

Or, if you want to see specifically how Agilicus can help water and wastewater facilities like yours, read this case study about how we helped a municipality secure its water treatment facility’s operational technology.