Protecting Water Utilities from Cyber Threats
About the author:
Janine Nielsen is business development manager of water and wastewater industry for Rockwell Automation.
Water utilities are just the latest industry to experience high-profile cyber incidents.
Earlier this year, a hacker breached a California water treatment plant and removed programs used to clean water. In another incident that made national headlines, a hacker gained remote access to a Florida treatment plant and increased the amount of lye in the treatment process – a change that a plant employee fortunately noticed and quickly corrected.
Going back to a time when water utilities were less connected is not an option. COVID-19 demanded connected operations so employees could work remotely. Additionally, smart water technology capabilities such as real-time monitoring and remote connectivity are increasingly essential to helping water utilities respond quickly to challenges like population changes and more severe weather events.
The best thing water utilities can do is address the challenge head on, with a comprehensive approach to cybersecurity.
Start With a Plan
A cybersecurity plan is not only essential for securing your operations, it is required by the U.S. EPA.
America's Water Infrastructure Act (AWIA) requires that all community water systems serving populations of 3,300 people or more carry out two risk management activities every five years.
First, a utility must complete a risk and resilience assessment, formerly known as a vulnerability assessment. Second, the utility must complete an emergency response plan.
It is important to note that, while the AWIA previously only required that physical security considerations be addressed in these activities, it now requires that the activities also address cyber risks to a plant’s process control system.
Know the Assets, Know the Risks
Utilities cannot assess the risks in their operations until they assess their assets. That is because facilities can only secure what they know exists. And unfortunately, most people do not know all the devices that have been placed in their network over the years.
An installed base evaluation (IBE) can provide a complete assessment of all devices connected to a network. If you perform the IBE yourself, make sure the IT and operational technology (OT) teams collaborate from the start. These teams have different technologies and sometimes competing priorities, so it is crucial that they be on the same page from the beginning of the IBE.
Many plants choose to hire IT and OT pros to conduct their IBE. If you take this route, it is again important to bring in both IT and OT expertise. Cisco and Rockwell Automation, for example, offer a “best of both worlds” approach, bringing IT and OT expertise to an IBE.
The findings of an IBE can be eye-opening. Plant staff may go into the process with a high level of confidence that their operations are secure because they have invested in high-quality devices, only to find that the IBE reveals several vulnerabilities. Some of the risks identified during an IBE include uninstalled security patches, unauthorized remote connections made by subcontractors, decommissioned assets that are still connected and more.
Developing a Plan
An IBE will help inform the development of a cybersecurity plan. But a plan should also address some key objectives.
First, it should be aligned with security standards and regulations, such as the NIST security framework, ISA/IEC 62443 and ISA84/IEC TC65. The plan should also use a defense-in-depth security approach. This involves using multiple layers of protection to mitigate threats.
If this task is overwhelming or you are unsure where to start, a number of resources are available to help on your journey to more secure water or wastewater operations.
The American Water Works Association (AWWA) tool can help meet the AWIA’s requirements. And the free Converged Plantwide Ethernet (CPwE) design guides from Rockwell Automation and Cisco offer design guidance and best practices for deploying a scalable, robust, secure, and future-ready industrial network architecture.
Additional Resources
Watch the on-demand webinar, “The Critical Role of Network Security in Water Utilities,” to learn more.