Despite the fact that some communities would prefer differently, it is impossible to avoid the use of networked control systems in council and state-owned bulk water provider systems. Having led the technology gamut in a water body, who else will know this better than those experienced in water cyber security?
The disconnecting of council operated and state-owned water systems, from their ability to connect via the internet, is not a viable option. This is due to the fact that most new equipment comes with remote access by default, and the support and maintenance staff use that functionality to connect to those systems remotely.
The challenge lies in determining how to securely authorize remote access to on-premises systems without running the risk of becoming the next target of a nation-state cyberattack. This is comparable to the attack that transformed the Council managed Water Authority of Aliquippa, Pennsylvania, from a standard-issue local utility into a global news headline in January 2024. (For more information, click here https://shorturl.at/xuevJ.)
Water is life and the local-, state- and federal- governments across the globe acknowledge that.
As a result, National Institute of Standards and Technology (NIST) has launched a project that is designed to protect water and wastewater utilities from new cyberthreats. The project is out for Subject Matter Expert (SME) and public consultation.
In spite of the fact that remote connection ports are present, the NIST published a draft reference guide on Wednesday June 12, 2024, for water utilities. (For more information, click here – https://www.nist.gov/) It is intended that the first publication of the draft project will provide solutions for a variety of water and wastewater systems, in addition to cloud-based remote access solutions that are applicable to water systems of varying sizes. This project is aiming to
1. combine items given by vendors that help improve asset management;
2. better data integrity;
3. extend network segmentation capabilities; and
4. allow for remote access to operational technology assets from outside the operational technology environment.
Water utilities often span large geographic regions and depend on supporting operational technology (OT) such as Supervisory Control And Data Acquisition (SCADA) systems. These systems regulate automated operations, carry out monitoring, and offer data transfer throughout the whole organisation.
Top three (3) cybersecurity challenges that are faced in the water and wastewater industry:
1) Establishing a fit-for-purpose OT asset management framework, including
a) adequate inventories of operational technology (OT) equipment and software; and
b) inclusion of offsite or remote devices, which, if not appropriately done, may lead to gaps in the management of security settings for those devices.
2) Lack of Data integrity checks and balances in those OT systems.
3) Lack of a guarantee of sufficient network segmentation between IT and OT environments
If water and wastewater bodies implement controls associated with the top three (3) risks mentioned above, these will restrict the threat actors from gaining access to sensitive systems and jeopardize operational integrity.
In addition to the above, the incorporation of a Multi-Factor Authentication (MFA) solution and using a separate set of credentials in the OT environment (not the same as one’s corporate credentials, especially for those with privileged access) will further strengthen the cyber posture of these water bodies.
Recent research has indicated a number of “alarming cybersecurity vulnerabilities” throughout drinking water systems around the country. It is clear that a great majority of the systems that have been evaluated have poor cyber hygiene in the OT/SCADA environment within the water and wastewater sector. One of the key remediation challenges faced by the water sector is that they do not have sufficient funding and technical resources to comply with new federal security mandates and recommendations made by the government.
These are clearly articulated in Australia’s Security of Critical Infrastructure (SOCI) Act 2018.If you need industry specific knowledge, experience, and skillset, reach out to us at Cyber Ethos through our website https://cyberethos.com.au/contact/ or call us at 1800 CETHOS (1800 238 467) – We can surely help.
Until next time
Stay Cybersafe
