Water utilities are just the latest industry to experience high-profile cyber incidents.
Earlier this year, a hacker breached a California water treatment plant and removed programs used to clean water. In another incident that made national headlines, a hacker gained remote access to a Florida treatment plant and increased the amount of lye in the treatment process – a change that a plant employee fortunately noticed and quickly corrected.
Going back to a time when water utilities were less connected isn’t an option. COVID-19 demanded connected operations so employees could work remotely. And “smart water” capabilities like real-time monitoring and remote connectivity are increasingly essential to helping water utilities quickly respond to challenges like population changes and more severe weather events.
The best thing water utilities can do is address the challenge head on, with a comprehensive approach to cybersecurity.
Start with a plan
A cybersecurity plan isn’t only essential for securing your operations, it’s required by the United States Environmental Protection Agency.
The American Water Infrastructure Act (AWIA) requires that all community water systems serving populations of 3,300 people or more carry out two risk management activities every five years.
First, you must complete a risk-and-resilient assessment, formerly known as a vulnerability assessment. Second, you must complete an emergency response plan.
It’s important to note that, while the AWIA previously only required that physical security considerations be addressed in these activities, it now requires that the activities also address cyber risks to a plant’s process control system.
Know your assets, know your risks
You can’t assess the risks in your operations until you assess the assets in them. That’s because you can only secure what you know exists. And unfortunately, most people don’t know all the devices that have been placed on their network over the years.
An installed base evaluation (IBE) can provide a complete assessment of all devices connected to your network. If you perform the IBE yourself, make sure your IT and operational technology (OT) teams are collaborating from the start. These teams have different technologies and sometimes competing priorities, so it’s crucial that they be on the same page from the start of the IBE.
Many plants choose to hire IT and OT pros to conduct their IBE. If you go this route, it’s again important to make sure you’re bringing in both IT and OT expertise. Cisco and Rockwell Automation, for example, offer a “best of both worlds” approach, bringing unparalleled IT and OT expertise to an IBE.
The findings of an IBE can be eye-opening. Plant staff may go into the process with a high level of confidence that their operations are secure because they’ve invested in high-quality devices, only to find that the IBE reveals several vulnerabilities. Just some of the risks that we’ve identified during an IBE include uninstalled security patches, unauthorized remote connections made by subcontractors, decommissioned assets that are still connected and more.
Developing a plan
An IBE will help inform the development of your cybersecurity plan. But your plan should also address some key objectives.
First, it should be aligned with security standards and regulations, such as the NIST security framework, ISA/IEC 62443 and ISA84/IEC TC65. Your plan should also use a defense-in-depth security approach. This involves using multiple layers of protection to mitigate threats.
If you feel overwhelmed by the task at hand or are unsure where to start, a number of resources are available to help you in your journey to more secure water or wastewater operations.
The American Water Works Association (AWWA) tool can help you meet the AWIA’s requirements. And free Converged Plantwide Ethernet (CPwE) design guides from Rockwell Automation and Cisco offer design guidance and best practices for deploying a scalable, robust, secure, and future-ready industrial network architecture.