Water and wastewater utilities provide critical lifeline services to their communities and regions. Clean water is essential for public health, ecosystem protection, and economic strength. Supporting these important functions requires secure information technology (IT) and operational technology (OT) systems.
IT and OT compromises can have a great impact on a utility. Operational disruptions could jeopardize public health and environmental protection. To support water and wastewater utilities and the wider critical infrastructure community in their cybersecurity goals, the Water Information Sharing and Analysis Center, better known as WaterISAC, published a newly updated resource: 15 Cybersecurity Fundamentals for Water and Wastewater Utilities. The original guide, first developed in 2012, has been downloaded thousands of times.
WaterISAC has compiled 15 fundamental cybersecurity practices to reduce exploitable weaknesses, not only for water and wastewater utilities but for critical infrastructure and industry alike. This revamped resource contains dozens of practices and practical advice, grouped into 15 main categories, that organizations can implement to reduce security risks to their IT and OT systems. Each recommendation is accompanied by links to relevant technical resources, providing additional information and tools necessary to take a deep dive into this acutely important initiative.
Here are the topics and what to expect with each fundamental:
Perform Asset Inventories. You cannot protect what you do not know about. Knowing your environment is foundational to a successful cybersecurity program.
Assess Risks. Once assets are accounted for, threats can be more accurately assessed for the risk they pose to the organization and its IT and OT environments. Organizational risk is a function of the likelihood a threat will occur and the degree of impact the threat will cause to the organization.
Minimize Control System Exposure. Protect the control system environment from “hostile,” untrusted networks – which is theoretically everything outside the control system network. Network segmentation, traffic restrictions and encrypted communications are just a few methods to minimize the risk posed to OT networks from external communications pathways.
Enforce User Access Controls. Grant no more system access privileges than what is necessary to perform duties. Apply role-based access controls and the principle of least privilege, including limited use of administrator rights, to prevent users from accessing systems and files they are not authorized to access.
Safeguard from Unauthorized Physical Access. If an adversary can gain physical access to your equipment, they can/will compromise (“own”) it. The implementation of non-technical, physical security controls to regulate physical access to IT and OT environments is just as important to cybersecurity as the use of technology controls.
Install Independent Cyber-Physical Safety Systems. If you can imagine a worst-case cyber threat scenario that could cause physical damage to Industrial Control System (ICS) equipment, so will the bad guys. By installing solutions to limit physical damage that could occur due to a cyber-attack, asset owners can prevent dangerous conditions such as excessive levels of pressure or chemical additions.
Embrace Vulnerability Management. More than patching and antivirus. Largely informed by asset inventory and risk assessments, vulnerability management involves the need to identify and remediate cybersecurity gaps and vulnerabilities before the bad guys exploit them.
Create a Cybersecurity Culture. Cybersecurity is everyone’s responsibility, from the break room to the boardroom. Effective cybersecurity starts at the top; to effect positive behavioral changes, involve every executive, board member and employee in cybersecurity awareness and training.
Develop and Enforce Cybersecurity Policies and Procedures (Governance). Create, disseminate and operationalize clear and actionable organizational policies and procedures regarding cybersecurity expectations. The fundamentals in this guide can be used to begin developing policies that are most relevant to each organization.
Implement Threat Detection and Monitoring. You will not find it if you are not looking. The importance of configuring detailed logging and reviewing system logs to detect active threats in your environment cannot be overstated.
Plan for Incidents, Emergencies and Disasters. To keep the water running, maintain business continuity and resilience. Emergency Response Plans (ERPs) will be required by America’s Water Infrastructure Act (AWIA) beginning in 2020.
Tackle Insider Threats. The insider threat is a people problem, not a technology problem; however, not all insider threats are malicious. Mitigate this organizational-level threat by understanding behavioral indicators that predicate an insider threat and applying appropriate training and technology controls to deter an incident.
Secure the Supply Chain. Unless you manufacture all of your own components, this is another organizational-level threat that affects every industry. From component vulnerabilities to financial transactions, the supply chain/vendor relationship is a common threat vector for cyber-attacks and must be intentionally managed through security and vulnerability testing and risk assessments.
Address All Smart Devices (IoT, IIoT, Mobile, etc.). When these unsecured devices are connected to our networks, they create holes (often to the internet) that may not have previously existed. Cisco’s “2018 Annual Cybersecurity Report” states that few organizations view IoT as an imminent threat, yet adversaries are exploiting weaknesses in connected devices to gain access to industrial control systems that support critical infrastructure.
Participate in Information Sharing and Collaboration Communities. Last but not least, and certainly our favorite – share information with others. Cyber-mature utilities can significantly help the community and sector by sharing their experiences; likewise, less-resourced utilities benefit from sharing communities by gaining access to hundreds of analysts.
Although many water and wastewater utilities have invested necessary time and resources in cybersecurity, more progress is required within the sector to secure IT and OT systems. This guide is intended to show a path toward that goal. The guide will also be helpful for utilities preparing risk and resilience assessments and emergency response plans required by the America’s Water Infrastructure Act (AWIA).
The mission of WaterISAC is to enhance the security of water and wastewater utilities by providing information and tools for preventing, detecting, responding to, and recovering from all hazards, and is the only all-threats security information source for the water and wastewater sector. WaterISAC also provides analysis and resources to support response, mitigation and resilience initiatives.
WaterISAC is a nonprofit organization created in 2002 by and for the water and wastewater sector. It is governed by a board of managers comprising water and wastewater utility managers and a state drinking water agency administrator who are appointed by the American Water Works Association, the Association of Metropolitan Water Agencies, the Association of State Drinking Water Administrators, the National Association of Clean Water Agencies, the National Association of Water Companies, the National Rural Water Association, the Water Environment Association and the Water Research Foundation.
Member organizations include drinking water and wastewater utilities, local, state and federal government agencies, industry organizations and private firms that support water and wastewater utilities.
WaterISAC delivers timely, actionable information you can put to use right away to Supercharge Your Security.
Learn more and join WaterISAC at waterisac.org/membership.