Increase cybersecurity for our most precious resource: Water


Safe drinking water is necessary for human life, and treated wastewater is critical to public health. Unfortunately, water and wastewater systems, like any operational technology (OT) system, are vulnerable to cyberattacks. Agencies in the US, European Union, United Kingdom, Australia, and other countries recognize this threat to critical infrastructure. By and large, we need stronger water security.

For instance, the Cybersecurity and Infrastructure Security Agency (CISA) asserts that there is an advanced persistent threat of “continued malicious cyber activity against operational technology devices” used in water and wastewater applications. To address these growing threats to water security, OT users and regulators are looking to IT for guidance and, ultimately, solutions.

Governments across the world, from Australia to Europe to India and the US, are prioritizing water security. Cyberattacks can originate from hostile actors inside and outside water and wastewater organizations. For example, the group known as “CyberAv3ngers” is understood to have conducted multiple cyberattacks against OT water systems in Israel and the US. Moreover, the same potentially catastrophic effects can be produced by human error when configuring OT devices or networks. For instance, the Oldsmar, Florida water treatment plant incident is believed to have been caused by an employee’s human error.

Improving water security

Fortunately, some of the major vulnerabilities for water systems are understood, if not always addressed beforehand. Vulnerabilities for OT equipment, such as remote terminal units (RTUs), programmable logic controllers (PLCs), human-machine interfaces (HMIs), and SCADA systems, are published by agencies such as CISA and in open forums such as the Common Weakness Enumeration.

OT systems can leverage IT to help water security. The goal of IT is to safeguard data, networks, and systems from unauthorized access, breaches, and cyber threats. To achieve its goals, IT implements security measures such as firewalls, encryption, access controls, and regular system updates. IT also oversees incident responses, security audits, and user training to help ensure a robust security posture. Globally, IT has the resources to go with the expertise, as well as the CAPEX.

Network-facing OT equipment, such as RTUs, PLCs, and HMIs, can significantly help to secure water and wastewater operations by incorporating mechanisms to interface with IT systems. This includes using directory services such as Active Directory. It also includes the ability to restrict operator access to OT devices and networks to users with OT network accounts. A key extension to this ability is the restriction of user access within the OT device itself.

This way, only the functions needed by a user to do their job are made available when a user is interacting with a device such as a PLC, RTU, or HMI. For example, a technician could be authorized to view the status of a pump station connected to an RTU, but not to modify the logic application being used by the RTU. This is known as role-based access control (RBAC).

Managing OT network accounts with RBAC

Controlling access to authorized users is critical to securing water. Consider: In the Verizon 2023 Data Breach Investigations Report, researchers found a human element in three-fourths of the studied breaches.

Using RBAC to manage accounts at an OT network level has major advantages over managing accounts on a device-by-device basis. Changing access credentials creates significant risk. Updating a password or account device-by-device cannot be sustained at scale. It’s a manual process that requires a user to:

  • Access the specific tool for that device
  • Log in and change the password
  • Log out and propagate the new credentials to the operators who work in the field

This results in a risk of devices or operators being missed which, in turn, creates operational and security vulnerabilities. Users may not be able to access the devices, and credentials can be easily disclosed outside the organization. A second challenge is the time required to manually administer password changes device-by-device. This can scale into a full-time position depending on the number of employees and devices.

The importance of standard IT tools

Other IT technologies make it easy to add further protections to OT devices. Adding multifactor authentication to the RBAC scheme can reduce the impact of a user’s OT network credentials being leaked or misused. Integrating a privileged access management (PAM) tool, such as CyberArk, allows OT network administrators to control access on a device-by-device and service-by-service basis using centrally managed device accounts.

In this case, an operator could request access to a specific site and receive temporary credentials to the smart RTU specific to the site. When the work is complete, the PAM updates the credentials on each device.

A final example of an IT approach that can be leveraged to better secure OT water systems is Syslog. Syslog is a standard approach used to log events on a computing device, like failed login attempts. This enables an OT network administrator to rapidly detect anomalies such as unexpected configuration changes or potential security breaches, allowing for a timely response. Syslog also provides a comprehensive audit trail of activities. This is essential for forensic analysis, compliance with regulations, and understanding the sequence of events leading up to a security incident.
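The kind of detection described above can be sketched over device syslog, as an added example that is not from the original post or from any vendor. It parses RFC 3164-style lines and flags bursts of failed logins per device and source address, plus configuration changes that happen outside working hours or shortly after such a burst. The hostnames, process tags, message wording, thresholds, and working hours are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed RFC 3164-style lines. Hostnames, tags and message wording are
# assumptions for illustration, not the output of any real RTU firmware.
SAMPLE_LOG = """\
<38>Mar  4 02:10:01 rtu-pump07 authd: Failed login for user tech1 from 10.20.0.15
<38>Mar  4 02:10:09 rtu-pump07 authd: Failed login for user tech1 from 10.20.0.15
<38>Mar  4 02:10:17 rtu-pump07 authd: Failed login for user admin from 10.20.0.15
<37>Mar  4 02:12:03 rtu-pump07 configd: Configuration changed by admin: logic replaced
<38>Mar  4 09:30:00 rtu-lift02 authd: Failed login for user tech2 from 10.20.0.31
<37>Mar  4 10:05:00 rtu-lift02 configd: Configuration changed by eng1: setpoint updated
"""
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\w+): (.*)$")
FAILED_RE = re.compile(r"Failed login for user (\S+) from (\S+)")
CHANGE_RE = re.compile(r"Configuration changed by ([^\s:]+)")

def parse(line, year=2024):
    # RFC 3164 timestamps carry no year, so the collector has to supply one.
    m = LINE_RE.match(line)
    if not m:
        return None
    pri, ts, host, tag, msg = m.groups()
    when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return {"severity": int(pri) & 7, "time": when, "host": host, "tag": tag, "msg": msg}

def detect(text, threshold=3, window=timedelta(seconds=60),
           follow=timedelta(minutes=10), work_hours=range(8, 17)):
    alerts, fails, last_burst = [], defaultdict(list), {}
    for ev in filter(None, map(parse, text.splitlines())):  # skip unparseable lines
        f = FAILED_RE.search(ev["msg"])
        if f:  # count failures per (device, source address) in a sliding window
            key = (ev["host"], f.group(2))
            fails[key] = [t for t in fails[key] if ev["time"] - t <= window] + [ev["time"]]
            if len(fails[key]) == threshold:
                alerts.append(("failed-login-burst", *key))
                last_burst[ev["host"]] = ev["time"]
        c = CHANGE_RE.search(ev["msg"])
        if c:  # a change is suspicious off-hours or soon after a failure burst
            burst = last_burst.get(ev["host"])
            reasons = []
            if ev["time"].hour not in work_hours:
                reasons.append("outside-work-hours")
            if burst is not None and ev["time"] - burst <= follow:
                reasons.append("after-failed-login-burst")
            if reasons:
                alerts.append(("config-change", ev["host"], c.group(1), tuple(reasons)))
    return alerts
```

Calling `detect(SAMPLE_LOG)` returns the alert tuples in log order; the daytime change on `rtu-lift02` raises nothing because it falls inside the assumed working hours and follows no burst.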

Leveraging IT methods to help water security for OT

Integrating standard IT tools and approaches into RTUs, PLCs, HMIs, and SCADA systems can significantly increase the security of water and wastewater critical infrastructure. IT has the capability to address the most common vulnerabilities: the failure to update devices and the failure to limit access to authorized users.

Incorporating new OT equipment and tools that can support RBAC, PAMs, and Syslog increases cybersecurity in water and wastewater systems. Schneider Electric’s SCADAPack™ 47x and 47xi enable such IT tools to help mitigate major cybersecurity vulnerabilities. Learn more about smart RTUs and how to increase security in water and wastewater systems.
