National Association of Water Companies (NAWC) Cyber Security Conference - Observations

NAWC held their first cyber security conference May 21, 2019 in Washington, DC -  (https://www.cvent.com/c/express/da32b208-b6fa-43bd-bf19-6c18b4a2db27).  Similar to many of the industry-specific cyber security conferences I have attended, most of the conference addressed IT-related issues. Additionally, most of the attendees were from the cyber security and IT organizations with a minority from the Engineering/Operations organizations.

I participated on a panel session: “Industrial Control Systems - The soft underbelly of utility business and service operations”. The session was moderated by Nick Santillo from American Water with participation from JT Hand from York Water, Jim Barbato from Aqua America, Michael Salas from Suez North America, Terry Gold from D6 Research, and myself. I focused on the process field devices where there is no security or authentication. I also discussed the differences between IT/OT and Engineering (packets versus process). This is an issue that affects control system cyber security in every industry. I also emphasized it is important to know if there is an unusual operating condition for any reason, not just cyber. In fact, most unusual operating conditions will not be maliciously cyber-related, but they are still important. The D6 Research presentation was more on physical security. There was a discussion about comparing readings on the PLC to determine the validity of the PLC. However, this approach does not address the validity of the sensor input. Just like the two Boeing Max 737 crashes, “bad” sensor input will be processed by the PLC without question potentially leading to catastrophic consequences.

The utility panel members discussed their organization’s internal interactions between Engineering/Operations and Security. Several of the participants stated they were converging SCADA and IT but did not mention the engineering functions. A very important point was brought up by one of the utilities that they need to be able to operate their facilities without networks/technology. This is similar to what occurred in the Ukraine after the grid was hacked and the Ukrainians could no longer trust the network. One of the utilities mentioned they held “Black Sky” drills as to what would happen if electricity was affected and the emergency diesel generator was not available. My response was a Black Sky event can occur and only affect the water utility. Several years ago, Charleston, WV had a tank with coal cleaning chemicals ruptured (not cyber, but could have been) and the chemicals contaminated the water supply to the city of Charleston for several months. All water had to be trucked in. In this case, electricity, natural gas, and telecommunications were all unaffected even though there was a complete loss of water.

Items of interest included:

- Some of the attendees were unaware that most of the 52,000 water utilities, whether big or small, use similar instrumentation and control system equipment from similar vendors with similar communication protocols, whether analog or digital.

- Many of the speakers/attendee questions mentioned the term “OT” referring to networks and didn’t include sensors, pumps, valves, etc.

- The desire to move control systems to the cloud can have unintended consequences, especially if the intent is for control not just data storage.

The mix of control system/Operations experts with network security, regulatory, and risk provided valuable new insights to the attendees. NAWC appeared to be satisfied with the Conference and intends to have follow-on cyber security conferences.

 Joe Weiss