It's simple. To ensure cybersecurity, policy and procedures need to be put into place, defense-in-depth needs to be established, and best practices need to be followed. Indeed, one word should come to mind when it comes to cybersecurity—protect. Protect the integrity of production, the safety of people and the confidentiality of intellectual property. And while not as robustly funded as their counterparts in private enterprise, even small, district-level water treatment plants are part of the nation’s critical infrastructure. As such, cybersecure policies and procedures must be taken seriously.
For example, in the 2016 Assessment Summary Report by the United States’ National Cybersecurity and Communications Integration Center (NCCIC), the water and waste water segment comprised 43% of the assessment, “a significant sample from which to draw conclusions,” said Jeffrey Gray, deputy chief, Control Systems Training Section of the National Cybersecurity Training & Exercise Center of Excellence, during a presentation at this week’s Rockwell Automation TechED event in San Diego.
"For the last three reports, the top cybersecurity weakness was boundary protection between industrial control systems and enterprise networks,” said Gray. “The rapid growth of the Internet of Things will make a much larger attack surface, including internet-connected devices and mobile devices which can complicate detection."
Unnecessary functionality was second on the list of cybersecurity vulnerabilities cited in the report. "Decrease the vectors for malicious access to critical systems," recommended Gray. "Shut down functionality that is not needed. Limit your profile to an attacker. Then you want to understand where all you traffic on your network is going and narrow that traffic lane so nothing is talking to something it doesn't need to, and the traffic is only moving in the direction you want."
Help for those getting started
For smaller water and wastewater utilities—and others that need help getting started on their cybersecurity journeys—the United States Computer Emergency Readiness Team (US-CERT) or Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) have a lot to say about cybersecurity best practices. These CERTs and other teams were brought together to form the NCCIC several years ago.
Per their website, the NCCIC analyzes cybersecurity and communications information, shares timely and actionable information, and coordinates response, mitigation and recovery efforts. The NCCIC can help get you started in cybersecurity beginning with a threat assessment, so get a team together and start with the basics.
"Anyone looking for a magic bullet for cybersecurity—the three or four things you can do to secure everything—the reality is that it is a process," said Gray. "It's risk management which is a process. You can identify what threat actors are doing or have done in the past; what the majority of vectors they have used to get into the systems have been; but it's really about the day-to-day understanding of what those vulnerabilities are and working to close them. The NCCIC encourages working in the risk avoidance area."
The statistics and field work have borne out some very simple results. "We see that the number one vulnerability from year to year is boundary protection between control systems and enterprise networks," said Gray. "The number one way overall for system intrusion is phishing attacks."
Phishing is essentially social engineering—the psychological manipulation of a person to perform a specific action or reveal confidential information. It may take the form of luring a victim to click a link or plug in a USB device, pretexting false information to get at privileged information, or scareware from a legit sounding company alleging that your computer is infected and a download is required. Elicitation techniques, the gathering of requirements through a variety of methods without creating suspicion, may also be used.
"There are many examples of attacks or entry into ICS networks that are stopped at the enterprise level," said Gray. "That's a good thing. The boundary protection works. If you look at the Shamoon virus that was used against Aramco in 2012, it wiped out 30,000 computers on the IT networks, but it didn't get into their control systems. And that was their target. In the final analysis, their defense worked, they held on to the castle using defense in depth."
Cybersecurity is needed everywhere due to cascading effects. For a water utility application, for example, attacking the supply chain can cause problems. If daily additives are not available because the supplier is shut down, it's as effective as taking out the water source.
"There are many different attack vectors and that's why NCCIC and DHS does regional assessments where they look at cascading effects across the region and interdependencies," said Gray. "Your may concentrate on one player, but you must understand everything.
Assessment tools available
There are always cascading effects and interdependencies. "We like to say that if you have a supply chain on which you are dependent, you should hold your suppliers and contractors to the same cybersecurity standards that you hold yourself to," said Gray. "The scale doesn't matter. I have walked into places where the one overworked man or women is the control system engineer, the electrician and the IT guy. The NCCIC can actually do a lot to help them through the products and information we have available. There is information out there that can help everybody, but it's hard when you are out there all alone.
"The Cyber Security Evaluation Tool (CSET) can help to evaluate an organization’s security posture," added Gray. "You and your team sit down and start answering standards-based questions. When you are done, if you were honest, you will have useful results. If you have people who are afraid for their jobs, you may get garbage in, garbage out."
The CSET will create an executive level summary that includes a top twenty list of what should be concentrated on. Stay tuned for a learning path that will be on the NCCIC website later this year. It will point you to the training most useful depending on your position, such as manager or control engineer.