Cybersecurity: Water Utility Security Part 3

The threat to infrastructure from online attackers has become a matter of national security over the past few years. According to the Department of Homeland Security, “The Water and Wastewater Systems Sector is vulnerable to a variety of attacks, including contamination with deadly agents, physical attacks such as the release of toxic gaseous chemicals and cyberattacks. If these attacks were realized, the result could be large numbers of illnesses or casualties and/or a denial of service that would also impact public health and economic vitality.” The DHS points out that critical services and systems such as firefighting and healthcare, energy, food, agriculture, and transportation systems would all face challenges or break down altogether if water service was interrupted.

Process Control Systems Are Already Under Attack

The American Water Works Association offers additional insight into the scope of the problem: “Cybersecurity is an increasingly important issue for water systems for a few reasons. First, water systems have become more automated to improve operational efficiency, including the expanded use of supervisory control and data acquisition systems for treatment plant and distribution system operations. Second, hackers and state-sponsored organizations are increasingly targeting process control systems (PCSs) for malevolent attacks. Discussions with water systems and reported incidents reveal that many systems receive hundreds of attempted attacks and probes on a daily basis.”

It’s evident that, as one of the 16 critical infrastructure sectors in the U.S., water utilities need to do a better job of protecting their process control systems from cyber-threats. But how exactly can this be accomplished?

A Framework for Cybersecurity Has Been Created

The National Institute of Standards and Technology has collaborated with the AWWA to develop guidelines to help water and wastewater utilities better protect their critical systems. As of 2014, this cybersecurity framework covers 12 key areas:

  1. Governance and Risk Management
  2. Business Continuity and Disaster Recovery
  3. Server and Workstation Hardening
  4. Access Control
  5. Application Security
  6. Encryption
  7. Telecom, Network Security, and Architecture
  8. Physical Security of PCS Equipment
  9. Service Level Agreements
  10. Operations Security
  11. Education
  12. Personnel Security

In the ensuing months, we will explore each of these areas of cybersecurity for the water utility sector. Stay tuned next month for a look at Governance & Risk Management—the big picture stuff that needs to be understood at the outset of developing a comprehensive plan for reducing security risks.