Cybersecurity: Water Utility Security Part 5

This month, we’ll take a look at some technical and administrative aspects of cybersecurity for the network systems that keep a water utility going. The goal of these AWWA guidelines is to maintain the confidentiality, integrity, and availability (CIA) properties of the computing resources used by a water agency.

Server and Workstation Hardening

Application, web, and database servers as well as the individual workstations they support offer many potential openings for attack. There are a wide variety of best practices for hardening these resources against intrusion.

Workstation hardening begins with physically securing the client-side devices (for example, ensuring locations where workstations and control consoles reside are protected using an electronic access control system.) On the IT side, here are some more security measures:

  • Patching/upgrading vulnerable apps and services
  • Prohibiting addition of new services without IT review and approval
  • Eliminating unused, unnecessary, and non-secure programs and services

Similarly, it’s important to keep up with hotfixes and patches on the server side. It may be wise to disable unnecessary network services, registries, executables, and test scripts that are known to be insecure. Properly restricting permissions for files, services, end points, and registry entries is also smart. Of course, the specific security measures vary based on operating system and require careful review to ensure functionality isn’t compromised.

Access Control

Here are some basic security steps for access control to water utility networks:

  • Restrict permissions for files and data according to end-user roles
  • Automate user provisioning (and de-provisioning) to standardize and streamline the process, reducing the risk of errors and delays
  • Use dual-factor authentication such as a passcode and a chip-enabled card or fingerprint scanner for critical systems
  • Audit access on a regular basis so you know who is accessing which resources

The most obvious step in access control is ensuring that user passwords throughout the system are strong and difficult to guess. As a next step, implementing Single Sign On (SSN) gives users access to multiple applications without re-entering their information. Making it simple to sign in supports the best practice of signing out whenever a person is away from their workstation. However, the AWWA points out that SSN shouldn’t be used to allow users to access both process control systems and enterprise systems. As always, shielding PCS is the key to safeguarding critical infrastructure.

More to come: Next month, we will explore application security and encryption. 

California Workers Death Prompts Criminal Charges

Late in 2012, a 51 year old San Francisco worker fell to his death at a worksite. Fines in the amount of more than $25,800 have been assessed against Versaggi Construction for serious violations. But the bad news for the construction company doesn’t stop there. As Cal/OSHA’s lengthy criminal investigation progressed, the regulatory agency coordinated with the District Attorney’s office to file felony charges. The two people being held responsible for the death of the construction worker are the foreman at the site (John Fitt) and the owner of the construction company (Salvador William Versaggi). Both men pled not guilty to manslaughter charges and labor code violations last month.

What Happened at the Site?

Jose Plancarte was given the job of working on a window frame opening about 18 feet above ground level. His employer did not provide fall protection, although the working height was more than twice the height at which fall protection measures should have been put in place according to OSHA regulations. Mr. Plancarte created his own makeshift scaffold (with no guardrails) out of some planks, brackets, and nails to access the work area. Predictably, one misstep led to a fatal fall to the concrete floor below.

Cal/OSHA’s investigation determined that the employer failed to provide adequate protection and that the foreman knew of the unsafe scaffold built by the worker. OSHA and the DA’s office are attempting to hold both men accountable for failing to prevent the foreseeable death of an employee.

Current Case Echoes Similar Fatality in 2008

The fatal fall of Plancarte occurred just a few years after another worker, Antonio Martinez, fell 40 feet from an apartment roof to a concrete sidewalk. The employer in this case also failed to institute proper safety measures. The worker was not wearing fall protection and the employer did not provide railings or barriers to protect the employee from venturing too near the edge of the roof.

Shockingly, the Department of Occupational Safety and Health (DOSH) discovered two more employees working in the same location without fall protection the day after their coworker fell to his death. Apparently, the foreman on site told investigators that he believed fall protection was not necessary when working on a flat roof. The owner of California C&R later pled guilty to four felonies including involuntary manslaughter. He was sentenced to a year in jail.

These tragic deaths offer insight into the importance of fall protection for all at-risk workers. These cases also demonstrate that OSHA is serious about jail time for employers who fail to take proactive steps to safeguard their employees.