Cybersecurity: Water Utility Security Part 5

This month, we’ll take a look at some technical and administrative aspects of cybersecurity for the network systems that keep a water utility going. The goal of these AWWA guidelines is to maintain the confidentiality, integrity, and availability (CIA) properties of the computing resources used by a water agency.

Server and Workstation Hardening

Application, web, and database servers as well as the individual workstations they support offer many potential openings for attack. There are a wide variety of best practices for hardening these resources against intrusion.

Workstation hardening begins with physically securing the client-side devices (for example, ensuring locations where workstations and control consoles reside are protected using an electronic access control system.) On the IT side, here are some more security measures:

  • Patching/upgrading vulnerable apps and services
  • Prohibiting addition of new services without IT review and approval
  • Eliminating unused, unnecessary, and non-secure programs and services

Similarly, it’s important to keep up with hotfixes and patches on the server side. It may be wise to disable unnecessary network services, registries, executables, and test scripts that are known to be insecure. Properly restricting permissions for files, services, end points, and registry entries is also smart. Of course, the specific security measures vary based on operating system and require careful review to ensure functionality isn’t compromised.

Access Control

Here are some basic security steps for access control to water utility networks:

  • Restrict permissions for files and data according to end-user roles
  • Automate user provisioning (and de-provisioning) to standardize and streamline the process, reducing the risk of errors and delays
  • Use dual-factor authentication such as a passcode and a chip-enabled card or fingerprint scanner for critical systems
  • Audit access on a regular basis so you know who is accessing which resources

The most obvious step in access control is ensuring that user passwords throughout the system are strong and difficult to guess. As a next step, implementing Single Sign On (SSN) gives users access to multiple applications without re-entering their information. Making it simple to sign in supports the best practice of signing out whenever a person is away from their workstation. However, the AWWA points out that SSN shouldn’t be used to allow users to access both process control systems and enterprise systems. As always, shielding PCS is the key to safeguarding critical infrastructure.

More to come: Next month, we will explore application security and encryption.