Cybersecurity Tips for Water and Wastewater Systems of All Sizes

Big or small, the importance of protection and security are the same

WaterISAC Staff

Jun 1, 2022


Image by Pete Linforth from Pixabay

Critical infrastructure is defined as an asset that is so essential and vital to the United States and the people of this country that any ripple, destruction, or incapacity to perform would have a significant impact on physical, economic, or public health and safety. National Critical Functions are defined as pieces of the government and private sector for which any disruption could crumble security ranging from economic to public health across the nation. Both water and wastewater fall under these categories — a lifeline and necessity to all.

Whether a utility serves 300 people or hundreds of thousands with water and wastewater service, the importance of protection and security are the same. What's important to remember is that while federal agencies like the Cybersecurity and Infrastructure Security Agency are keenly concerned about the impact of large water system outages and their effect on particular regions, a cyber-attack at the smaller system is just as damaging to life and the economy on a local scale.

To block or limit information technology (IT) or operational technology (OT) compromises, there are some basics that all water and wastewater utilities should follow and understand. WaterISAC's 15 Cybersecurity Fundamentals for Water and Wastewater Utilities (http://www.waterisac.org/fundamentals) do not discriminate based on the size of the population served. Instead, "15 FUN" — our name for the fundamentals — is the foundation that can (and should) be implemented by all. However, because these are risk-based best practices, all of them may not apply to every system.

1. Perform Asset Inventories

Can you account for all your assets? In order to protect your environment, you must be aware of what you are protecting. If you have not already or recently done so, now is the time to take inventory and identify your assets. Know the items on your network and what they each do.

2. Assess Risks

This is the time and place to be risk-averse. Once you inventory your assets, it is time to identify vulnerabilities or security gaps. An assessment will help you know and prioritize the risks in your environment based on a likelihood of an attack or threat. In complying with America's Water Infrastructure Act, many systems used the U.S. Environmental Protection Agency's Vulnerability Self-Assessment Tool, but other options exist, offered by consultants or technical assistance providers.

3. Minimize Control System Exposure

What happens in your environment stays in your environment. One way to help protect your control system environment is to keep it isolated. However, what might be desirable and what is practical do not always align. There are steps that can be taken to minimize exposure such as network segmentation, traffic restrictions, and encrypted communications for starters.

4. Enforce User Access Controls

Not everyone can be a VIP. In this case, the more the merrier is not a good thing. Limiting control system access and privileges to only those necessary is technically an easy and valuable fundamental to implement. WaterISAC encourages utilities to also follow other related access restrictions such as requiring strong passwords, using multifactor authentication, and deploying secure remote access solutions.

5. Safeguard from Unauthorized Physical Access

Finders keepers. It may seem elementary to point out that physical access to your IT and OT environments should be limited but doing so is sometimes overlooked. Ensure there is a physical security defense in place around the buildings and rooms that contain your IT and OT equipment. These defenses can include security personnel, locked doors, fencing, and cameras. Grant physical access only to those who need it to successfully complete their job functions.

6. Install Independent Cyber-Physical Safety Systems

Think through it all. If you can think of a worst-case scenario for your utility that can be triggered by abuse of the control system, that means an adversary can probably do the same thing. To keep the imagined worst-case scenario at bay, WaterISAC encourages systems to protect their assets from cyber-physical threats. Take preventative steps from these blended attacks by installing non-digital engineering solutions to block or reduce consequences.

7. Embrace Vulnerability Management

It is never too late to address your flaws. WaterISAC advises catching flaws or vulnerabilities before they are exploited by others. This type of management is an ongoing effort to identify vulnerabilities and address them as appropriate with patches and other mitigations. Vulnerabilities never sleep and take many forms.

8. Create a Cybersecurity Culture

Don't have the weakest link. Every employee is responsible for the effectiveness of their utility's cybersecurity. Leadership needs to take charge to ensure all employees are aware, being supported, and are provided with ongoing training. A weak link when it comes to awareness can let threats go unnoticed and even unintentionally open the door to insider threats.

9. Develop and Enforce Cybersecurity Policies and Procedures

Know the rules, understand the rules, and follow the rules. Water systems should keep their cybersecurity policies and procedures clear, actionable, and updated. Known as "governance," policies and procedures evolve and conform to changing utility security needs. Once adopted, policies and procedures should be communicated, distributed, and understood by all staff.

10. Implement Threat Detection and Monitoring

This is a good time to look for red flags. You know your systems — their patterns, design, and normal activity. Threat detection and monitoring requires logging and having systems watch for malicious patterns or abnormal behavior that may indicate an active threat. Understand your baseline and ensure continuous logging.

11. Plan for Incidents, Emergencies, and Disasters

This isn't a drill. With the sector currently on high alert, utilities need to ensure there are plans in place for any incidents or emergencies that come your way. Keep continuity and resilience in mind when planning your cyber incident response or disaster recovery plans. Most effective plans are not done in a silo, they are done in collaboration with other members or departments to ensure a cohesive, unified response. Be sure to include a manual operations plan to maintain water and wastewater service if a control system fails for any reason.

12. Tackle Insider Threats

We can't all be perfect. Malicious or not, insider threats come down to the people. Insider threats can be the most innocent and unintentional action of a staff member, which adds to the importance of clear policies, procedures, and adoption of a cybersecurity culture. For those insider threats that come from a place of malice, staff should be aware of behavioral changes and have a safe place to share those observations and concerns.

13. Secure the Supply Chain

Keep it real and know your partners. Maintaining system operations requires consultants, vendors, contractors, suppliers, and others who you will need to lean on and trust. Remember attackers are aware that smaller businesses may not be as secure and may use a supply chain vulnerability as an entry point. It is important to include the people and items of your supply chain in your ongoing risk assessments and vulnerability testing.

14. Address All Smart Devices

Just assume your cellphone is listening. We all know that a moment away from our cellphone or tablet can feel like a lifetime. However, these devices that we all view as our safety nets present security challenges and risks. Devices that are connected to your network can act as a gateway for the exploitation of your industrial control systems. Don't forget that smart devices should be included in all training, asset inventory, vulnerability assessments, etc.

15. Participate in Information Sharing and Collaboration Communities

Learn to play in the sandbox together. We all have been taught sharing is caring. We cannot stress enough the importance of information sharing and collaboration — the good, the bad, and the ugly. We can all learn from each other and the more that is shared, the more the sector benefits. As we said in the beginning, size doesn't matter; we are all fighting the same cyber threats and we all provide a daily necessity. Sharing will make us stronger.