What does a human need to survive? Typically, the first two items are food and water followed by a place live. Most of us take for granted that our water supply is always safe and drinkable. As such a vital resource, one would think that the critical infrastructure that purifies and monitors water must be completely secure at all times.
Unfortunately, that is not always the case. Take the classic hacker case of the
Maroochy water plant in Queensland, Australia, for instance, where sewage was released into local waterways over a three-month period.
This event triggered government entities to become involved. The Australian Department of Communications, Information Technology and the Arts (DCITA) launched an effort to investigate the potential risks to
SCADA systems and began holding a series of instructional workshops across the country regarding security mitigation and risk management. The workshop utilized known techniques such as defense-in-depth strategies.
In the United States, governments and utilities were paying attention to the fact that critical infrastructure should not be taken lightly. In 2013, President Obama issued
Executive Order 13636 – Improving Critical Infrastructure Cybersecurity. One of the more interesting
actionable items is:
Sec. 8. Voluntary Critical Infrastructure Cybersecurity Program. (a) The Secretary, in coordination with Sector-Specific Agencies, shall establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities (the "Program").
The question then becomes: how do we identify and implement some mechanism to protect critical infrastructure? By “we,” I mean the utility trying to build a security posture with no prior knowledge.
In the case of the power transmission and distribution world, there are hard requirements to meet known as the
NERC CIP requirements. These are put in place to protect the United States’ electrical grids.
In contrast to NERC CIP, the American Water Works Association (AWWA) is meant for guidance rather than enforcing compliance. AWWA builds the Cybersecurity Guidance document outlining key categories of importance for water/wastewater. The document, as outlined in the Executive overview, is “to provide water sector utility owners/operators with a consistent and repeatable recommended course of action to reduce vulnerabilities to cyber-attacks.”
A few of these categories include access control, application security and encryption. As a quick example, the document breaks down some of the recommended practices for water sector security:
The AWWA has also created a cybersecurity tool that allows Water/Wastewater entities to select use cases that mirror their organization. Based on their selection, the tool will then identify specific mitigation options and a priority of which items to implement. An analysis of the mitigation is also performed against pre-existing standards; in so doing, it provides a more comprehensive description of how to implement the control.
As an example, one set of use cases is related to PLC programming and maintenance. (There are many other categories.):
(Image from:
https://www.awwa.org/Portals/0/files/legreg/documents/AWWACybersecurityguide.pdf)
Once the user has selected specific use cases that apply to their SCADA system, the tool outputs descriptions and security considerations. For example, if the user had selected “PLC3: Remote PLC programming and maintenance,” the table includes:
As we all know, there should never be a direct remote Internet link to a PLC, contrary to
Shodan outputs.
The beauty of the guidance document AND the guidance tool is that they both outline common use cases and examples that apply to not only water/wastewater configurations, but the same use cases can also be found in the oil and gas industry; the machine builder industry; and the power transmission and distribution industry. Having actionable items makes it a lot easier to pick the “low-hanging fruit” and apply tangible changes to a pre-existing network.
These requirements are built off of many robust reference standards, including NIST, ISA, and ISO. This means that a lot of thought and proven success has gone into the guidance outlined by the AWWA document and tool.
One of the recurring themes I hear from customers is, “Where do I start? I have looked at all these documents but don't really know what devices I need to buy or how to begin securing my network.”
I think the AWWA guidance tool and document for water/wastewater gives tangible first steps to take and elements to think about when going down the security posture path.
About the Author: Erik Schweigert leads the Tofino Engineering team within Belden's Industrial Cybersecurity platform. He developed the Modbus/TCP, OPC, EtherNet/IP modules and directed the development of the DNP3, and IEC-60870-5-104 deep packet inspection modules for Tofino security products. His areas of expertise include industrial protocol analysis, network security, and secure software development. Schweigert graduated with a Bachelor of Science in Computer Science from Vancouver Island University.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
