As the US federal government turns its attention to securing more of its infrastructure against the rising risk of large-scale cyberattacks, a late January statement from the White House has focused on securing water facilities.
The U.S. Environmental Protection Agency (EPA), the National Security Council (NSC), the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Water Sector Coordinating Council and Water Government Coordinating Council (WSCC/GCC) are taking part in President Biden’s Industrial Control Systems (ICS) Initiative. This is part of National Security Memorandum 5, Improving Cybersecurity for Critical Infrastructure Control Systems.
The Industrial Control Systems Cybersecurity Initiative – Water and Wastewater Sector Action Plan concentrates on high-impact activities that can be surged within 100 days to protect water resources by improving cybersecurity across the water sector. The federal government and critical infrastructure community will help facilitate the deployment of technologies that provide cyber-related threat visibility, indicators, detections, and warnings.
Prior to this, the federal government set out to create new standards and regulations, beginning with the American Water Infrastructure Act of 2018 (AWIA 2018), which called for water utilities to carry out an assessment and develop a response plan.
The United States relies on a decentralized water utility network, putting state, municipal, and city governments in charge of managing their own utilities. While some private companies cover vast regions, it is common to see individual towns and cities manage their own water for their residents.
While these standalone utility authorities allow communities more autonomy and flexibility in their operations, they commonly struggle to pool the critical resources needed to secure their operations against ever-evolving attackers. A lack of standards and regulation presents opportunities for hackers looking to disrupt their delicate Operational Technology (OT) and Industrial Control Systems (ICS). This is especially true at a time when these facilities need remote access and remote operations to remain resilient not only against cyber attacks but also during natural disasters and pandemics.
These fragmented systems open new attack vectors for competitive nation-states, criminals, and terrorists to exploit vulnerabilities in a far more distributed infrastructure. This means water districts and municipalities sharing reservoirs also share risks. For example, water asset owners may be located in rural areas even though they have large water supplies. Being on the periphery makes them less likely to receive government funding early on, relative to larger providers, even though they are more susceptible to cybersecurity attacks because their smaller size leaves them less regulated.
Part of AWIA 2018 recommends monitoring the operational networks at water utilities. Continuous monitoring, anomaly detection, incident management and reporting, and remediation planning are vital to remaining compliant. These clearly defined deliverables will aid in protecting the water infrastructure for people throughout the country. An effective ICS/SCADA protection plan requires comprehensive identification and mapping of all devices, connections, ports, and other network assets. Only then will utility providers be able to detect vulnerabilities and exposures and assess them in terms of severity and potential impact if compromised.
Devising an ICS protection plan can be a daunting task. There’s no one-size-fits-all solution, and in many cases, operators have incomplete visibility into their networks.
It’s critical to partner with an MSP organization to save time and resources in implementation. This allows water utilities to immediately address the vulnerabilities they face in their systems today. Strengthening a facility’s cybersecurity posture is not just a large technical load; without the right mixture of partner and toolset, it also carries a significant risk of project failure. Resources are too critical to rely on the educated guesswork of industry veterans and experts.
Some companies in the field, such as Radiflow, work around the globe on similar issues. While some systems and regulatory protocols may vary by region, the global cybersecurity threat landscape demands the same level of protection regardless of location. Radiflow has helped facilities managers protect their IT environment by introducing the same digitally mirrored virtual environments commonly used in the IT world to prepare teams to mitigate and manage future threats.
The golden opportunity presented by the current US administration is a once-in-a-lifetime chance for managers of critical utility sites to secure themselves today and into the future.