10 Practical Steps to Reduce SCADA Cybersecurity Risk
By: Jim Schultz, Principal Consultant, Global Industrial Cybersecurity, Black & Veatch
The complexities of cybersecurity can impede a water utility’s ability to initiate new projects with confidence. This article describes 10 practical cybersecurity recommendations utilities can use to kick-start their risk reduction efforts for their supervisory control and data acquisition (SCADA) system. To be clear, there are certainly more than 10 recommendations, and our discussion points below only begin to scratch the surface of the subject matter. But the odds are very good that these ideas represent significant opportunities for utilities to reduce their risk.
No. 1: Network Segmentation. The first problem to solve usually is preventing communications between network endpoints that don’t really need to communicate. The simple answer: network segmentation. A good analogy is the bulkhead of a large ship. If one compartment is compromised, the entire ship doesn’t go down. That’s ultimately what we want – smaller networks that resist attacks. A best practice is to physically separate information technology (IT) and SCADA local area network (LAN) infrastructure. Why? Well, we don’t want mission critical traffic on port 1 of an Ethernet switch and Internet traffic on port 2; that’s too close for comfort. Another best practice is to make sure other often off-site, centrally managed systems like HVAC, card access and security video are part of the IT network, not on the operational technology (OT) network.
No. 2: Boundary Protection. Network segmentation is a great place to start, but the ingress/egress points of the networks also must be protected. Routers, at the network boundary, are required for network-to-network communications. Routers allow traffic by default and work tirelessly to make external connections. Firewalls do just the opposite – they deny traffic by default and allow only by exception. This is where cybersecurity resources focus a lot of their attention. The goal is to minimize network-to-network traffic and still meet business objectives. Any traffic allowed through the boundary is analyzed, fully understood and vetted as essential for business. In this manner, the utility knows and accepts the associated risk.
No. 3: Employ an OT-DMZ. Most cybersecurity guidance recommends the use of an OT-Demilitarized Zone (OT-DMZ), which is a buffer network between the IT and SCADA networks. This buffer network contains servers, which are used as intermediaries or “pivot points,” providing a functional interface between IT and SCADA networks without a direct network connection. These interfaces can support remote access, read-only Web portals, historians, software updates, alarm notification relays, backups and more.
No. 4: Use Recommended Remote Access Methods. Poorly configured remote access solutions are often linked with cyberattacks. The free guidance referenced above (No. 3) recommends a “jump server” in the OT-DMZ to closely monitor and control remote access. A remote user first logs into the IT network using a virtual private network (VPN) connection, opens a remote desktop connection to the jump server, and then opens a second remote desktop connection to a SCADA network endpoint. The jump server acts as a pivot point that prevents a direct network connection between IT and SCADA.
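The segmentation, boundary-protection, OT-DMZ and jump-server recommendations in Nos. 1 through 4 all reduce to one rule set: deny by default, allow only documented exceptions, and never permit a direct IT-to-SCADA flow. The script below is an added illustration written for this article, not a Black & Veatch tool or any utility’s real configuration. It models three hypothetical zones (IT, OT-DMZ, SCADA) with made-up address ranges, encodes each allowed flow together with its business justification, and replays constructed flow-log lines to flag anything the boundary should have blocked. The jump-server rule is pinned to one hypothetical DMZ host so that only that pivot point may reach SCADA over remote desktop.

```python
"""Zone-based boundary policy check (constructed example, not a real utility's policy)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical address plan: each zone lives on its own subnet.
ZONES = {
    "IT":    ipaddress.ip_network("10.10.0.0/16"),
    "DMZ":   ipaddress.ip_network("10.20.0.0/24"),
    "SCADA": ipaddress.ip_network("10.30.0.0/16"),
}
JUMP_SERVER = "10.20.0.10"   # hypothetical jump server in the OT-DMZ


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    justification: str               # every exception is documented and accepted
    src_host: Optional[str] = None   # optionally pin the rule to a single source host


# Allow-by-exception list. Note that no rule permits IT -> SCADA directly;
# remote access pivots through the jump server in the DMZ.
ALLOW_RULES = [
    Rule("IT", "DMZ", 3389, "RDP from VPN users to the jump server"),
    Rule("DMZ", "SCADA", 3389, "RDP from the jump server to SCADA endpoints", src_host=JUMP_SERVER),
    Rule("SCADA", "DMZ", 5432, "Historian push from SCADA to the DMZ replica"),
    Rule("IT", "DMZ", 443, "Read-only HMI web portal in the DMZ"),
]


def zone_of(ip_str: str) -> str:
    """Map an address to its zone name, or UNKNOWN if it is outside the plan."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"


def is_allowed(src: str, dst: str, port: int) -> Tuple[bool, str]:
    """Default deny: a flow passes only if some documented exception matches it."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in ALLOW_RULES:
        zone_match = (r.src_zone, r.dst_zone, r.dst_port) == (sz, dz, port)
        host_match = r.src_host is None or r.src_host == src
        if zone_match and host_match:
            return True, r.justification
    return False, "no matching exception (default deny)"


def audit_flow_log(lines):
    """Parse 'src dst dport' lines and return the flows that violate policy."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = line.split()
        ok, why = is_allowed(src, dst, int(port))
        if not ok:
            violations.append((src, dst, int(port), f"{zone_of(src)}->{zone_of(dst)}: {why}"))
    return violations


# Constructed flow-log sample (not captured traffic).
SAMPLE_LOG = """
# src            dst            dport
10.10.5.7        10.20.0.10     3389
10.20.0.10       10.30.1.50     3389
10.10.5.7        10.30.1.50     3389
10.20.0.99       10.30.1.50     3389
10.30.1.50       10.20.0.20     5432
10.10.8.2        10.30.1.60     502
""".splitlines()

if __name__ == "__main__":
    for v in audit_flow_log(SAMPLE_LOG):
        print("BLOCKED", v)
```

Running the sample flags three of the six flows: the IT workstation that tried to reach a SCADA host directly, a DMZ host other than the jump server attempting the same hop, and IT traffic to a SCADA port with no documented exception. The two legitimate hops through the jump server and the historian push pass, each with its justification attached, which is the “known and accepted risk” the article describes.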
No. 5: Discontinue Use of Mobile Devices and Wi-Fi in OT. There is an adage in cybersecurity: “When convenience goes up, security goes down.” This definitely applies to mobile devices and Wi-Fi. It also is interesting to note the conspicuous lack of SCADA-related guidance available regarding how to secure these solutions. A best practice is to utilize the “business network” Wi-Fi and connect mobile devices to that network. The mobile devices then can access a read-only human machine interface (HMI) web portal in the OT-DMZ for enhanced situational awareness. Allowing control of critical infrastructure using mobile devices is a risk-based decision each organization must carefully consider.
No. 6: Harden Endpoints and Network Devices. Once network segmentation and boundary protection are addressed, we can turn our attention to the devices in the SCADA LAN. The good news is that these devices can last for decades. The bad news is that these devices can last for decades … long after the vendors stop releasing security patches. The end result is the accumulation of vulnerabilities over time, which gives cyber adversaries a menu of attack options once they understand what’s on the SCADA network. Not all automation products support hardening and these should be replaced with more secure alternatives, when possible. There typically are a lot of well-known server, workstation and laptop operating systems and applications that can be hardened by removing unnecessary software and utilizing available security features.
No. 7: Patch Vulnerabilities. From a historical perspective, ransomware attacks on water utilities outnumber all other types of attacks. The top defense against ransomware is patching. Think of “risk” as a mathematical equation, where risk is defined as threat times vulnerability times consequence. We can’t do much about the threat; however, by patching, we can work toward driving the vulnerability variable toward zero. The obvious end result is that risk is also driven toward zero.
No. 8: Implement an Effective Backup Strategy. Your No. 1 response to ransomware is an effective backup strategy. An asset inventory listing all of your OT software and hardware is the perfect start to defining what needs to be backed up, when, how often, the method, etc. Where to store backups also is important. A common recommendation is online (in case of hardware failure), offline (in case of cyberattack), offsite (in case of natural disaster) and redundant (in more than one offsite location). The most important aspect of backups is periodic testing so you can be confident they will work when you need them most.
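The backup recommendation above amounts to a checklist that can be audited against an asset inventory: every OT asset needs an online, an offline and an offsite copy, the offsite copies need more than one location, and every copy needs a recent restore test. The script below is an added example written for this article (not a utility’s actual inventory or tooling); the asset names, locations, dates and the 90-day restore-test window are all constructed assumptions.

```python
"""Backup coverage and restore-test audit over an OT asset inventory (constructed example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

REQUIRED_KINDS = {"online", "offline", "offsite"}   # hardware failure / cyberattack / natural disaster
MIN_OFFSITE_LOCATIONS = 2                           # "redundant": more than one offsite location
MAX_TEST_AGE_DAYS = 90                              # hypothetical policy: restore-test each copy quarterly


@dataclass
class BackupCopy:
    kind: str                          # "online" | "offline" | "offsite"
    location: str
    last_restore_test: Optional[date]  # None means the copy has never been restore-tested


@dataclass
class Asset:
    name: str
    copies: List[BackupCopy] = field(default_factory=list)


def audit_asset(asset: Asset, today: date) -> List[str]:
    """Return human-readable findings for one asset; an empty list means it meets policy."""
    findings = []
    kinds_present = {c.kind for c in asset.copies}
    for missing in sorted(REQUIRED_KINDS - kinds_present):
        findings.append(f"missing {missing} copy")
    offsite_sites = {c.location for c in asset.copies if c.kind == "offsite"}
    if len(offsite_sites) < MIN_OFFSITE_LOCATIONS:
        findings.append(f"only {len(offsite_sites)} offsite location(s); need {MIN_OFFSITE_LOCATIONS}")
    for c in asset.copies:
        if c.last_restore_test is None:
            findings.append(f"{c.kind}@{c.location} never restore-tested")
        else:
            age = (today - c.last_restore_test).days
            if age > MAX_TEST_AGE_DAYS:
                findings.append(f"{c.kind}@{c.location} restore test is {age} days old")
    return findings


def audit_inventory(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Audit every asset and map its name to its findings."""
    return {a.name: audit_asset(a, today) for a in assets}


# Constructed inventory (hypothetical assets, sites and dates).
TODAY = date(2024, 6, 30)
INVENTORY = [
    Asset("scada-hmi-01", [
        BackupCopy("online", "primary-san", date(2024, 6, 1)),
        BackupCopy("offline", "vault-tape", date(2024, 5, 15)),
        BackupCopy("offsite", "dc-east", date(2024, 4, 20)),
        BackupCopy("offsite", "dc-west", date(2024, 4, 20)),
    ]),
    Asset("plc-programs", [
        BackupCopy("online", "eng-workstation", date(2023, 12, 1)),
    ]),
    Asset("historian-db", [
        BackupCopy("online", "primary-san", None),
        BackupCopy("offsite", "dc-east", date(2024, 6, 10)),
    ]),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, TODAY).items():
        print(name, "OK" if not findings else findings)
```

In the constructed data the HMI server passes, the PLC program backup fails on every count (a single online copy on an engineering workstation, last tested 212 days ago), and the historian has an untested online copy and only one offsite site. The point of keeping the check mechanical is that it can be re-run on a schedule, which is how the “periodic testing” in the text turns into evidence rather than intent.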
No. 9: Improve and Automate Access Control. Access control is one of the most important areas of cybersecurity, touching on broad and often complicated concepts such as authorization, authentication, and accounting (AAA). That’s where we find the best practice of “least privilege,” where an employee is given only enough permission to perform his/her job and no more. Account review and off-boarding policy also are very important to prevent disgruntled former employees from accessing systems. When possible, automating this process ensures someone doesn’t leave the organization without access controls being removed. This was relevant in a variety of water sector cyberattacks over the past few years. In other words, your threat is not always terrorists on the other side of the globe – they can be right in your backyard.
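The automation the article calls for is, at its core, a reconciliation between the HR roster and the accounts that exist on SCADA systems: anyone without an active employee record gets disabled, anyone holding more than their role needs gets trimmed back to least privilege, and accounts nobody has used in months get reviewed. The script below is an added example written for this article, not a utility’s or vendor’s provisioning tool; the roles, entitlement baseline, systems, user names and dates are all constructed assumptions.

```python
"""HR-roster to account reconciliation for off-boarding and least privilege (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    user_id: str
    status: str   # "active" | "terminated"
    role: str


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    privileges: FrozenSet[str]
    enabled: bool
    last_login: Optional[date]   # None means the account has never logged in


# Hypothetical least-privilege baseline: what each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "operator": frozenset({"hmi_view", "hmi_control"}),
    "engineer": frozenset({"hmi_view", "hmi_control", "plc_program"}),
    "manager":  frozenset({"hmi_view"}),
}


def reconcile(roster: List[Employee], accounts: List[Account],
              today: date, stale_days: int = 90) -> List[Tuple[str, str, str, str]]:
    """Return (action, system, user_id, reason) tuples for an administrator to apply."""
    by_id = {e.user_id: e for e in roster}
    actions = []
    for a in accounts:
        emp = by_id.get(a.user_id)
        # Off-boarding: no active employee record means the account must not stay enabled.
        if emp is None or emp.status == "terminated":
            if a.enabled:
                actions.append(("disable", a.system, a.user_id, "no active employee record"))
            continue
        # Least privilege: anything beyond the role baseline is revoked.
        extra = a.privileges - ROLE_ENTITLEMENTS.get(emp.role, frozenset())
        if extra:
            actions.append(("revoke", a.system, a.user_id, "exceeds role: " + ",".join(sorted(extra))))
        # Periodic review: enabled accounts with no recent use are flagged, not silently kept.
        if a.enabled and (a.last_login is None or (today - a.last_login).days > stale_days):
            actions.append(("review", a.system, a.user_id, f"no login in {stale_days} days"))
    return actions


# Constructed roster and account export (hypothetical people and systems).
TODAY = date(2024, 6, 30)
ROSTER = [
    Employee("alice", "active", "operator"),
    Employee("bob", "terminated", "engineer"),
    Employee("carol", "active", "manager"),
]
ACCOUNTS = [
    Account("alice", "hmi-server", frozenset({"hmi_view", "hmi_control"}), True, date(2024, 6, 28)),
    Account("bob", "hmi-server", frozenset({"hmi_view", "hmi_control", "plc_program"}), True, date(2024, 3, 1)),
    Account("carol", "hmi-server", frozenset({"hmi_view", "plc_program"}), True, date(2024, 6, 20)),
    Account("dave", "jump-server", frozenset({"rdp"}), True, None),
    Account("carol", "historian", frozenset({"hmi_view"}), True, date(2024, 1, 15)),
]

if __name__ == "__main__":
    for action in reconcile(ROSTER, ACCOUNTS, TODAY):
        print(action)
```

On the constructed data the run disables the terminated engineer and the account with no HR record at all, revokes the PLC programming right a manager should not hold, and queues the manager’s unused historian login for review. Feeding the roster export and account exports in on a schedule is what turns off-boarding from a policy on paper into a control that fires without anyone remembering to do it.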
No. 10: Be Strategic. The previous nine steps were tactical or short-term in nature. To really be in control, you need a long-term SCADA cybersecurity strategy. The best approach is to stand up a governance committee to identify the cybersecurity framework to follow for your utility. There are many, including ISA/IEC 62443, NIST SP800-53, and NIST Cybersecurity Framework, along with numerous guidance documents available from the U.S. Environmental Protection Agency (EPA), American Water Works Association (AWWA), Water Information Sharing and Analysis Center (WaterISAC), Cybersecurity and Infrastructure Security Agency (CISA), FBI and National Security Agency (NSA). Once you have decided on a framework, you can develop policies essential to formalizing your risk tolerance and establish the vision you are trying to realize. An assessment that compares your paper policy to the reality of your SCADA system identifies the gaps you need to fill to achieve your vision. Then it becomes a matter of planning your work and working your plan.
Many of the recommendations presented here are true tenets of OT cybersecurity. If you are just getting started, these ideas will help you meaningfully reduce risk. If you already have momentum, compare your efforts to these recommendations to see if there are any additional opportunities for improvement.
Cybersecurity of OT systems is paramount in today’s industrial world, and efforts spent on true protection and controls will reap multi-fold benefits.