How utilities can be confident in their cybersecurity posture

Operational preparedness and a good cybersecurity management program will build in the layered protection water and wastewater utilities need to combat cyber threats.

Designed for water and wastewater utilities seeking to secure their systems and acquire funding for further defense, Secure Systems: Fortifying Cybersecurity for Utilities is a series of articles addressing the unique challenges utilities face when establishing robust cybersecurity.

Calls for cybersecurity awareness at water and wastewater utilities have increased, and incidents of cybersecurity attacks have made national headlines. It’s no surprise that the U.S. Environmental Protection Agency (USEPA), National Security Agency, and Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), alongside the American Water Works Association and other prominent industry organizations, have publicized calls to action and guidance. One of the most notable recent examples is USEPA’s letter to all U.S. Governors.

The market has responded as well, by providing cybersecurity tools. A number of software as a service (SaaS) products and cybersecurity appliances offer protection for operational technology (OT) networks and infrastructure.

That’s good news for utilities. But can these technology tools address all of your cybersecurity needs and provide robust, enduring protection for your utility? The short answer is no. While you may find that one of the current cybersecurity products is a good fit for your utility, that single tool alone cannot ensure your network and operations are fully protected. So, how can you protect your utility and determine which tool you might need and how best to use it?

A comprehensive risk assessment process, partnered with product implementation, is the answer. This process is the first step in a cybersecurity management program, specifically for your OT Supervisory Control and Data Acquisition (SCADA) networks, that builds in a security lifecycle including policies, procedures, regular reviews, and audits.

This OT cybersecurity program management approach is different from an Information Technology (IT) cybersecurity approach. It has to be, as it is focused on operations SCADA systems and industrial networks, which use completely different communication protocols and exhibit different traffic behavior than typical IT networks. But this approach can help IT teams too, as the assessment can uncover and identify device vulnerabilities that fall under the purview of IT, essentially supplementing IT efforts to identify areas of concern.

The benefit is worth the effort: once you’ve established a good cybersecurity management program and are operationally prepared, you can be confident in your overall cybersecurity posture. And you can be confident that you’re making the best use of the limited resources you have for cybersecurity.

No doubt, developing and maintaining a cybersecurity management program can sound intimidating, and it can seem simpler to just buy a SaaS cybersecurity product or appliance and hope for the best. But building in layers of defense and, in the process, finding the best tools to enhance that defense can be done by following a straightforward, step-by-step process that becomes a cybersecurity improvement cycle.

Step 1: Know what's on your network with a full system assessment

Look in every control panel. Develop a complete list of every asset on your network. Collect information about firmware versions and software versions of your assets. Know what backup programs and configurations you have on all of these assets. Know the configurations of switches and firewalls. Document all of it.

It can be tempting to assume that if the only connection to your network is behind a firewall monitored by your IT department then there’s no need for a full risk assessment. But you don’t know what you don’t know.

For example, your utility may have a package system or vendor-supplied system with its own skid-mounted unit and PLC control panel. These can come with unsolicited VPN cellular modems provided by the manufacturer or vendor. The modems are there to make it easier for the vendor to legitimately monitor and service the equipment remotely. But often, the vendor hasn’t asked for permission to include this device, or the modem hasn’t been noted. This can potentially create a backdoor into the network for malicious actors and increase the attack surface of your system.

How? The vendor may not have ill intentions, but it’s possible that their network is not secure. They could be using an infected computer and not realize it. Ultimately, this creates another entry point into the network that needs to be evaluated, monitored, and managed. That’s just one example of a liability that might go undetected and why it’s a good idea to do a complete risk assessment.

Once the examination of the system is complete, score the criticality of items on the network. Assess, process by process, the worst-case scenarios. What would happen if someone were to hack into this process and control it? What are the risks? And what is the actual risk tolerance of your specific utility?

It’s not uncommon for utilities in the same industry to have different risk tolerances. For example, a utility that has a remote pump station with a telemetry network allowing for monitoring, control of pumps, and control of other large equipment from the plant SCADA system might consider the risk associated with this site to be very high, since the potential impact could be significant. A different utility with a similar remote pump station, but one that only monitors via telemetry - with no control abilities - might consider the risk much lower, since if that portion of the network were to be compromised, the overall impact would be less.

Even similar risk tolerance between utilities will come with nuance and subjectivity. During the assessment process, tolerance to risks from various threats and vulnerabilities must be considered and quantified on an individual basis to determine resource allocation. If the worst-case scenario for a compromised asset only results in a few thousand dollars in estimated damages, does it make sense to spend tens of thousands protecting it?

After assessing and answering questions about risks and risk tolerances, you can identify the gaps you need to fill to reach your target security level.

Step 2: Implement the necessary countermeasures you’ve identified

This is when you can procure the necessary software protection or appliance. Or perhaps you don’t need any new hardware or software, and just require policy or procedural changes. For example, you might need to establish a procedure for a ransomware event or situation in which the operator notices that someone might be in the system. What’s the next step? Who does the operator notify? What should be done if it’s determined that the PLC or server has been compromised? And so on.

Once new policies and procedures have been clearly documented, it’s time to run scenarios or tabletop exercises to practice the steps so that if an incident occurs everyone is prepared and knows what to do.

Step 3: Maintain

Once you’ve implemented your new solutions or made policy changes to complete the plan of action built in response to your assessment, it’s time to monitor the network.

This includes periodic reviews, audits of existing policies, and reassessments. It also includes performing regular network packet captures and manually reviewing for obvious red flags. Your policies should govern the frequency and level of detail of these reviews.

A good cybersecurity management program is a continuous cycle. When should you start the cycle over? Any incident, regardless of how minor it is, should trigger a reassessment. It may be that you only examine the specific system area affected and keep it internal. Or you may reassess the entire system. Your cybersecurity management program governance documents should dictate this.

After you reassess, implement solutions for the issues found in the reassessment. Then continue to maintain. Even with no incidents, planning for a reassessment and restarting the program cycle every two years is recommended.
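As an added example (not from the article or Garver), this Python sketch ties Step 1 to Step 3: a constructed asset register with a criticality score and the damage-versus-countermeasure-cost question, then a review of a constructed capture summary against that register. The Modbus/TCP port 502 "approved master" rule, the addresses and the dollar figures are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    """One row of the Step 1 asset register (all values constructed for this example)."""
    name: str
    ip: str
    firmware: str
    controls_process: bool       # can operate equipment, not merely monitor it
    has_backup: bool             # a current program/configuration backup exists
    vendor_remote_access: bool   # e.g. an unrequested vendor cellular VPN modem
    worst_case_loss_usd: int     # estimated damage if this asset were taken over

def criticality(a: Asset) -> str:
    """Worst-case impact score: control capability and an extra entry point
    weigh most; a missing backup adds to recovery cost."""
    score = (2 if a.controls_process else 0) + (2 if a.vendor_remote_access else 0)
    score += 0 if a.has_backup else 1
    return "high" if score >= 2 else "medium" if score == 1 else "low"

def worth_protecting(a: Asset, countermeasure_cost_usd: int) -> bool:
    """Risk-tolerance check: spend only where the worst case exceeds the cost."""
    return a.worst_case_loss_usd > countermeasure_cost_usd

def review_flows(inventory, flows, modbus_masters):
    """Step 3 review of a capture summary: flag sources absent from the register
    and Modbus/TCP (port 502) sessions not from an approved master (assumed rule)."""
    known = {a.ip for a in inventory}
    findings = []
    for src, dst, port in flows:
        if src not in known:
            findings.append(f"unknown host {src} talking to {dst}:{port}")
        elif port == 502 and src not in modbus_masters:
            findings.append(f"unexpected Modbus master {src} -> {dst}")
    return findings
# Constructed register and (src, dst, dst_port) flows summarised from a capture.
INVENTORY = [
    Asset("SCADA server", "10.10.1.10", "n/a", True, True, False, 250_000),
    Asset("Pump station PLC (control)", "10.10.2.20", "v2.4", True, True, False, 120_000),
    Asset("Lift station RTU (monitor only)", "10.10.3.30", "v1.1", False, True, False, 4_000),
    Asset("Vendor skid PLC", "10.10.4.40", "v3.0", True, False, True, 80_000),
]
FLOWS = [("10.10.1.10", "10.10.2.20", 502),   # expected SCADA polling
         ("10.10.4.40", "10.10.2.20", 502),   # skid PLC reaching the pump PLC
         ("10.10.9.99", "10.10.1.10", 3389)]  # host nobody inventoried
if __name__ == "__main__":
    for a in INVENTORY:
        print(f"{a.name}: {criticality(a)}, protect for $20k? {worth_protecting(a, 20_000)}")
    print(review_flows(INVENTORY, FLOWS, {"10.10.1.10"}))
```

The monitor-only RTU scores low and fails the $20k spend test, mirroring the article's "few thousand versus tens of thousands" question, while the vendor skid with its undocumented modem scores high and also shows up in the capture review.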

How Garver can help

Garver can provide cybersecurity risk assessments and help you establish an effective, comprehensive cybersecurity management program. We have experts certified in ISA/IEC 62443 Cybersecurity Standards for Industrial Automation and Control Systems, and our dedicated Instrumentation & Control (I&C) and SCADA design teams have years of experience designing and developing SCADA and OT network architecture, giving them a deep understanding of the requirements and nuances that come with OT networks.

Guided by a defense-in-depth approach, which goes further than simply preventing bad actors from getting into your network, our team can help you identify the countermeasures needed to make it much more difficult for any bad actor to move around in your system without being detected. The longer it takes them to act post-intrusion, the more time you have to detect them and respond before they can do damage.

A perimeter firewall is good, but don’t let it create a false sense of security. If it’s easy for someone to move around in the system once they get past the firewall, that’s a liability.

Building a layered cybersecurity defense instead of hoping to rely on an “impenetrable wall” provides utilities the security they need. Developing the policies and procedures to guide incident response and recovery provides utilities additional confidence in their cybersecurity. And finally, implementing and maintaining this kind of cybersecurity management program helps ensure that resources are allocated efficiently and effectively, minimizing risk and liability where it matters most.