An increasing reliance on technology in water and wastewater infrastructure management has resulted in cybersecurity challenges becoming a significant concern in the sector, and one that must be addressed to ensure a safe and reliable water supply.
As more critical infrastructure is connected to the internet or accessible to staff, it is increasingly targeted by cybercriminals interested in breaching operational technology (OT) networks to lay the groundwork for future attacks.
A cyberattack on water and wastewater treatment facilities can temporarily stop operations and have huge consequences, not only for the water authority and the community it serves, but also the nation’s overall economy.
Risks from legacy technologies and insider threats
Many water infrastructure systems still rely on outdated technology and managers are often under-resourced. Managers must invest in modernising and regularly upgrading their systems and can seek external assistance from cybersecurity experts.
Many employees are also unaware of cyberattack risks, while another threat is current or former employees with malicious intent. Water infrastructure systems are increasingly interconnected and often use third-party vendors and contractors, which makes them more vulnerable to cyberattacks.
Risk mitigation measures
The specific mitigation measures each facility decides to implement will depend on its unique security risks. However, there are some key mitigation measures that most water infrastructure managers should implement as best practice:
Segmentation into zones: This should be practiced in every plant to help limit access to safety systems. For example, a demilitarised industrial zone (IDMZ) with firewalls and data brokers can securely segment the plantwide network from the enterprise network. Also, using virtual LANs (VLAN) and a layer-2 or layer-3 switch hierarchy can create functional sub-zones to establish smaller domains of trust and simplify security policy enforcement.
Physical access: Many organisations use RFID cards to control facility access, but physical access security should go further. Lock-in, block-out devices should be used to prevent the unauthorised removal of cables and to close unused or unnecessary ports. Control cabinets should also be locked to restrict walk-up and plug-in access to the industrial automation and control system devices.
Network-integrated safety and security: CIP Safety™ and CIP Security™ are extensions to the common industrial protocol (CIP), which is the application-layer protocol for EtherNet/IP™. CIP Safety allows safety devices to co-exist on the same EtherNet/IP network as standard devices and enables a safe shutdown during a denial-of-service attack. In addition, CIP Security incorporates data integrity and confidentiality into EtherNet/IP communications.
Asset and change management: Asset management software can automate the discovery of new assets and centrally track and manage configuration changes across an entire facility, including within safety systems. It can detect real-time malicious changes, log those activities and report them to key personnel. If unwanted changes are made, the software can access archived copies of a device program for fast recovery.
Ensuring safety through security
The security landscape is ever-changing, so it’s important to partner with a company that is trustworthy to manage the constantly evolving risk.
NHP works closely with Rockwell Automation and Claroty to provide comprehensive cybersecurity solutions beyond just network security, and its industrial security portfolio and services will help you assess, implement and maintain ICS security within operations and enable transformational technologies that rely on enterprise connectivity.
Organisations that want to stay ahead of these risks must comply with the latest standards, conduct a comprehensive risk analysis and implement risk mitigation measures using the latest technologies.
This sponsored editorial is brought to you by NHP. For more information, contact NHP in Australia on 1300 647 647 or mailto:[email protected] or in New Zealand on 0800 647 647 or mailto:[email protected].