The recently signed America’s Water Infrastructure Act of 2018 is widely viewed as the most significant water infrastructure bill in decades. This comprehensive legislation was designed to authorize $6B in funds to address current water infrastructure projects, scrap $4B in existing development projects deemed unfeasible or no longer viable, and incentivize businesses to buy and use American products, while creating jobs and reducing regulation.
In my previous blog entry, I discussed how digital transformation is changing water and wastewater cybersecurity. In respect to the AWIA, cybersecurity is an even greater point of emphasis.
Some of the key takeaways of the bill include:
- For the first time since 1996, congress authorized the drinking water state revolving fund. These funds give states certainty that they can meet their drinking water needs and repair or replace aging drinking water systems.
- The bill also gives local experts an increased role in prioritizing which projects get built by the Army Corps of Engineers, cutting regulatory “red tape”, and allowing states and cities to decide which projects have the most positive impact on their community (SEC. 1102).
- And significant attention is paid to increased cybersecurity for American water and wastewater infrastructure, with respect to systems risk and resilience. It’s on this subject in particular that I’d like to go into a little further detail.
Water System Risk and Resilience
“In general – Each community water system serving a population of greater than 3,300 persons shall conduct an assessment of the risks to, and resilience of, its system. Such an assessment –
(A) shall include an assessment of –
- the risk to the system from malevolent acts and natural hazards;
- the resilience of the pipes and constructed conveyances, physical barriers, source water, water collection and intake, pretreatment, treatment, storage and distribution facilities, electronic, computer, or other automated systems (including the security of such systems) which are utilized by the system;
- the monitoring practices of the system;
- the financial infrastructure of the system;
- the use, storage, or handling of various chemicals by the system; and
- the operation and maintenance of the system; and
(B) may include an evaluation of capital and operational needs for risk and resilience management for the system.”
– America’s Water Infrastructure Act of 2018
Within the bill, the term ‘resilience’ is defined as,
“the ability of a community water system or an asset of a community water system to adapt to or withstand the effects of a malevolent act or natural hazard without interruption to the asset’s or system’s function, or if the function is interrupted, to rapidly return to a normal operating condition.”
The emphasis not only on the natural hazards but also any malevolent attempts to interrupt the assets system or function marks a first in making a specific distinction for outside threats to water infrastructure, including cyber threats. This also brings to light some of the cybersecurity challenges facing executives, asset owners, operators, IT, and security personnel in the water and wastewater industries today.
Historically, asset owners and plant operators have kept their operational technology networks, those that support plant operations, isolated or siloed from all external networks. However, as water infrastructure has modernized increasingly these operational systems are becoming connected to not only each other, but also corporate networks, the internet, the cloud, etc. It is for this reason that the AWIA requires the new risk and resilience assessments for all providers serving more than 3,300 customers.
AWIA risk and resilience assessments scope reaches far down into the OT network, looking into the resiliency and security of electronic, computer, or other automated systems which are utilized by the system. Some useful questions to ask if you are managing the process network or if you are on the corporate IT team managing the network devices in the process network are:
- Do you know all of the external access points to your network?
- Are there any pivot points in your network?
- Does your network allow remote access?
- Does IT manage any switches, routers, business systems (workstations and servers)?
After you’ve answered these questions, you can start by taking the time to map out all the inbound and outbound connections to and from the process network, then take into consideration the level of risk and impact for each. If you need some help figuring out your risk level and appropriate actions to take, the ISA/IEC 62443 Security Level guidelines are a good place to start.
Prioritizing Operational Risk and System Resiliency
Operational risk has always been a key element in any effective strategy for operational assurance, business assurance, and system resilience. Prioritization is vital to success and should be based on impact to business operations.
- Standards and best practices provide a good starting point for any cybersecurity program
- Operational risks are not about data, they are about maintaining operational functions
- Security controls should be selected to address identified operational risks
In some cases, the unique requirements of an OT environment may not line up well with some traditional IT system resilience tools. Data backup is a good example. In OT environments, downtime can result in lost production. For example, delivering clean drinking water, generating electricity, or even an assembly line in manufacturing. Data backup’s purpose is to get your systems back up and running, but you may have already lost critical production time. Which is part of the reasoning behind defense in depth – building layers of protection into your environment so that if one fails, the others will still prevent threats from reaching the most critical systems.
ICS cybersecurity programs should always be part of broader ICS safety and reliability programs across all water and wastewater technology infrastructure, because cybersecurity is essential to the safe and reliable operation of modern industrial processes. Threats to control systems can come from numerous sources, including hostile governments, terrorist groups, disgruntled employees, malicious intruders, complexities, accidents, and natural disasters as well as malicious or accidental actions by insiders.
Whether it is a water utility looking to increase the security posture of the SCADA network, a electric utility looking to protect historical data, or a municipality looking to securely transfer data across an “air-gap” or DMZ to the corporate IT network, ICS security objectives typically follow the priority of availability and integrity, followed by confidentiality (Stouffer et al., 2018)
Over time, the scope of the use cases has evolved to incorporate increased operational resiliency. For example, high availability for a data historian, in order to provide a level of redundancy to address the risk associated with a single point of failure.
Another great example is secure remote monitoring with no backchannel back into the process network, via data diode, to mitigate the risk associated with firewall misconfiguration, a compromised device, or human error. For those situations where vendor support or expertise is needed, and can be provided via phone or helpdesk, remote monitoring of HMI Screens and other operational data sources can be critical to correct an issue in real-time. A few great opportunities for secure remote monitoring are when a site is inaccessible due to remote location or even safety concerns.
Operators are looking to protect the most critical assets in their process network from being compromised from external threats, in doing so they are also looking to increase operational resiliency. Owl Cyber Defense has protecting critical infrastructure for over 10 years. We provide our customers with the ability to deploy a hardware-enforced one-way transfer for critical data flows. If you are looking to learn more about data diode cybersecurity solutions for water and wastewater, check out www.owlcyberdefense.com/network-security-solutions.
- America’s Water Infrastructure Act of 2018
- Stouffer, K., Pillitteri, V., Lightman, S., Abrams, M. and Hahn, A. (2018). Guide to Industrial Control Systems (ICS) Security. [online] Nvlpubs.nist.gov. Available at: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-82r2.pdf [Accessed 28 Nov. 2018].