Spotlight on Cyber Security
Municipalities and investor-owned utilities are taking proactive measures to enhance cyber-related aspects of water and wastewater security
Organizations of all types—water and wastewater facilities included—are dialing up security measures as this issue continues to take on increased significance in response to recent events.
One driver of increased security scrutiny is government regulations. The most notable is Title IV of the Bioterrorism Act (Public Health Security and Bioterrorism Preparedness and Response Act) of 2002.
This act stipulates that each community water system conducts a vulnerability assessment of its system to a terrorist attack or other intentional act that disrupts the supply of drinking water, and prepare/revise and maintain an emergency response plan.
Physical security, including fences and perimeter security, guards, procedures, and other similar measures, is one important focus, and certainly the most visible to the average person. No less important are cyber security measures that ensure the integrity of an organization’s financial and/or operational information systems.
While no legislation currently exists regarding cyber security specifically for the water and wastewater industries, municipalities and investor-owned utilities are taking proactive measures to enhance this aspect of water and wastewater security.
Take, for example, the area of process monitoring and control. Over the last few years, the water and wastewater industries have increasingly turned to distributed control systems that go far beyond the basic definition of process control to ensure cleaner, safer water supplies, reduce environmental hazards and deliver significant operational cost savings. There are a variety of tools available to help assure the security of these control systems.
Among them are:
- Hardening, which disables unused ports and services. Because cyber attacks target ports and services, removing those that are not used (e-mail, for example) lowers the
system’s profile and makes it less vulnerable to attack;
- Anti-virus software, which protects a system from
malicious programs spread by unsuspecting users; and
- Intrusion detection systems, which protect a system from cyber attacks from hackers and worms, which are viruses that reside in the active memory of a computer and duplicate themselves, potentially wrecking havoc.
Two important security concepts are: authentication, which identifies the user or host; and/or authorization, which dictates the actions a user and/or host can take. There are a number of approaches where these concepts can be used alone or, more effectively, in combination, to discourage cyber attacks.
One security tactic is password management. The strength of passwords/PINS is based on their length and randomness. Unfortunately, the very thing that makes a password difficult to crack also makes it difficult for the user to remember.
This can be compounded by the need for different passwords to perform various activities or gain access to different programs, not to mention the necessity to periodically change passwords. A variation of password management is known as the challenge/response, in which computers must correctly respond to a question (similar to people using questions like “what was the name of your grade school?” or “who won the 1993 World Series?” to confirm someone’s identity) to gain access to the system.
Another related technique, so called “smart cards,” which must be used to gain access to the system, is also gaining popularity.
However, lost or misplaced cards not only limit the ability for personnel to do their job, but also pose a security concern themselves.
While it may sound like something out of a James Bond movie, biometrics, which read a user’s physical attributes, such as finger prints, facial geometry or retinal signatures, will likely gain ground as the technology continues to improve and the social acceptability of these techniques become more accepted.
Another approach for authorizing users is known as Role Based Access Control (RBAC). In this approach, people are assigned to roles, and their authorization is based on the role.
In today’s work environment, people change positions and companies more frequently than in the past, and this approach is gaining popularity, partially due to its ease of administration. Utilizing the RBAC approach, the role remains constant, despite employee turnover.
However, there are issues and weaknesses to consider. For example, a single sign-on can be difficult with multiple control systems, and because RBAC requires central servers and digital certificates, it may not be supported by legacy systems.
When designing a security program, it is important to keep a number of trade-offs in mind. These include security versus ease of use; security versus the time needed to authenticate; and security versus the ability to operate in an emergency. The key is to put in place a customized solution that meets the security requirements without negatively impacting the ability for employees to efficiently do their jobs.
Of course, technology is just part of the security equation. Cyber security measures are most effective when they also identify and address the human factors that can lead to security breaches.
The first reaction may be to view cyber security from a perspective of protecting operations and processes from intentional, malicious intrusion.
In fact, it is more likely that there is no malicious intent—rather, an employee has let down his guard.
For example, an employee may open non-work-related e-mail messages or give out his password to an unauthorized user.
The best way to address the human side of the equation is training and education. The focus here is to not only ensure employees know the policies and procedures, but that they also think about their actions and understand the ramifications.
Change is constant
When it comes to cyber security, the adage that “the only constant is change” certainly applies. New viruses and other cyber threats require constant vigilance. It is therefore advantageous to factor in security requirements when selecting a distributed control system vendor for water and wastewater facilities.
The control system supplier should continuously and proactively offer product and service enhancements that address different types of cyber security concerns.
To help ensure security offerings meet the real-world security needs of municipalities, look in particular for suppliers that work with existing customers to test and validate new features.
Last but certainly not least, the control system supplier should understand that security is just one of many demands faced by the industry.
With that in mind, the supplier should offer solutions that make complex security issues easy to manage as part of an overall monitoring and control system strategy, ensuring the secure and reliable operation of facilities both today and well into the future.