Implementing cybersecurity best practices has never been more critical for water and wastewater utilities. Recently, the EPA focused new attention on the issue with the launch of its Industrial Systems Cybersecurity Initiative – Water and Wastewater Sector Action Plan, which is driving deployment of technologies that protect against cyber-related threats.
The need for vigilance at water utilities is clear. Yet, a 2021 State of the Water Industry survey of U.S. water utilities found that only 20% of respondents had fully implemented some form of plan to address cyber intrusion.
Designing Security into Your SCADA System
The availability of your SCADA system is critical for monitoring and controlling your systems. With the increasing convergence of OT and IT, paying close attention to who should and should not have access to the data your system provides is more important than ever. Today, UX design involves much more than design and flow; it is now a critical component of effective cybersecurity. That’s why a solid cybersecurity system should be baked into your UI and UX design.
The following are three critical steps to take when designing a system that gives credentialed users secure access to data.
1. Understand all connections and how you can secure them.
Start by identifying all the connection points in your system early in the design process. You can do this by building an architecture diagram that includes all connection points, together with all routers and switches. Then, conduct a comprehensive audit of all connections – to staff, clients, databases, applications, the SCADA system, PLCs, and more – so that you can determine how to encrypt them.
TIP: Applications that are accessed by a client need to use HTTPS. Without the lock that HTTPS provides, your connection is not secure.
When you have a complete understanding of how everything works, you will be better able to set up the firewalls needed to protect the network.
To ensure that your OS is protected, do the following:
- Enable firewalls to restrict network traffic
- Remove any programs that are not needed
- Limit the ports in your system
- Close any ports in the firewall that are not needed (open ports that are not being used are vulnerable to attack)
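As an added illustration of the port checks in the list above (not code from the original article), this Python sketch compares a host's listening TCP ports against an approved list. The sample `ss -tlnH` output, the allowlist and the loopback-only rule are constructed assumptions for a hypothetical HMI server.

```python
import re

# Constructed sample of `ss -tlnH` output (listening TCP sockets, no header).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 5 0.0.0.0:23 0.0.0.0:*
LISTEN 0 128 [::]:502 [::]:*
LISTEN 0 128 *:8080 *:*
"""

# Hypothetical allowlist: port -> documented reason it must be open.
APPROVED = {22: "SSH administration", 443: "HTTPS client access",
            5432: "local historian database"}
# Approved ports that must only ever listen on loopback.
LOOPBACK_ONLY = {5432}

# Local address column: "host:port", where host may be [IPv6], IPv4 or "*".
LOCAL_ADDR = re.compile(r"^(?P<host>\[.*\]|[^:\s]+):(?P<port>\d+)$")

def parse_listeners(ss_output):
    """Return (host, port) for every LISTEN line in ss output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        m = LOCAL_ADDR.match(fields[3])
        if m:
            listeners.append((m["host"].strip("[]"), int(m["port"])))
    return listeners

def audit(ss_output):
    """Return sorted (port, host, reason) findings for ports to review."""
    findings = []
    for host, port in parse_listeners(ss_output):
        loopback = host in ("127.0.0.1", "::1")
        if port not in APPROVED:  # e.g. 23 (Telnet) or 502 (Modbus/TCP)
            findings.append((port, host, "not on allowlist: close or remove"))
        elif port in LOOPBACK_ONLY and not loopback:
            findings.append((port, host, "loopback-only port is network-reachable"))
    return sorted(findings)

if __name__ == "__main__":
    for port, host, reason in audit(SAMPLE_SS):
        print(f"{host}:{port} -> {reason}")
```

On a real host, pass the captured output of `ss -tlnH` to `audit()` and keep the allowlist under change control alongside the architecture diagram.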
TIP: Be sure to keep all your patches and services up to date. There are many automation tools that can help.
Be sure to conduct regular system audits to ensure that you have a detailed understanding of your network traffic and can quickly identify suspicious activity.
TIP: There are many tools that you can use to scan your network and get reports on activity. While they can be expensive, they provide significant benefits, especially as systems become more and more complex.
2. Employ two-factor authentication and single sign-on.
When users access your systems or applications, they should have the highest possible authorization. You can add an extra layer of security by requiring users to provide a password and a second authentication factor on a separate device.
TIP: There are many identity providers that employ industry-leading encryption protocols to support two-factor authentication and single sign-on (SSO), including Ping Identity, Okta, Duo Security, and ADFS.
3. Leverage a DMZ network.
A demilitarized zone (DMZ) network is a perimeter network that keeps the local area network separate from untrusted networks. This provides many benefits, including the improved security that results from preventing traffic from entering various network segments, as well as improved access, control, monitoring, performance, and containment.
TIP: If a risk is identified, you can turn off or eliminate the DMZ and maintain security and local functionality.
Ensure Secure Access to Data
The more critical data becomes to water utility operations, the more you will need to ensure fast and efficient access to that data while keeping your systems secure. The good news is that there is technology available that can help OT and IT work together to take these steps to apply cybersecurity best practices – and to reap the benefits.