Protect production, workers and intellectual property by maintaining cybersecurity with these best practices.
By Dave Perkon, Contributing Writer
It's simple. To verify cybersecurity, policy and procedures need to be put into place, Defense-in-Depth (DiD) needs to be established, and best practices need to be followed. One word should come to mind when it comes to cybersecurity: protect. Protect the integrity of production, the safety of people and the confidentiality of intellectual property.
And while not as robustly funded as their counterparts in private enterprise, even small, district-level water treatment plants are part of the nation’s critical infrastructure. As such, cybersecure policies and procedures must be taken seriously.
In the 2016 Assessment Summary Report by the U.S.’s National Cybersecurity and Communications Integration Center (NCCIC), the water and wastewater segment comprised 43% of the assessment, “a significant sample from which to draw conclusions,” says Jeffrey Gray, deputy chief, Control Systems Training Section of the National Cybersecurity Training & Exercise Center of Excellence, during a presentation at the 2018 Rockwell Automation TechED event in San Diego.
"For the last three reports, the top cybersecurity weakness was boundary protection between industrial control systems and enterprise networks,” says Gray. “The rapid growth of the Internet of Things will make a much larger attack surface, including Internet-connected devices and mobile devices, which can complicate detection."
Unnecessary functionality was second on the list of cybersecurity vulnerabilities cited in the report. "Decrease the vectors for malicious access to critical systems," Gray recommends. "Shut down functionality that is not needed. Limit your profile to an attacker. Then you want to understand where all your traffic on your network is going and narrow that traffic lane so nothing is talking to something it doesn't need to, and the traffic is only moving in the direction you want."
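The traffic-lane check Gray describes, as an added example that is not from the article or from NCCIC: it takes connection records and a list of allowed zone-to-zone lanes, then reports any connection that crosses a boundary without an allowed lane or runs against an allowed lane's direction. The subnets, the allowed lanes and the sample records are constructed for illustration.

```python
import ipaddress

# Constructed zone map (assumption): replace with the site's real subnets.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("172.16.5.0/24"),
    "control": ipaddress.ip_network("192.168.50.0/24"),
}

# Allowed lanes (assumption): (initiator zone, responder zone, protocol, port).
# Direction matters: nothing here lets another zone initiate into "control".
ALLOWED = {
    ("control", "dmz", "tcp", 443),
    ("enterprise", "dmz", "tcp", 443),
}

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in ZONES.items() if ip in net), "unknown")

def audit_flows(flows):
    """Return (flow, reason) for each cross-zone connection outside ALLOWED."""
    findings = []
    for src, dst, proto, dport in flows:
        lane = (zone_of(src), zone_of(dst), proto, dport)
        if lane[0] == lane[1] and lane[0] != "unknown":
            continue  # same-zone traffic is out of scope for the boundary check
        if lane in ALLOWED:
            continue
        if (lane[1], lane[0], proto, dport) in ALLOWED:
            reason = "wrong direction for an allowed lane"
        elif "unknown" in lane[:2]:
            reason = "endpoint outside any defined zone"
        else:
            reason = "no allowed lane for this zone pair and port"
        findings.append(((src, dst, proto, dport), reason))
    return findings

# Constructed connection records: (initiator, responder, protocol, dst port).
SAMPLE_FLOWS = [
    ("192.168.50.10", "172.16.5.20", "tcp", 443),    # control -> dmz, allowed
    ("172.16.5.20", "192.168.50.10", "tcp", 443),    # dmz -> control, reversed
    ("10.10.3.7", "192.168.50.11", "tcp", 502),      # enterprise -> control
    ("192.168.50.12", "203.0.113.9", "tcp", 80),     # control -> outside address
    ("192.168.50.10", "192.168.50.11", "tcp", 502),  # inside control zone
]

for flow, reason in audit_flows(SAMPLE_FLOWS):
    print(flow, "->", reason)
```

The records are assumed to be connection initiations (initiator first), which is what lets the check distinguish a lane from its reverse.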
Help for Those Getting Started
For smaller water and wastewater utilities, and others that need help getting started on their cybersecurity journeys, the United States Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) have a lot to say about cybersecurity best practices. These CERTs and other teams were brought together to form the NCCIC several years ago.
According to its website, the NCCIC analyzes cybersecurity and communications information; shares timely and actionable information; and coordinates response, mitigation and recovery efforts. The NCCIC can help get you started in cybersecurity beginning with a threat assessment, so get a team together and start with the basics.
"Anyone looking for a magic bullet for cybersecurity — the three or four things you can do to secure everything — the reality is that it is a process," says Gray. "It's risk management, which is a process. You can identify what threat actors are doing or have done in the past; what the majority of vectors they have used to get into the systems have been; but it's really about the day-to-day understanding of what those vulnerabilities are and working to close them. The NCCIC encourages working in the risk avoidance area."
The statistics and field work have borne out some very simple results. "We see that the No. 1 vulnerability from year to year is boundary protection between control systems and enterprise networks," he notes. "The No. 1 way overall for system intrusion is phishing attacks."
Phishing essentially is social engineering — the psychological manipulation of a person to perform a specific action or reveal confidential information. It may take the form of luring a victim to click a link or plug in a USB device, pretexting false information to get at privileged information or using scareware from a legitimate-sounding company alleging that your computer is infected and a download is required. Elicitation techniques, gathering requirements through a variety of methods without creating suspicion, also may be used.
"There are many examples of attacks or entry into ICS networks that are stopped at the enterprise level," he explains. "That's a good thing. The boundary protection works. If you look at the Shamoon virus that was used against Aramco in 2012, it wiped out 30,000 computers on the IT networks, but it didn't get into their control systems. And that was their target. In the final analysis, their defense worked, they held on to the castle using defense in depth."
Cybersecurity is needed everywhere due to cascading effects. For a water utility application, for example, attacking the supply chain can cause serious problems. If daily additives are not available because the supplier is shut down, it's as effective as taking out the water source.
"There are many different attack vectors, and that's why NCCIC and DHS do regional assessments where they look at cascading effects across the region and interdependencies," says Gray. "You may concentrate on one player, but you must understand everything."
Assessment Tools Available
Cascading effects and interdependencies always will exist. "We like to say that if you have a supply chain on which you are dependent, you should hold your suppliers and contractors to the same cybersecurity standards that you hold yourself to," says Gray.
"The scale doesn't matter. I have walked into places where the one overworked man or woman is the control system engineer, the electrician and the IT guy. The NCCIC can do a lot to help them through the products and information we have available. There is information out there that can help everybody, but it's hard when you are out there all alone," Gray explains.
"The Cyber Security Evaluation Tool (CSET®, https://cset.inl.gov) can help to evaluate an organization’s security posture," he adds. "You and your team sit down and start answering standards-based questions. When you are done, if you were honest, you will have useful results. If you have people who are afraid for their jobs, you may get garbage in, garbage out."
The CSET will create an executive-level summary that includes a Top 20 list of what should be concentrated on.
The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Putman Media, Inc.