Utilities can mitigate cybersecurity risks by taking a proactive approach that extends beyond regulatory compliance and by integrating security controls.
By Umair T. Masud, senior consultant, Network & Security Services business, Rockwell Automation
A hacker, set on wreaking havoc, gains access to the local water supplies by manipulating critical equipment and contaminating drinking water.
This isn’t the latest action movie; it’s a serious threat that water utilities work to protect against every day.
Massive cybersecurity breaches make news headlines on a regular basis. These constant reminders of potential system vulnerability can be particularly troublesome to those charged with safeguarding the public’s water supply.
With limited staffs and budgets, utilities must often postpone comprehensive upgrades, evolve their industrial control systems (ICS) and IT infrastructure slowly, and rely on external expertise.
Still, water utilities can take steps now to better mitigate risk through a proactive approach that extends beyond regulatory compliance and makes ICS security part of the utility master plan.
Change the Mindset
Utilities tend to view any initiative related to ICS and IT as a “project” and take a project approach to implement passive cyber defenses, such as firewalls and email filters. But when it comes to cybersecurity, a “set-it-and-forget-it” project mentality can be dangerously limiting.
Cyber threats are continually evolving and escalating and can impact every aspect of a utility. To be truly effective, cybersecurity must be based on an agile and active defense strategy that extends through every project in parallel with all business operations.
It’s time to change the mindset: Cybersecurity is an ongoing process, not a project.
Lay the Foundation
Water utilities often have a high volume of critical assets plus complicated governance, making the scope of an ICS security program seem daunting. Regardless of infrastructure size or complexity, all utilities face similar challenges, and can deploy a common, proven methodology to mitigate risk. That methodology must:
- Begin with an assessment of business needs and the specific operational requirements of the process control system.
- Identify critical assets and data that are essential to operation.
- Support asynchronous technology and business change.
- Recognize that no single product or technology will fully secure industrial networks — the most secure posture will always require people (analysts).
- Utilize a Defense-in-Depth (DiD) strategy based on multiple countermeasures that spread risk across a combination of security mitigation techniques.
Get Executive Buy-In
Identifying the right team to support and execute this methodology is critical. To be effective, this team must be endorsed at the executive level, and include expertise encompassing both the ICS and business level networks.
Ideally, this team will be charged with formalizing and executing the policies and procedures that will guide the utility on cybersecurity issues for years to come.
Set Strategic Priorities
Assessments are the starting point for any cybersecurity program. Through an assessment, a utility can determine what is “normal” from the standpoint of data entering and leaving the system. This is a crucial first step to identifying abnormalities and potential security events.
In addition, an assessment evaluates a utility’s security practice architecture and its ability to protect ICS assets.
Effective security assessments also extend beyond the technology deployed and take into account existing policies, procedures and typical behavior.
At a minimum, an assessment should include:
- An inventory of authorized and unauthorized devices and software.
- Detailed observation and documentation of system performance.
- Identification of tolerance thresholds and risk/vulnerability indicators.
- Prioritization of each vulnerability, based on impact and exploitation potential.
The outcome of any assessment is a prioritized list of mitigation activities.
Push for Proper Investment
With prioritized mitigation steps in hand, a utility is ready to implement a cybersecurity program. However, justifying funding is often fraught with challenges.
Why? First, the benefits of a cybersecurity program are usually invisible and can only be tracked through metrics. It’s easier to justify additional costs or divert funds for improvements that directly impact water delivery or quality.
In addition, cybersecurity is not a one-time expenditure. It’s a commitment that commands vigilance and an ongoing investment in people, process and technology.
Because of these factors, aligning critical security controls investment closely with the utility master plan is the most effective, publicly palatable and fiscally responsible approach.
Ways to Align
While not an exhaustive list, here are some specific ways a utility can implement a strategic, life-cycle approach to cybersecurity investments:
- Biggest impact first. Follow the initial assessment prioritization and allot funds first to investments deemed most critical.
- Assess all cyber investments for risk. Most utilities include risk assessments as part of the selection process for physical infrastructure investments. Extend this mindset to investments that affect the IT infrastructure and ICS.
- Invest for a more secure future. Make future-ready ICS and IT investments at every level of the enterprise. Select technology that incorporates cybersecurity features — even if those features can’t be activated immediately.
- Scrutinize and limit system proliferation. Narrow the scope of system suppliers and service level agreements (SLAs). The fewer disparate systems within an environment, the easier it is to secure them.
- Consider quality-based selection (QBS). This pre-selection procurement system focuses on the long-term life-cycle costs of a solution — not only upfront capital costs. QBS helps set a technology direction for the future that prioritizes an integrated secure environment.
- Recognize the value of ongoing and annual assessment. A successful cybersecurity strategy requires an ongoing audit of what exactly is occurring in the system, and an annual assessment to restate or realign priorities.
Positioned for the Future
On the surface, water systems may not appear very different from the day they were commissioned. But chances are, the internetworking of these systems has changed radically. Often, there is a tremendous intermixing of old and new products and various creative methods to exchange information.
Within this environment, understanding even the current system security baseline can be a challenge. However, the need to address cybersecurity issues has never been greater.
By aligning critical security controls investment with the master plan, utilities are well positioned to identify system vulnerabilities and undertake essential mitigation steps — both now and in the future.
The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Putman Media, Inc.