Securing the US water supply: Smart people, processes and technology
By Rick Peters, CISO for Operational Technology, Fortinet
Water-treatment and supply systems must comply with complex regulations and mandates, and—with certainty—must offer safe, stable, continuous operations. Complicating that mission imperative is the rise of cyberattacks against critical infrastructure, which includes water-control systems, according to the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.
Threats to the nation’s 150,000+ water systems put public health and the environment at risk. In acknowledgement of these rising threats, the Biden Administration is undertaking a new 100-day plan to improve the water sector’s cybersecurity. Let’s take a closer look at what’s behind these efforts.
Water utilities are at real risk for cyberattack
Why are water utilities at high risk? The OT networks that water utilities depend upon may contain hundreds of different components that are difficult to inventory, map and update. Operators often lack complete visibility into their networks, which contributes to misconfigurations, security gaps and other vulnerabilities. Attackers use tactics tailored to the cyber-physical systems of OT environments, and they are succeeding: according to a recent survey, 9 out of 10 OT organizations experienced at least one system intrusion in the past year, and 63% had three or more.
Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices are a key factor in the expansion of the attack surface. Many of these devices are headless, with no user interface and little spare compute: they typically cannot run endpoint security software, and in practice they are rarely patched or updated. Devices that stay unpatched and exposed are ready recruits for botnet malware, which can then be turned against critical systems in denial-of-service attacks.
To develop a strong cybersecurity strategy, water-sector leaders need to focus their attention on people, processes and technology.
The role of people
Employees are a substantial source of risk to any organization, though mostly unintentionally. Cybersecurity training keeps employees aware of the latest threats and scams and helps them avoid falling for phishing and similar attacks. Once trained, employees become an asset that acts as the first line of defense.
Organizations should also adopt access-management policies, such as the principle of least privilege, to reduce exposure and limit the damage from a breach. This practice ensures that devices, applications and users can reach only the resources they need to do their job, and nothing more.
Re-thinking processes
Sound processes are required to gain visibility into traffic and users. With that visibility established, operators can control each flow from the moment a user is onboarded or a device is installed, permitting only the destinations and services it needs to reach or serve. This traffic map, combined with continuous monitoring, yields actionable intelligence: security teams can prevent disruptions proactively and respond quickly when incidents occur.
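The following is an added example, written for this article and not code from the author or from Fortinet, that ties the least-privilege policy of the previous section to the traffic map described here. The zone layout (corporate, engineering, control), the addresses, the allowed services and the flow records are all constructed for the illustration; a real utility would populate the map from its own asset inventory and flow data. Observed flows that fall outside the map are reported for review.

```python
"""Flow allowlisting against an OT traffic map (added example, not from the article).

The traffic map below is a least-privilege policy for the network: it lists the
only flows each zone is expected to originate. Any observed flow outside the map
is flagged for review. Zones, addresses, ports and log lines are constructed
sample data for this illustration, not any utility's real configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# Constructed zone map (assumed layout: corporate, engineering and control zones).
ZONES = {
    "corporate":   ip_network("10.10.0.0/16"),
    "engineering": ip_network("10.20.0.0/24"),
    "control":     ip_network("192.168.100.0/24"),
}

# Allowlist keyed by (source zone, destination zone, protocol, destination port).
# Everything not listed here is more than the job requires and is reported.
ALLOWED_FLOWS: Dict[Tuple[str, str, str, int], str] = {
    ("engineering", "control", "tcp", 502):   "Modbus/TCP from engineering workstations to PLCs",
    ("engineering", "control", "tcp", 44818): "EtherNet/IP from engineering workstations to PLCs",
    ("control", "engineering", "udp", 514):   "syslog from controllers to the collector",
    ("corporate", "engineering", "tcp", 443): "HTTPS from corporate users to the historian front end",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known zones is 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def classify(flow: Flow) -> Tuple[str, str]:
    """Return ('allowed', description) or ('unexpected', reason) for one flow."""
    key = (zone_of(flow.src), zone_of(flow.dst), flow.proto, flow.dport)
    if key in ALLOWED_FLOWS:
        return "allowed", ALLOWED_FLOWS[key]
    return "unexpected", f"{key[0]} -> {key[1]} on {flow.proto}/{flow.dport} is not in the traffic map"


def parse_flow_log(lines: Iterable[str]) -> List[Flow]:
    """Parse constructed flow records of the form '<src> <dst> <proto>/<dport>'."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, service = line.split()
        proto, port = service.split("/")
        flows.append(Flow(src, dst, proto.lower(), int(port)))
    return flows


def unexpected_flows(lines: Iterable[str]) -> List[Tuple[Flow, str]]:
    """Run every record through the map and return the flows that fall outside it."""
    findings = []
    for flow in parse_flow_log(lines):
        verdict, reason = classify(flow)
        if verdict == "unexpected":
            findings.append((flow, reason))
    return findings


# Constructed flow records: one line per observed connection.
SAMPLE_LOG = """\
# src            dst             service
10.20.0.15       192.168.100.7   tcp/502
10.10.4.23       192.168.100.7   tcp/502
192.168.100.7    10.20.0.200     udp/514
10.20.0.15       192.168.100.9   tcp/23
203.0.113.5      192.168.100.7   tcp/502
"""

if __name__ == "__main__":
    for flow, reason in unexpected_flows(SAMPLE_LOG.splitlines()):
        print(f"REVIEW {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Run on the constructed records, the script passes the engineering-to-PLC Modbus session and the syslog flow, and reports three flows for review: a corporate host talking Modbus to a PLC, an engineering workstation opening Telnet to a controller, and an address outside every zone reaching the control network. The point of keying the map on zones rather than individual addresses is that the policy stays readable as devices are added, while still enforcing that each zone reaches only the services it requires.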
A second essential element of improving processes is an incident-response plan. The plan should lay out repeatable procedures and describe how the organization will recover its business and operational processes. To minimize downtime and improve the odds of recovering data after an event, organizations must keep proper backups in place and test the recovery process regularly; a backup that has never been restored offers no assurance that it can be.
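As an added example of what "regularly test recovery processes" means in practice (this is illustration code written for this article, not the author's or Fortinet's), the script below archives a configuration directory, records a SHA-256 manifest of the originals, restores the archive into a scratch directory and verifies every restored file against the manifest. It then deliberately truncates the archive and repeats the drill to show that a damaged backup is caught before it is needed. The directory layout and file contents are constructed for the demonstration.

```python
"""Backup and restore drill (added example, not the article's or Fortinet's code).

Archives a directory, records a SHA-256 manifest of the originals, restores the
archive into a scratch directory and verifies every file against the manifest.
A backup that cannot be restored and verified is treated as no backup at all.
The directory layout and file contents are constructed for this illustration.
"""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write a gzipped tar of `source`; return {relative path: sha256} of the originals."""
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source).as_posix()
                manifest[rel] = sha256_of(path)
                tar.add(path, arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: Dict[str, str]) -> List[str]:
    """Restore into a scratch directory; return the problems found (empty means the drill passed)."""
    problems: List[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch).resolve()
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for member in tar.getmembers():
                    # Refuse members that would land outside the scratch directory.
                    target = (dest / member.name).resolve()
                    if dest != target and dest not in target.parents:
                        problems.append(f"refusing unsafe member path: {member.name}")
                        continue
                    if hasattr(tarfile, "data_filter"):  # Python 3.12+ and security backports
                        tar.extract(member, dest, filter="data")
                    else:
                        tar.extract(member, dest)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        for rel, expected in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"content mismatch after restore: {rel}")
    return problems


def run_drill() -> Tuple[Dict[str, str], List[str], List[str]]:
    """Constructed end-to-end drill: an intact backup passes, a truncated copy of it fails."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        source = root / "config"
        (source / "plc").mkdir(parents=True)
        (source / "plc" / "pump_station_1.cfg").write_text("setpoint=42\n")
        (source / "hmi_screens.xml").write_text("<screens/>\n")
        archive = root / "config-backup.tar.gz"
        manifest = make_backup(source, archive)
        good = restore_and_verify(archive, manifest)
        # Simulate a damaged backup by truncating the archive to half its size.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        bad = restore_and_verify(archive, manifest)
    return manifest, good, bad


if __name__ == "__main__":
    manifest, good, bad = run_drill()
    print("files in manifest:", sorted(manifest))
    print("intact backup   :", "PASS" if not good else good)
    print("truncated backup:", "FAIL" if bad else "unexpectedly passed")
```

The manifest is computed from the originals, not from the archive, so the drill checks the whole chain: what was captured, whether it can be read back, and whether what comes back matches what went in. Restoring into a scratch directory keeps the drill from touching production paths, and the member-path check refuses archive entries that would escape that directory.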
Process improvements also go further when they are fed with actionable threat intelligence, which helps teams detect and respond to threats more effectively.
Using the right technology
Integrating point solutions for each networking and security problem has long been the standard. Unfortunately, while individual solutions may work as advertised, they were not designed to work in tandem, so they cannot deliver the time-sensitive situational awareness that cybersecurity demands. Networks built from point products are exposed to attacks designed to exploit the gaps between isolated solutions.
Though there are myriad cybersecurity solutions to choose from, it's essential that they not be selected in isolation. A better approach is to choose tools based on their integration and automation capabilities to create an interoperable cybersecurity-mesh architecture to achieve time-sensitive detection and mitigation of threats.