Water Industry Cyber Security Human Resources and Training Needs

Water and Environment Journal, 2018

Recent events have highlighted the need to address cybersecurity threats to systems supporting critical infrastructure and federal information systems which are evolving and growing. These threats have become ubiquitous in the United States, and throughout the world. Many information and communications technology (ICT) devices and other components are interdependent so that disruption of one component may have a negative, cascading effect on others. In the United States, the Federal role in cyber-security has been debated for more than a decade but creating a policy is complicated because in the United States, State and local governments are the major institutions responsible for providing services to their populations. It is important that critical infrastructure such as Publically Owned Treatment Works (POTWs) and Public Water Systems (PWSs) adopt suitable countermeasures to prevent or minimise the consequences of cyber-attacks. This paper discusses both technological and procedural techniques that can be used to protect against cyber-threats.

European Conference on Cyber Warfare and Security

Industrial Control Systems (ICS) comprise software, hardware, network systems, and people that manage and operate industrial processes. Supervisory Control and Data Acquisition Systems (SCADA) and Distributed Control Systems (DCS) are two of the most prevalent ICS. An ICS facilitates the effective and efficient management and operation of industrial sectors, including critical infrastructure sectors like utilities, manufacturing, and water treatment facilities. An ICS collects and integrates data from various field controllers deployed in industrial contexts, enabling operators to make data-driven decisions in managing industrial operations. Historically, ICS were isolated from the internet, functioning as part of air-gapped networks. However, the efficiency improvements brought about by the emergence of Information Technology necessitated a shift towards a more connected industrial environment. The convergence of Information and Operational Technology (IT/OT) has made ICS vulnerabl...

2016

Water management is a critical infrastructure activity in The Netherlands. Many organizations, ranging from local municipalities to national departments are involved in water management by controlling the water level to protect the land from flooding and to allow inland shipping. Another important water management task is the purification of waste water and sewage. To fulfill these tasks, such organizations depend on information and communication technologies, ranging from standard office IT facilities to Industrial Control Systems (ICS), for example to control excess water pumps and locks, as well as to monitor and control water purification plants. The worldwide increase of both volume and sophistication of cyber attacks made the Dutch government decide to sponsor a project to determine a cyber security posture of the water management organizations by benchmarking the cyber security state of their water management installations and processes. In this paper we present our benchmark...

World Environmental and Water Resources Congress 2020, 2020

Water system managers increasingly operate in distributed information exchange environments characterized by internal and external data communications. These sensorcontroller-machine intensive environments must communicate internally (within and between device-level rings, within and between subsystems, and/or within and between systems) and externally (with and between original equipment manufacturers and/or with and between credentialed third parties). In critical infrastructure, cyber risk is magnified due to the heterogeneous nature of the technologies, protocols, and standards. Such an environment requires an approach that goes beyond information technology practices incorporating the unique needs of operational technologies. Protecting blended topologies requires a multi-dimensional framework integrating logical segmentation, cyber hygiene, network oversight, and human reliability. Logical segmentation compartmentalizes the network to align with service delivery. Cyber hygiene provides intrusion detection/prevention, identity services, malware protection, and network behavior analysis. Network oversight monitors network activity detecting and automatically responding to non-compliant actions with response policies that are service delivery fail-safe cognizant. Human reliability recognizes the potential for inadvertent and/or purposeful harmful actions and places digital safeguards at critical points to avoid compromise. Each dimension is significant itself but, collectively, they dramatically reduce the potential for gap and blind-zone formation with technologies and practices that are deployed in industrial and control system network operations today. This paper summarizes recent cyber-physical threat events and describes best practices in use across small and large critical infrastructure enterprises. Findings highlight the role network architecture design and operational practices to reduce attack surfaces and, at the same time, increase operational efficiency, ensure data integrity, and provide operational resilience in the face of evolving threats to cyber-physical systems.

2017

Cyber security is a growing challenge for all organizations. In the past two decades, organizations have developed a huge amount of infrastructures based on important industrial control systems (ICS) for their businesses. A specific domain of these challenges comprises the industrial organizations that manage railway infrastructures, public utilities, nuclear plants, communication infrastructures and utilities. The aim of the paper is developing a conceptual bridge between organizational research on safety and new research program on cyber security in industrial setting. Working on data provided by an ongoing project on cyber risk in ICS, the paper suggest a preliminary framework to face with relevant questions and reflections on how the organizational social construction of safety can be in some way a good proxy to understand the sociotechnical side of cyber risk in industrial sites.

Handbook of Research on Cybersecurity Risk in Contemporary Business Systems, 2023

Protecting networks that are part of industrial control systems (ICS), such as supervisory control and data acquisition (SCADA) systems, is a significant issue that affects public health as well as public safety and national security. Industrial control systems such as the SCADA systems that manage our electrical grids, oil pipelines, and water distribution systems remain vulnerable to cyber-attacks from different directions through various technologies in the U.S. It is essential to understand that the security of critical infrastructure goes far beyond the scope of cybersecurity. Qualitative interviews with subject matter experts were used to discover the best practices for protecting these systems.

Securing the Nation’s Critical Infrastructure - A Guide for the 2021-2024 Administration, 2022

Since the “Final Rule” of the Chemical Facilities Anti-Terrorism Standard (CFATS), released in 2007, Chemical manufacturers have been implementing controls and processes to comply and shore up their facilities’ security. CFATS provided a good starting point to address the physical and (rudimentary) cybersecurity aspects of protecting our critical chemical production facilities. In 2014, Congress’s Act to reauthorize and codify the CFATS program (6 USC §§ 621-29) passed. This legislation laid the foundation for the continued maturation of the CFATS program. Even though extended through April of 2020, these programs left considerable gaps to overcome, not addressed by the initial standards. This section will discuss some of the challenges that complicate the operational sustainability of cybersecurity programs of our critical chemical production facilities. Faced with Advanced Persistent Threats (APT), comprised of Nation-State actors, Cyber Criminal, and Hacktivist organizations, a more sophisticated and coordinated attack capability has emerged, reaching beyond the original scope of CFATS. Quantifying and Qualifying threats by location starts with the production or storage of “chemicals of interest,” as outlined in CFATS, but transitions across all aspects of the business. Leveraging a consequence-based risk assessment process produces a “bottom-line impact” assessment to augment the financial element of implementing controls. The convergence of IT security tools and rigor with the OT environment unifies the visibility into Indication of Compromise (IOC) and Indications of Attack (IOA). Early February of 2021, a would-be attacker(s) attempted to make parameter changes in a water treatment plant that would potentially poison the population by introducing deadly amounts of sodium hydroxide. This attack was not caught by automation or IOC or IOA monitoring, rather the astute observations of an operator intimately familiar with the water treatment process, watching the production control systems. This breach and configuration change attempt was a dangerously close call and lucky catch. This event highlights the need to be ultra-virulent in designing and maintaining an OT SOC capability and locking down the data flow controls and micro-segmentation in the OT environment. These additional cybersecurity disciplines play an essential role in limiting the ability to establish Command and Control (C2). This paper’s final topic is the challenge of budget allocation in the traditional business practice and setting expectations for cultural change to keep the cybersecurity programs prioritized. Keywords: CFATS, CybersecurityInfrastructure protection/Computer networks; Infrastructure protection/Chemical industry and hazardous materials; Cyberspace and Cybersecurity; Cyberspace and Cybersecurity/Targets and vulnerabilities

Historically, control and safety systems for critical infrastructures have not included cyber security measures. The addition of these measures will increase the cost of both design and construction but the increase in cost will be lower than adding them after design. Even though control systems architecture is becoming more like IT systems, there are major differences that must be recognized and applied during the engineering design and implementation. This paper presents design considerations for control and safety systems in new infrastructure projects.

2020

The U.S. Army Engineer Research and Development Center (ERDC) solves the nation's toughest engineering and environmental challenges. ERDC develops innovative solutions in civil and military engineering, geospatial sciences, water resources, and environmental sciences for the Army, the Department of Defense, civilian agencies, and our nation's public good. Find out more at www.erdc.usace.army.mil.

International Journal of Critical Infrastructure Protection, 2011

International studies have shown that information security for process control systems, in particular SCADA, is weak. As many critical infrastructure (CI) services depend on process control systems, any vulnerability in the protection of process control systems in CI may result in serious consequences for citizens and society. In order to understand their strengths and weaknesses, the drinking water sector in The Netherlands benchmarked the information security of their process control environments. Large differences in their security postures were found. Good Practices for SCADA security were developed based upon the study results. This paper will discuss the simple but effective approach taken to perform the benchmark, the way the results were reported to the drinking water companies, and the way in which the SCADA security good practices were developed. Figures shown in this paper are based on artificially constructed data since the study data contain company and national sensitive information.