5 Ways to Strengthen Water Infrastructure Security

As the line between cyber and physical becomes more blurred, smarter, more cost-effective physical security solutions are necessary to secure water treatment plants and physical access to workstations that store customer data.

“Physically managing a perimeter is expensive,” Groom said. “It costs labor and time; it’s an operational expense that repeats every 8 hours.”

While water utilities may not be able to afford advanced, multiperimeter physical defenses, surveillance systems that use artificial intelligence to detect anomalous or potentially concerning activity in camera feeds help fill gaps.

“I want a tap on the shoulder, ‘Hey, take a look here,’” Groom said. “You can do that with smart surveillance systems and alarms. An alarm tells you what direction to look in and gives a human the opportunity to call the cavalry if needed.”

5. Secure Industrial Internet of Things Devices

Many water utilities are starting to use IIoT devices that improve equipment monitoring and staff safety. Each new endpoint is a new attack vector.

According to a report from CISA, an Iran-backed hacker group compromised water utilities by breaching poorly secured programmable logic controllers. Water utilities use PLCs to remotely transmit information to and from industrial equipment.

Other IIoT attack vectors that need to be secured include:

  • Supervisory control and data acquisition (SCADA) systems
  • Devices that rely on the Modbus communication protocol
  • Devices that use the Message Queuing Telemetry Transport (MQTT) protocol
  • Distributed control systems (DCSs)

These technologies and communication protocols provide fast and reliable remote access that allows industrial devices to talk to one another in near real time, but they’re not inherently secure. Modbus and MQTT, for instance, are open communication protocols that lack strong authentication by default, according to CISA.

Until defensive actions are taken — such as identifying all assets and endpoints that use these protocols, segmenting IIoT networks and protecting them with firewalls, and implementing strong authentication — these endpoints should be presumed to be at risk.
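The first two defensive actions above (inventory the Modbus and MQTT endpoints, then check segmentation) can be run against network flow records. The sketch below is an added example, not part of the original article; the address plan, the allowlisted SCADA host and the flow records are constructed, and the only fixed values are the standard ports for Modbus/TCP (502) and MQTT (1883, 8883 over TLS).

```python
import ipaddress
from collections import defaultdict

# Standard ports: Modbus/TCP 502, MQTT 1883 (plaintext), MQTT over TLS 8883.
PROTO_PORTS = {502: "modbus", 1883: "mqtt", 8883: "mqtt-tls"}

# Assumed network plan, constructed for this example.
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_CLIENTS = {ipaddress.ip_address("10.30.5.10")}  # hypothetical SCADA server

# Constructed flow records, one per line: "src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
10.30.5.10 10.20.0.51 502
10.30.5.10 10.20.0.52 502
10.30.5.77 10.20.0.51 502
10.20.0.60 10.20.0.5 1883
203.0.113.9 10.20.0.5 1883
10.20.0.61 10.20.0.5 8883
10.30.5.77 10.30.5.1 443
"""

def parse_flows(text):
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def audit(text):
    """Return (inventory, findings) for Modbus/MQTT traffic in the flow records."""
    inventory = defaultdict(set)   # listener IP -> protocols seen on it
    findings = []                  # (src, dst, protocol, reason) tuples to review
    for src, dst, port in parse_flows(text):
        proto = PROTO_PORTS.get(port)
        if proto is None:
            continue               # not an industrial protocol we track
        inventory[str(dst)].add(proto)
        outside = src not in OT_SEGMENT and src not in ALLOWED_CLIENTS
        if dst in OT_SEGMENT and outside:
            findings.append((str(src), str(dst), proto, "unapproved source outside OT segment"))
        if proto == "mqtt":
            findings.append((str(src), str(dst), proto, "plaintext MQTT port in use"))
    return dict(inventory), findings

if __name__ == "__main__":
    inv, finds = audit(SAMPLE_FLOWS)
    print(inv)
    for f in finds:
        print(*f, sep="  ")
```

Each finding maps to a firewall rule to tighten or a broker to move to authenticated, TLS-protected connections.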

“This interconnected system has provided so many advantages to the citizens of the United States, but with digital transformation comes digital risk,” Grant Geyer, chief strategy officer for Claroty, recently told StateTech.

Geyer added that running in the other direction is not the right answer. Rather, he advises that utilities act now to face cyber risk so that they can be secure by design and benefit from IIoT devices indefinitely.

“The key is to go from being unaware to being open-eyed about the risk,” he said.
