NIST’s NCCoE focuses on OT remote access in water and wastewater sector cybersecurity architectures

The National Institute of Standards and Technology (NIST), through its National Cybersecurity Center of Excellence (NCCoE), released on Wednesday a draft Technical Note for public comment. The note outlines universal remote access cybersecurity architectures and demonstrative solutions planned for the ‘Cybersecurity for the Water and Wastewater Sector: A Practical Reference Design for Mitigating Cyber Risk in Water and Wastewater Systems’ project. The public comment period is open until July 15 this year.

Developed in collaboration with technology vendors, water utilities, and various experts, these architectures aim to strengthen cybersecurity measures in critical water management systems. The NCCoE is using commercial products provided by the collaborators to build secure remote access example solutions.

The cybersecurity product vendors are StrongDM, Cisco, Cyber 2.0, Q-net Security, and TDI Technologies; the water and wastewater utilities and professional associations include the Association of State Drinking Water Administrators (ASDWA), Denver Water, ReWa, and Washington Suburban Sanitary Commission (WSSC); and the consultants are Bedrock Systems, I&C Secure, and West Yost & Associates.

“The NCCoE continues to work with these collaborators to develop example solutions that demonstrate how these security architectures can be leveraged to address cybersecurity risks associated with remote access to water and wastewater operational technology systems,” according to the document. “This Technical Note presents a traditional on-premises remote access architecture and two example solutions, one for medium to large water and wastewater systems (WWS) and one for very small to small water and wastewater systems. A cloud-based remote access architecture and example solution are also described.”

A remote access solution connects people or systems over an external communications infrastructure to an organizationally managed communications infrastructure for accessing organization information and operations assets. In WWS utilities, remote access is used as a primary method for connectivity into the operational controls and SCADA (supervisory control and data acquisition) system from people and systems outside the WWS operations network.

Remote access technologies provide a critical link in supporting infrastructure and operational requirements, including a wide geographic distribution of components and subsystems; high availability for ongoing operations and off-hour support requirements; remote diagnostics and rapid system maintenance; third-party vendor access for equipment troubleshooting; access to remote or unmanned locations for service and incident response; and convergence with existing IT networks, cloud storage, or IIoT environments.

However, the use of remote access also introduces several potential security problems. NIST SP 800-46r2, ‘Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security,’ identifies several concerns, including lack of physical security controls of client-side devices, unsecured networks of externally managed communications infrastructure and potential for infected devices transferring malware into the utility’s network. 

Medium to large utilities, serving populations of 3,301 to 100,000 people, are typically characterized by larger watersheds and widely dispersed distribution networks, including possible interconnection with neighboring community water systems. These systems require remote water sourcing, pumping, treatment, storage, and pressurized distribution systems. Technologies providing efficient monitoring and control are required to support this wide-area infrastructure.

Other potential characteristics may include high-capacity systems with complex SCADA networks; advanced treatment, sophisticated sensors, data collection, and alarms; ‘state-of-the-art’ capabilities, such as real-time monitoring and predictive analytics; dedicated staffing for different aspects of the system; high maintenance costs and dedicated resources; multiple vendors and third-party management arrangements, requiring remote access for maintenance and updates of specialized SCADA components; integration with municipal IT networks to store and process data; and vendor provided subsystems, or ‘skid systems,’ which are a modularized set of components to provide a specific function.

Very small to small water and wastewater utilities in the U.S., serving populations from 25 to 3,300, make up about 80 percent of community water systems. While these smaller systems share several characteristics with larger ones, there are notable differences that affect their use of remote access. Typically, these utilities do not cover the extensive areas seen with larger systems. They usually have source points located closer to their treatment facilities, utilize elevated storage and gravity-fed networks for water distribution to homes and businesses, and have fewer requirements for remote pumping.

Other characteristics are simpler (or even no) SCADA with fewer sensors, data points, and alarms, or completely manual controls; lower complexity in technology, both in infrastructure (treatment and distribution) and supporting network architecture; existing OT hardware that may lack compatibility with required cybersecurity protections or security upgrades, the costs of which may be difficult to justify; staffing challenges, where personnel may be responsible for a wide range of duties; and general economic constraints with proportionately less to spend on upgrades. 

Although the system architecture and deployment of different-sized systems vary, there is a common list of capabilities needed to provide secure remote access when building cybersecurity architectures. All remote access architectures should provide at least the following capabilities: end-user devices should provide security capabilities that protect against malware infection; communications over externally managed communications infrastructure should have confidentiality and integrity protection; and remote access to WWS should only be available to authorized users.

In addition, remote access services should authenticate all users connecting to the service; remote access services should maintain a log of user actions; remote access services should prevent the introduction of malicious content into the OT environment; and remote access should employ the concepts of least privilege and be configured to only allow access to the specific assets required for the user’s role and scope of work. Recognizing that systems or vendors may install their own (or other third-party) remote access solutions, the utility should ensure that all the cybersecurity characteristics are met and properly integrated to meet all required security standards. This will also include considerations for ongoing support, maintenance, updates, and upgrades to address ongoing cybersecurity concerns.

When it comes to traditional remote access architecture, the NCCoE document presents a product-agnostic traditional architecture for secure remote access to an OT environment. Two example solutions that implement this architecture have been detailed – one each for medium to large and very small to small WWS.

In the case of cloud-based remote access, the considerations covering cybersecurity architectures will include a cloud security provider that handles authentication and authorization uses in the cloud environment, with security gateways and relays within the operational networks. A remote user will initiate an authentication to the cloud security provider utilizing an MFA solution to gain an access token for their cloud-based user access client. This client will then authenticate to the cloud access gateway inside of the operational network using a secured communications connection. This token will assign an RBAC (role-based access controls) profile to the authenticated user, and the gateway will handle privileges assigned to that role. Logging and routing controls are then submitted back to the cloud security provider for storage.
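The cloud-based flow described above can be sketched in a few lines. This is an added example, not code from the NCCoE Technical Note or from any collaborator's product; the shared HMAC key, role names, asset names and token format are all constructed assumptions, and a symmetric key stands in for whatever token signing scheme a real provider uses.

```python
import base64, hashlib, hmac, json, time

# Constructed values for illustration; none come from the NCCoE document.
PROVIDER_KEY = b"demo-key-shared-by-provider-and-gateway"
ROLE_ASSETS = {  # RBAC profile: role -> {asset: allowed actions}
    "operator": {"scada-hmi-1": {"view", "control"}},
    "vendor-pump": {"pump-plc-3": {"view", "diagnose"}},
}
AUDIT_LOG = []  # stands in for the records sent back to the cloud provider


def issue_token(user, role, mfa_passed, ttl=300, now=None):
    """Provider side: mint a signed, short-lived token only after MFA."""
    if not mfa_passed:
        raise PermissionError("MFA required")
    now = time.time() if now is None else now
    claims = {"sub": user, "role": role, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    sig = hmac.new(PROVIDER_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig


def gateway_authorize(token, asset, action, now=None):
    """Gateway side: verify the token, apply the role; deny by default."""
    now = time.time() if now is None else now
    user, allowed, reason = "unknown", False, "bad-token"
    try:
        body, sig = token.rsplit(".", 1)
        good = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(sig, good):  # constant-time comparison
            claims = json.loads(base64.urlsafe_b64decode(body))
            user = claims["sub"]
            if claims["exp"] <= now:
                reason = "expired"
            elif action in ROLE_ASSETS.get(claims["role"], {}).get(asset, set()):
                allowed, reason = True, "ok"
            else:
                reason = "not-in-role"  # least privilege: unlisted means denied
    except (ValueError, KeyError, TypeError, AttributeError):
        pass  # malformed token stays denied as "bad-token"
    # Every decision is logged, including denials.
    AUDIT_LOG.append({"ts": now, "user": user, "asset": asset,
                      "action": action, "allowed": allowed, "reason": reason})
    return allowed
```

A vendor token issued for `vendor-pump` is accepted for `pump-plc-3` diagnostics and refused for `scada-hmi-1`, and both outcomes land in the audit log.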

Water and wastewater utilities face potential challenges that may result from unauthorized access, such as the use of default or shared authentication credentials, broad access to OT and related networked systems, and lack of MFA (multi-factor authentication) requirements. The expected outcomes of demonstrating solutions to these challenges include ensuring security safeguards are configured on all devices and systems on the network, providing role-based access control mechanisms, and detecting intrusion/anomalous behavior. This, in turn, offers solutions that can protect water/wastewater utilities from potential cyber-attacks while enabling and maintaining secure, available remote access systems so utility operations can continue undisrupted.

The NCCoE is currently building lab prototypes of the example solutions described here. The cybersecurity architectures, example solutions, and lab prototypes may be modified in response to feedback received on this initial public draft, and the publication will be updated to describe any modifications and document the results of lab prototyping efforts.
