Attacks and Vulnerabilities
CISA
Critical infrastructure
News
NIST
Utilities: Energy & Power, Water, Waste
Vulnerabilities

NCCoE project releases draft document for securing water and wastewater utilities, calls for feedback

November 03, 2022
NCCoE project releases draft document for securing water and wastewater utilities, calls for feedback

The National Cybersecurity Center of Excellence (NCCoE) published a draft project description seeking feedback from all stakeholders in the water and wastewater utilities sector. The NCCoE project is working to ensure that its guidance can benefit the broadest audience and is especially interested in hearing from water utilities of all sizes. The public comment period is open until Dec. 19, 2022.

The document titled “Securing Water and Wastewater Utilities: Cybersecurity for the Water and Wastewater Systems Sector,” outlines a project that will develop example cybersecurity solutions to protect the infrastructure in the operating environments of the water and wastewater systems (WWS) sector. The increasing adoption of network-enabled technologies by the sector merits development of best practices, guidance, and solutions to ensure that the cybersecurity posture of facilities is safeguarded.

The document identifies common scenarios across the WWS sector that may showcase higher-risk cybersecurity characteristics for WWS sector utilities. The scenarios are informed by the project team’s conversations with stakeholders across the WWS sector. The NCCoE project team will address each scenario in collaboration with members of the WWS sector and vendors of cybersecurity solutions. The resulting reference design will detail an approach that can be used by WWS sector organizations to plan for and mitigate cybersecurity risks. 

The NCCoE project explores four areas of concern identified by WWS stakeholders, namely asset management, data integrity, remote access, and network segmentation. These areas have been under review to determine the common features among sector stakeholders and to identify issues being faced by broad segments of the sector. For this project, the focus is on municipal-scale utilities. 

The project will largely demonstrate solutions to improve the cybersecurity posture of WWS stakeholders. It is guided by the assumptions that WWS infrastructure that adequately reflects operational capabilities is available for solution testing, and a range of commercially available solutions exist and are readily available to sector stakeholders to demonstrate solutions to the identified challenges. 

“Critical infrastructure issues in the WWS sector present several unique challenges. Utilities in the sector typically cover a wide geographic area regarding piped distribution networks and infrastructure together with centralized treatment operations,” the NCCoE project said. “The supporting operational technologies (OT) underpinning this infrastructure are likely reliant on supervisory control and data acquisition (SCADA) systems which provide data transmission across the enterprise, sending sensor readings and signals in real time.” 

The NCCoE project also said that these systems control the automated processes in the production environment which is linked to the distribution network. “Additionally, many OT devices are now converging upon information technology (IT) capability with the advent of Industrial Internet-of-Things (IIoT) devices and platforms, such as cloud-based SCADA and smart monitoring,” it adds.

The project will identify specialized cybersecurity capabilities from collaborating vendors to address the vulnerabilities identified in the previous section. To demonstrate the reference architecture, collaborating stakeholders need to supply products and technology that offer asset management, data integrity, remote access and network segmentation.

Asset discovery and visibility solutions identify all assets that exist on the network, whether physical, virtual, on- or off-premises, or on the cloud. These software solutions further deliver information on existing gaps in configurations, product versions, or protocols that require updates or enforcement of security policies. The NCCoE project will also work on improving asset discovery and visibility is generally accomplished by the classification and categorization of all network devices, followed by an audit and compliance stage. Enforcement of a predetermined security posture can be accomplished by automation and orchestration of baseline requirements. 

Data integrity solutions will provide capabilities to assure communications within the OT environment are not modified or replaced in transit. These technologies will determine if integrity has been compromised, such as in data modification or spoofing. They provide capabilities to prevent loss of integrity, such as cryptographic mechanisms and validation techniques. These capabilities would also integrate with existing security information and event management systems in the capture and analysis of network traffic data.

The NCCoE project will also include capabilities which serve to provide and enforce access policies. These solutions ensure that authorized communications can take place among network devices and prevent unauthorized access or information exchanges from unknown systems. The capabilities can be configured to monitor and log for unauthorized attempts to authenticate onto the network, providing visibility into the anomalous behavior. In addition, these systems may need to work in tandem with existing identity and access management solutions within the WWS entity, such as federated systems, hybrid cloud/IT networks, multi factor authentication, and IIoT device management.

Network segmentation capabilities will provide logically isolated network subsets that can be managed more efficiently and effectively. Segmentation is accomplished by establishing zones, or logical groups, of devices and infrastructure based on commonalities such as process or operational area, ICS protocol, or accessibility requirements. The NCCoE project assesses that segmentation provides a more detailed level of authorization and access, visibility into network flows among critical assets and infrastructure, and control of device management, and minimizes the potential harm from threats by isolating them to a limited part of the network.

The NCCoE project will identify challenges and develop a reference architecture that demonstrates solutions using commercially available products and services. These solutions will be integrated into a pilot-lab environment to develop a reference architecture and case study. 

The project will result in a publicly available NIST Cybersecurity Practice Guide which will include a detailed implementation guide of the practical steps needed to implement a cybersecurity reference design that addresses these challenges.

The NCCoE project also highlights the presence of various capabilities among WWS utilities regarding cyber-enabled operations. Identifying challenges that can be representative in addressing various issues may be difficult. Also, lab-constructed test solutions may not address the complexities of real-world operational scenarios. Furthermore, the NCCoE does not provide prescriptive solutions, but rather demonstrates illustrative cases that may be voluntarily adopted by a large segment of the sector.

The U.S. administration extended the Industrial Control Systems (ICS) Cybersecurity Initiative to the water sector earlier this year. The Water Sector Action plan outlines surge actions that will take place over the next 100 days to improve the cybersecurity of the sector. The action plan was developed in close partnership with the Environmental Protection Agency (EPA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Water Sector Coordinating Council (WSCC).

Commenting on the NCCoE project document, Chris Warner, OT Cybersecurity Consultant, GuidePoint Security, wrote in an emailed statement that water systems are unique and challenging to secure because many systems are over 50 years old, and it will take tremendous financial and human resources to replace or upgrade to stay in compliance with regulatory entities. “Water SCADA systems have numerous physical sites that are diverse in architecture and challenging to ensure integrity and security for water treatment basins, distribution centers, storage towers/level management, drinking water distribution networks, real-time decentralized industrial wastewater treatment centers, and real-time flood control system monitoring,” he adds. 

Warner also said that the American Water Works Association (AWWA) mandates over 180 standards of practice for water utilities, and many U.S. states have their own regulations. “Some states are now encouraging water utilities to align to the NIST CSF. The NIST CSF mainly focuses on the business, IT, and a limited amount of OT. Creating an overlay of the NIST 800-82 with the CSF specifically addresses SCADA systems,” he highlights.

“The water sector is an absolutely critical component of national security and also a huge area of exposure. With 148,000 public water systems in the U.S., operators are dealing with older, legacy infrastructure that, in most cases, pre-dates any modernization efforts, including security measures from the ground up,” Chris Gray, AVP of security strategy at cybersecurity firm Deepwatch, wrote in an emailed statement. 

Gray added that like a lot of issues in critical infrastructure, security was originally provided by the physical difficulties in gaining access to the controllers. “Operators have adopted remote access technologies to allow connectivity, which gives easy access but also availability for exploitability. In order to protect these systems, we have to ‘bolt on’ security measures given the cost (both financial and operational) of replacement technology. The NIST guidelines will be a welcomed addition to anything the EPA does put out but likely difficult to implement in today’s current environment.”

Last month, the U.S. administration disclosed that it is working towards securing cyberspace and strengthening American critical infrastructure. Anne Neuberger, deputy assistant to the president and deputy national security advisor for cyber and emerging threats, confirmed that the communications, water, and healthcare sectors are looking at new cybersecurity standards.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings