NIST seeks information on products, technical expertise to provide cybersecurity across water and wastewater sector

The National Institute of Standards and Technology (NIST) has called upon organizations to provide letters of interest describing products and technical expertise to support and demonstrate security platforms to deliver cybersecurity across the water and wastewater sector. The measure is the initial step for the National Cybersecurity Center of Excellence (NCCoE) in collaborating with technology companies to address cybersecurity challenges across the sector.

According to a notice published Tuesday in the Federal Register, the agency is soliciting responses from all sources of relevant security capabilities to enter into an NCCoE Cooperative Research and Development Agreement (CRADA) to provide products and technical expertise to support and demonstrate security platforms for the project. Collaborative activities will commence as soon as enough completed and signed letters of interest have been returned to address all the necessary components and capabilities, but no earlier than July 20, 2023. Participation in the project is open to all interested organizations. 

The ‘Cybersecurity for the Water and Wastewater Sector: A Practical Reference Design for Mitigating Cyber Risk in Water and Wastewater Systems’ project will employ products, provided by collaborating vendors, that deliver cybersecurity capabilities, including asset management, data integrity, remote access, and network segmentation. The project aims to develop example cybersecurity solutions to protect the infrastructure in the operating environments of water and wastewater systems sector utilities.

The effort comes amid increasing adoption of network-enabled technologies by the sector, which merits the development of best practices, guidance, and solutions to ensure that the cybersecurity posture of facilities is safeguarded.

“Critical infrastructure issues in the WWS sector present several unique challenges. Utilities in the sector typically cover a wide geographic area regarding piped distribution networks and infrastructure together with centralized treatment operations,” the NIST notice said. “The supporting operational technologies (OT) underpinning this infrastructure are likely reliant on supervisory control and data acquisition (SCADA) systems which provide data transmission across the enterprise, sending sensor readings and signals in real-time. These systems also control the automated processes in the production environment which is linked to the distribution network.” 

Additionally, the notice identified that “many OT devices are converging upon information technology (IT) capability with the advent of Industrial Internet-of-Things (IIoT) devices and platforms, such as cloud-based SCADA and smart monitoring. This project will develop a reference design that demonstrates practical solutions for water and wastewater utilities of all sizes.” 

“The reference design will use commercially available products and services to address four WWS cybersecurity challenges: asset management, data integrity, remote access, and network segmentation,” the Federal Register notice identified. “The commercial products and services will be integrated into a demonstration of the reference design. The project also initiates a broad discussion with WWS sector stakeholders to identify commercial solution providers.”

Additionally, the project will result in a publicly available NIST Cybersecurity Practice Guide which will include a detailed implementation guide of the practical steps needed to implement a cybersecurity reference design that addresses these challenges.

The notice said that asset management capabilities discover and identify physical and virtual assets in the OT environment. These assets may be geographically distributed and may be cloud-based. “In addition to network-connected assets, these capabilities should provide a means to discover and identify assets connected by low-bandwidth communications channels and disconnected assets. The asset management capability maintains an inventory of known assets which contains information such as asset type, product version, and communication protocols used. Asset management capabilities may provide automation to establish and enforce a baseline security posture,” it added.

“Data integrity capabilities protect data and communications within the OT environment against improper modification or destruction,” according to the notice. “Additionally, these capabilities monitor the OT environment to detect potential integrity violations and generate alerts to initiate any needed responses.”

Remote access capabilities provide entities (people and systems) controlled access to OT assets from outside the OT environment, the notice said. “These capabilities authenticate any entity seeking access, allow only explicitly authorized access, control which actions are allowed for each authorized entity, and maintain a record of all actions attempted and completed by each entity.”

On network segmentation capabilities, the notice said that they provide logically isolated network subsets that can be managed more efficiently and effectively. Segmentation allows for a more detailed level of authorization and access, visibility into network flows among critical assets and infrastructure, and control of device management, and minimizes the potential harm from threats by isolating them to a limited part of the network.

The notice also detailed that, in their letters of interest, responding organizations need to acknowledge the importance of and commit to providing access for all participants’ project teams to component interfaces and to the organization’s experts necessary to make functional connections among security platform components. They also commit to delivering support for the project, which will be conducted in a manner consistent with the various standards and guidance, including FIPS 200, FIPS 201, SP 800-82, and SP 800-53, the NIST Cybersecurity Framework, and the NIST Privacy Framework.

The agency said that it cannot guarantee that all the products proposed by respondents will be used in the demonstration. “Each prospective participant will be expected to work collaboratively with NIST staff and other project participants under the terms of the NCCoE consortium CRADA in the development of the Cybersecurity for the Water and Wastewater Sector: A Practical Reference Design for Mitigating Cyber Risk in Water and Wastewater Systems project.” 

Prospective participants’ contribution to the collaborative effort will include assistance in establishing the necessary interface functionality, connection and set-up capabilities and procedures, demonstration harnesses, environmental and safety conditions for use, integrated platform user instructions, and demonstration plans and scripts necessary to demonstrate the desired capabilities, the notice added. 

“Each participant will train NIST personnel, as necessary, to operate its product in capability demonstrations. Following successful demonstrations, NIST will publish a description of the security platform and its performance characteristics sufficient to permit other organizations to develop and deploy security platforms that meet the security objectives of the Cybersecurity for the Water and Wastewater Sector: A Practical Reference Design for Mitigating Cyber Risk in Water and Wastewater Systems project,” according to the notice. “These descriptions will be public information. Under the terms of the NCCoE consortium CRADA, NIST will support development of interfaces among participants’ products by providing IT infrastructure, laboratory facilities, office facilities, collaboration facilities, and staff support to component composition, security platform documentation, and demonstration activities.”

NIST also said that the dates of the demonstration will be announced on the NCCoE website at least two weeks in advance. The expected outcome will demonstrate how the components of the project architecture can provide security capabilities to mitigate identified risks related to data throughout its lifecycle. Participating organizations will gain from the knowledge that their products are interoperable with other participants’ offerings.  

Last November, the NCCoE published a draft project description seeking feedback from all stakeholders in the water and wastewater utilities sector. The project said it is working to develop example cybersecurity solutions to protect the infrastructure in the operating environments of the water and wastewater systems. The increasing adoption of network-enabled technologies by the sector merits the development of best practices, guidance, and solutions to ensure that the cybersecurity posture of facilities is safeguarded.
