Incorporating cybersecurity into water utility master planning — Part 2

Protecting critical infrastructure systems is imperative, but it is necessary to determine how to work within the context of organisational structure and budget.

By now it is well known that the cybersecurity threats are increasing in sophistication for all industries. In Part 1 of this article, the unique cybersecurity issues of water utilities were introduced, and the inadequate nature of traditional cybersecurity countermeasures that are commonly found.

While there is an understandable tendency for utilities to view any initiative related to information infrastructure, metering or process control systems as a ‘project’, by definition, projects are limited in scope and have well-defined objectives, timelines and budgets. But when it comes to safeguarding a utility’s industrial control system, a ‘set-it-and-forget-it’ project mentality can be dangerously limiting.

As a critical business objective, cybersecurity must be approached as an ongoing process, albeit one where budget projections and public relations are challenging. And where success is measured by what doesn’t happen, rather than what does.

Building the program: laying the foundation

Cybersecurity touches every aspect of a typical business. For water utilities — which have a high volume of critical assets plus complicated constituency and governance — the scope of an ICS Security Program can appear particularly daunting.

However, regardless of size or complexity of the existing infrastructure, all utilities face similar challenges. And when it comes to mitigating risk, all ICS Security Programs can deploy a common, proven methodology. That methodology must:

• begin with an assessment of business needs and the specific operational requirements of the process control system;
• identify critical assets and data that are essential to operation;
• support asynchronous technology and business change — and be adaptable to the evolving landscape and move towards active defence with minimal overhaul;
• recognise that no single product or technology will fully secure industrial networks;
• utilise a defence-in-depth strategy based on multiple countermeasures that disseminate risk over an aggregate of security mitigation techniques.¹

Stakeholders and executive buy-in

Identifying the right team to support and execute this methodology at the outset is critical. To be effective, this team must be endorsed at the executive level — and include expertise encompassing both the industrial control system and business-level networks. In utilities with limited ICS and IT expertise, incorporating a trusted third-party consultant is a viable option.

Ultimately, this team will be charged with formalising and executing the policies and procedures that will guide the utility on cybersecurity issues for years to come. And will be instrumental in determining and implementing related technologies and contingency plans.

Setting strategic priorities: know your environment

An ICS Security Program based on a defence-in-depth strategy begins with a clear understanding of the environment and what needs to be protected. Once the current state is clearly understood, utilities can determine which critical control investments will have the most impact.

Security assessment

Assessments are the starting point for any cybersecurity program. An assessment outlines a utility’s current security posture — important baselines for system availability, integrity and confidentiality.

Through an assessment, a utility can determine what is ‘normal’ from the standpoint of data entering and leaving the system. This is a crucial first step to identifying abnormalities and potential security events. In addition, an assessment evaluates the robustness of a utility’s security practice architecture — and its ability to protect ICS assets.

Effective security assessments also extend beyond the technology deployed. For example, good security assessments take into account not only networks and industrial control systems, but also existing policies, procedures and typical behaviour. In addition, automation expertise can be leveraged to provide a comprehensive review, including process control application performance within the existing infrastructure. Specifically, an assessment should include at minimum: Inventory of authorised and unauthorised devices and software. Detailed observation and documentation of system performance. Identification of tolerance thresholds and risk/vulnerability indications. Prioritisation of each vulnerability, based on impact and exploitation potential.   The final outcome of any assessment is recommended and prioritised mitigation activities. These recommended activities are often aligned with what are known as critical security controls. Security controls investment and utility master planning With the results of a security assessment and prioritised mitigation steps in hand, a utility is positioned to implement a cybersecurity program. However, while the need for a program may be well understood within the utility, justifying funding to implement recommendations can be a significant hurdle — especially when public opinion comes into play. The following factors pose public relations challenges — both within municipality governance and the broader community — and may forestall funding approval: Given finite budgets, funding a new cybersecurity investment generally means diverting funds previously allocated for other more popular purposes. In the public sphere, it’s usually easier to justify additional costs — and potential rate hikes — for improvements to the system that immediately and directly impact water delivery or quality. The benefits of a cybersecurity program are often invisible. Cybersecurity is not a one-time expenditure. Security is a commitment that commands vigilance and an ongoing investment in people, process, product and technology.   Due to these factors, aligning security controls investment closely with the utility master plan is the most effective, publicly palatable and fiscally responsible approach.

What is the NIST Cyber Security Framework (CSF)?2 The NIST Cyber Security Framework was developed by the National Institute of Standards and Technology, in concert with other US agencies and industry experts to address risks in the industrial control environment and the critical infrastructure that are controlled by them. The framework enables any organisation to apply the principles and best practices of risk management to improving the security and resilience of an industrial control infrastructure. The functions and categories that make up the framework are as follows: Identify Asset management Business environment Governance Risk assessment Risk management strategy Protect Access control Awareness and training Data security Information protection processes and procedures Maintenance Protective technology Detect Anomalies and events Security continuous monitoring Detection processes Respond Response planning Communications Analysis Mitigation Improvements Recover Recovery planning Improvements Communications The Cyber Security Framework allows for each organisation to align the effort of managing risk with their unique business requirements and priorities.

Ways to align

While not an exhaustive list by any measure, here are some specific ways a utility can implement a strategic, lifecycle approach to cybersecurity investments:

• Biggest impact first: It may go without saying, but follow the initial assessment prioritisation — and allot funds first to those investments that are most critical.
• Assess all cyber investments for risk: Most utilities routinely include mechanical risk assessments as an intrinsic part of the selection process for any investments related to the physical infrastructure. Extend this mindset to new investments that impact the IT infrastructure and industrial control system as well. Make it part of the purchasing decision.
• Invest for a more secure future: Do not silo cybersecurity. Take a ‘future-ready’ mindset to all investments — SCADA systems, process control systems, power control and monitoring systems, and software — at every level of the enterprise. Work to confirm new investments incorporate cybersecurity features — even if the utility cannot immediately activate those features. Move towards a more active defence with every investment.
• Scrutinise and limit system proliferation: Narrow the scope of system suppliers and SLAs, starting with the procurement process. The fewer disparate systems within an environment, the easier it is to secure them.
• Consider quality-based selection (QBS): This pre-selection procurement system focuses on the long-term lifecycle costs of a solution, including overall sustainability — not only upfront capital costs. QBS helps set a technology direction for the future that prioritises an integrated secure environment.
• Recognise the value of ongoing and annual assessment: A successful cybersecurity strategy requires an ongoing audit of what exactly is occurring in the system — and an annual assessment to restate or realign priorities.

Conclusion

For years, water utilities have enjoyed the limited protection intrinsic to systems that are isolated from a connected world. The industry, too, has achieved tremendous returns on investment — thanks to the seemingly timeless products that comprise their water systems and the skilled staffs that maintain them.

Although the water systems of the past may not appear very different from the day they were commissioned, the internetworking of many of these systems has changed. Typically, ‘islands of automation’ have been replaced by hybrid systems with an intermixing of old and new products — and a variety of creative methods to exchange information. Connectivity of even the older systems to business operations and potentially to the outside world has become a norm, not an exception.

Within this environment, understanding even the current system security baseline can be a challenging task for water utilities. However, the need to address cybersecurity issues has never been greater.

By viewing cybersecurity as an ongoing process and aligning critical security controls investment with the utility master plan, utilities can better identify system vulnerabilities and undertake essential mitigation steps.

References

1. US Department of Homeland Security 2009, Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth, <https://ics-cert.us-cert.gov/sites/ default/files/recommended_practices/Defense_in_Depth_ Oct09.pdf>
2. National Institute of Standards and Technology 2016, Framework for Improving Critical Infrastructure Cybersecurity, <https://www.nist.gov/sites/default/files/documents/ cyberframework/cybersecurity-framework-021214.pdf>

Image: ©stock.adobe.com/au/robynmac