Cyber Defense for Regional Water & Sewage Utilities
Author: Daniel Ehrenreich, Consultant and Lecturer, SCCE
Introduction
Water and sewage operators handle the most critical supply affecting the well-being of people, who cannot survive without these services. Regional water & sewage utilities worldwide are responsible for providing 24/7 potable water at stable pressure, and sewage removal and treatment services, in the region under their responsibility. Cyber threats, as well as mistaken actions by authorized personnel, whether intentional or not, have made cyber protection of water & sewage control infrastructures a first priority. Water utilities operate many kilometers of water pipes, pumping stations and reservoirs. Furthermore, they operate tens of lift stations, pressure modulators and treatment plants in dispersed locations. These remote-controlled installations mostly use wireless communications (licensed, unlicensed, analog, digital, cellular and other media), and the equipment at these sites is continuously controlled by a Supervisory Control and Data Acquisition (SCADA) system. This paper highlights the most typical cyber defense challenges and best-practice guidelines for deploying effective and cost-aware cyber defense for water and sewage systems.
SCADA system risks
SCADA cyber security experts are well aware of the fact that there is no single measure (no matter how expensive or advanced) that provides absolute cyber protection for water, sewage and other SCADA installations. Adding incremental cyber defense measures to existing systems, by deploying upgrades and add-on solutions, helps achieve the goals. But (!), in reality, it doesn't matter how much money your organization spends on the latest cyber security hardware, software and training; if your mission-critical systems are computer-based and connected in some form to the internet, they can never be made absolutely cyber secure. Securing SCADA systems always requires understanding the control process and a careful evaluation of the computer hardware, operating system, communication network and application software.
Most water and sewage SCADA architectures consist of one or several MS Windows™-based control centers, a variety of Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs), and a SCADA data network combining physical and wireless media. In the past, all control architectures focused on achieving operational reliability and safety, and the use of outdated hardware and operating system software was not considered a risk. Before defining the technical solution for defending your water and sewage infrastructure, you must first compile and analyze the list of expected threats and associated risks. When SCADA cyber security experts review the operating process towards achieving higher cyber defense, they shall always start by identifying and defining the potential risks to the control process that might result from hostile exploitation of vulnerabilities.
Maintaining reliable communication between the SCADA control center and remote sites (RTUs, PLCs, etc.) is important; however, the system design must assure that a short interruption does not cause an operational disruption. Among the possible risks to business continuity you may find:
- Internally (via USB) and externally (via the internet) generated attacks on the system
- Changing operating parameters, thus causing disruption of the process
- Interfering with water quality monitoring and data, which might lead to a supply outage
- Blocking information flow to the SCADA center, which might prevent optimization processes
- Interfering with pressure control and leak detection, which might lead to increased losses
- Ransomware attacks on the IT network, which might also lead to operational outages and damages
Points of penetration
A vulnerability analysis aims to identify the potential points of penetration:
- Unauthorized (but detected) entry of people to remote sites (pumping and valve stations)
- Irresponsible or mistaken actions by authorized people who have access to SCADA equipment
- Unauthorized "backdoor connections" left on site by employees or external service personnel
- Industrial IoT (IIoT) devices added via wireless connection that are not properly authenticated
- Poorly secured connections between SCADA components and internet nodes
Securing the SCADA system
As stated above, there isn't a single defense mechanism ("no silver bullet") that provides complete cyber defense for the entire control system. Deploying a layered defense is the right direction towards achieving a higher (even if not absolute) level of protection.
The following cyber defense measures may be applicable to water and sewage utilities:
- Deployment of physical security measures (cameras, access control, fences) at field sites and the SCADA control center is an "absolute must" for minimizing the risk of unauthorized access.
- Effective hardening (blocking/disabling) of all unused or unneeded communication ports and features on SCADA computers, communication devices and field control units (RTUs, PLCs).
- Strict adherence to the two P's in the PPT triad, such as policies on passwords, exclusive use of SCADA computers, prevention of connecting 3rd-party service computers, training and drills, etc.
- Deployment of segregation and zoning using SCADA-aware firewalls. Use of manageable switches capable of connecting fiber and copper media provides enhanced security.
- Controlling access to RTUs and PLCs through strong authentication. These cyber defense measures are combined with physical access monitoring at the remote sites and at gates.
- Use of stateful firewalls that inspect incoming and outgoing data packets with short-latency technology ensures that the control process is not negatively impacted.
- Deployment of "whitelisting" cyber defense assures that no unauthorized software code can be installed on any SCADA-related component.
- Industrial Intrusion Detection Systems (IIDS) are capable of detecting anomalous data traffic and irregular processes. These shall be monitored at multiple nodes in the SCADA architecture.
- Deployment of measures for detecting and blocking Denial of Service (DoS and Distributed DoS) attacks on the IT section is also effective. These measures help to assure business continuity.
- Use of a unidirectional diode for securely communicating SCADA-related process data, data collection and the sending of management reports without risking the database and the SCADA process.
- Utilizing secured wireless and physical communication is important. When dealing with a wide-area network, these measures may minimize the risk of Man-in-the-Middle (MitM) attacks.
- Implementing measures for analyzing events with Security Information and Event Management (SIEM) and a Security Operations Center (SOC) can be used to expedite security alerts.
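To make the zoning, allow-listing and parameter-change detection measures above concrete, here is an added example written for this page (not the article author's code or any product's): a small policy check, run over constructed event records, that blocks writes from hosts outside the control center, writes to tags not on the allow-list, and set-point changes outside engineering limits. The event format, addresses, tag names and limits are all assumed values.

```python
# Added example (not from the article): SCADA-aware allow-list check that
# combines zoning (who may READ/WRITE), a tag allow-list and engineering-range
# checks on set-points. All hosts, tags, limits and records are constructed.
from dataclasses import dataclass

# Zoning policy (assumed addresses): only the control-center HMI may WRITE;
# any host in the SCADA zone may READ; everything else is blocked.
CONTROL_CENTER = {"10.10.1.5"}
SCADA_ZONE = {"10.10.1.5", "10.10.1.9"}
# Engineering limits per writable tag (constructed sample values).
SETPOINT_LIMITS = {
    "PUMP1_PRESSURE_SP": (2.0, 6.0),  # bar
    "CL2_DOSE_SP": (0.2, 1.5),        # mg/L
}

@dataclass
class Verdict:
    action: str  # "ALLOW" or "BLOCK"
    reason: str

def evaluate(record: str) -> Verdict:
    # Constructed line format: "<time> <src> <dst> <op> <tag> <value>"
    _ts, src, _dst, op, tag, value = record.split()
    if op == "READ":
        if src in SCADA_ZONE:
            return Verdict("ALLOW", "read from SCADA zone")
        return Verdict("BLOCK", f"read from non-SCADA host {src}")
    if op == "WRITE":
        if src not in CONTROL_CENTER:
            return Verdict("BLOCK", f"write from non-control-center host {src}")
        if tag not in SETPOINT_LIMITS:
            return Verdict("BLOCK", f"write to tag {tag} not on allow-list")
        lo, hi = SETPOINT_LIMITS[tag]
        if not lo <= float(value) <= hi:
            return Verdict("BLOCK", f"{tag}={value} outside {lo}-{hi}")
        return Verdict("ALLOW", "authorized write within engineering limits")
    return Verdict("BLOCK", f"unknown operation {op}")

# Constructed traffic: a legitimate set-point change, a read, a write from a
# foreign host, an out-of-range write, and a write to a non-allow-listed tag.
SAMPLE_TRAFFIC = [
    "2018-10-01T08:00:00 10.10.1.5 10.20.3.11 WRITE PUMP1_PRESSURE_SP 4.5",
    "2018-10-01T08:00:05 10.10.1.9 10.20.3.11 READ PUMP1_PRESSURE_SP -",
    "2018-10-01T08:01:00 192.168.50.7 10.20.3.11 WRITE PUMP1_PRESSURE_SP 4.5",
    "2018-10-01T08:02:00 10.10.1.5 10.20.3.11 WRITE PUMP1_PRESSURE_SP 9.0",
    "2018-10-01T08:03:00 10.10.1.5 10.20.3.11 WRITE PUMP1_MODE 1",
]

def blocked(records):
    """Return (record, reason) for every event the policy would block."""
    verdicts = [(r, evaluate(r)) for r in records]
    return [(r, v.reason) for r, v in verdicts if v.action == "BLOCK"]
```

The same verdicts could feed a SIEM or an IIDS alert rather than an inline block, which is how the firewall and monitoring measures above complement each other.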
Summary and Conclusions
Water and sewage utilities operating worldwide are considered critical infrastructures, as they directly affect the well-being and health of citizens. With the growth of sophisticated cyber capabilities among attackers who are financed and directed by countries and hostile organizations, protecting SCADA systems (which use legacy hardware, software and communication) has become a complex task.
Water and sewage utility management must deploy a modern, layered and incrementally improving approach combining a range of technical solutions, suitable policies, and training and drills (the PPT triad), each targeting a dedicated SCADA segment. Financial investment and the allocation of trained personnel shall match the level of risk, and must be adequate for keeping your cyber defense at least a step ahead of the attackers.
Daniel Ehrenreich, BSc., is a Consultant and Lecturer at Secure Communications and Control Experts, teaching at cyber security colleges and presenting at ICS cyber defense conferences. Daniel has over 25 years' engineering experience with electricity, water, gas and power plant systems as part of his activities at Tadiran, Motorola, Siemens and Waterfall Security. He was selected as Chairman of ICS Cybersec 2018, taking place on 11-10-2018 in Israel.