Route 66 runs through downtown Albuquerque, New Mexico. Kristin Sanders, CISO for the Albuquerque Bernalillo County Water Utility Authority, revealed how New Mexico’s largest water and wastewater utility has been addressing the security challenge. (Asaavedra32, CC BY-SA 3.0 https://creativecommons.org/licenses/by-sa/3.0, via Wikimedia Commons)
As critical infrastructure facilities increasingly converge their IT and OT systems, visibility into traditionally isolated operational systems is becoming a key security challenge. Kristin Sanders, chief information security officer for the Albuquerque Bernalillo County Water Utility Authority, revealed last week how New Mexico’s largest water and wastewater utility has been addressing this challenge by leveraging a series of software solutions, sensors and internet-of-things technology.
Recognizing that the ABCWUA is “ahead of a whole lot of the water authorities” across the U.S. in terms of IT/OT modernization and compliance with the Water Infrastructure Act of 2018, Sanders offered advice to utilities that are seeking to make similar progress. She suggested starting by focusing on the Center for Internet Security’s top 20 controls and resources, “and then see how you can employ some different solutions to really knock out some of that low-hanging fruit.”
From an economics point of view, solutions that can be applied simultaneously across both IT and OT environments – such as secure-access platforms with two-factor or multi-factor authentication – are a good place for a utility to start, she added, speaking in an online webinar organized by Cisco Systems.
“You can actually make sure that you use this product across several things – RDP, VPN, email – all of which are continuously being attacked,” said Sanders, noting that ABCWUA’s solution from Cisco and Duo Security processes over 12,000 authorizations per month.
The same philosophy applies to ABCWUA’s installation of its cloud-based enterprise network security software. “We’re able to roll that out not only for our desktop computers and for laptops and for VPN clients, but even for mobile devices,” said Sanders. “So we’re able to take this one solution and use it across a whole bunch of different endpoints to be sure that we’re getting full coverage.”
Another key step is investing in training for staff so they understand both IT and OT functions, not just one or the other. “It was not something that we were ever expected to need to know in the past,” said Sanders. But times change, so “one of the great things that we did was we actually hired somebody who was familiar with the operation side, and actually brought him in on the IT side” to help train the IT staff, said Sanders.
The authority, which serves more than 650,000 customers and has had more than 100,000 smart meters installed since fall 2012, had historically kept its OT processes air gapped and separate from IT. “Now we’re starting to see a convergence of these two into IoT, [although] typically the two groups never really worked a whole lot with each other,” said Sanders.
So far, “it’s been going really well,” she said. Still, this kind of modernization is not without risk. Infosec professionals at the plant must worry about malicious actors potentially sabotaging OT systems using the connected IT systems as an initial vector of compromise. Such an attack could theoretically affect the utility’s 3,000+ miles of water supply pipeline, 2,400 miles of sewer collector pipeline or its dual groundwater/surface water supply system.
Such risks were highlighted last February when it was revealed that a malicious hacker attempted to poison the Oldsmar, Florida water supply after hijacking a remote access system used by staff at the city’s water treatment plant.
To address this risk, a utility’s security staff must have visibility into OT activity. However, “there tends to be really antiquated equipment that operates within these industrial control environments,” and monitoring at the ABCWUA has traditionally been done manually, with staff checking operations on a monitor, Sanders explained. “A lot of times, the security was kind of an afterthought; it was not built into the product initially because it was never meant to ever talk to a network,” she continued.
As IT and OT converged, untrained IT staffers were unsure at first as to what an attack might look like. “Because there’s no way of knowing that there’s an anomaly if you have no clue what normal even looks like,” explained Sanders.
But the utility’s team has begun to gain improved network traffic visibility after deploying the industrial IoT security and visibility solution Cyber Vision from Cisco and integrating it with smart sensors and newly implemented industrial switches.
“It will do the baselining for you so you can start to build out this idea of what normal traffic is,” said Sanders. “That way you can see when something abnormal happens.” Now, the authority has visibility into its inventory of OT assets and endpoints, and it can detect new devices connecting to its systems and send alerts accordingly.
As part of its modernization, the authority also implemented a firewall management center, a secure access and policy management platform, a network controller and management dashboard, and a video conferencing system.
According to Sanders, the improved security infrastructure has placed the utility in a position to ensure “staff safety and also the safety of our water.”
Some parts of this article are sourced from:
www.scmagazine.com