Route 66 runs through downtown Albuquerque, New Mexico. Kristin Sanders, CISO for the Albuquerque Bernalillo County Water Utility Authority, described how New Mexico’s largest water and wastewater utility has been addressing the security problem. (Asaavedra32, CC BY-SA 3. https://creativecommons.org/licenses/by-sa/3., via Wikimedia Commons)
As critical infrastructure services increasingly converge their IT and OT systems, visibility into traditionally isolated operational systems is becoming an essential security challenge. Kristin Sanders, chief information security officer for the Albuquerque Bernalillo County Water Utility Authority, described last week how New Mexico’s largest water and wastewater utility has been addressing this problem by leveraging a series of software solutions, sensors and internet-of-things technology.
Recognizing that the ABCWUA is “ahead of a lot of the water authorities” across the U.S. in terms of IT/OT modernization and compliance with the Water Infrastructure Act of 2018, Sanders offered advice to utilities that are looking to make similar progress. She advised starting by focusing on the Center for Internet Security’s top 20 controls and resources, “and then see how you can implement some different solutions to really knock out some of that low-hanging fruit.”
From an economics point of view, solutions that can be implemented simultaneously across both IT and OT environments – such as secure-access platforms with two-factor or multi-factor authentication – are a good place for a utility to start, she added, speaking in an online webinar organized by Cisco Systems.
“You can really make sure that you use this product across multiple things – RDP, VPN, email – all that are constantly being attacked,” said Sanders, noting that ABCWUA’s solution from Cisco and Duo Security processes over 12,000 authorizations per month.
The same philosophy applies to ABCWUA’s deployment of its cloud-based enterprise network security application. “We’re able to roll that out not only for our desktop computers and for laptops and for VPN clients, but even for mobile devices,” said Sanders. “So we’re able to take this one product and use it across a whole bunch of different endpoints to ensure that we’re getting full protection.”
Another key step is investing in training for staff members so they understand both IT and OT operations, not just one or the other. “It wasn’t something that we were ever expected to need to know in the past,” said Sanders. But times change, so “one of the great things that we did was we actually hired somebody who was familiar with the operation side, and actually brought him in on the IT side” to help train the IT team, said Sanders.
The authority, which serves more than 650,000 people and has had more than 100,000 smart meters installed since fall 2012, had historically kept its OT processes air-gapped and separate from IT. “Now we’re starting to see a convergence of these two into IoT, [although] historically the two groups never really worked a whole lot with each other,” said Sanders.
So far, “it’s been going really well,” she said. However, such modernization is not without risk. Infosec professionals at the plant must worry about malicious actors potentially sabotaging OT systems using the connected IT systems as an initial vector of compromise. Such an attack could theoretically affect the utility’s 3,000+ miles of water supply pipeline, 2,400 miles of sewer collector pipeline or its dual groundwater/surface water supply system.
Such risks were highlighted last February when it was disclosed that a malicious hacker attempted to poison the Oldsmar, Florida water supply after hijacking a remote access system used by staff at the city’s water treatment plant.
To control this threat, a utility’s security team must have visibility into OT activity. However, “there tends to be very antiquated equipment that runs within these industrial control environments,” and monitoring at the ABCWUA has traditionally been done manually, with staff watching operations on a screen, Sanders explained. “A lot of times, the security was kind of an afterthought; it was not built into the product initially because it was never meant to ever talk to a network,” she continued.
As IT and OT converged, untrained IT staffers were unsure at first as to what an attack might look like. “Because there is no way of knowing that there’s an anomaly if you have no clue what normal even looks like,” explained Sanders.
But the utility’s staff has started to gain better network traffic visibility after deploying the industrial IoT security and visibility solution Cyber Vision from Cisco and integrating it with smart sensors and newly implemented industrial switches.
“It will do the baselining for you so you can start to build out this idea of what normal traffic is,” said Sanders. “That way you can see when something abnormal happens.” Now, the authority has visibility into its inventory of OT assets and endpoints, and it can detect new devices connecting to its systems and send alerts accordingly.
As part of its modernization, the authority also implemented a firewall management center, a secure access and policy management platform, a network controller and management dashboard, and a video conferencing system.
According to Sanders, the improved security infrastructure has put the utility in a position to ensure “staff safety and also the safety of our water.”
Some parts of this article are sourced from:
www.scmagazine.com