ISA Interchange

Welcome to the official blog of the International Society of Automation (ISA).

This blog covers numerous topics on industrial automation such as operations & management, continuous & batch processing, connectivity, manufacturing & machine control, and Industry 4.0.

The material and information contained on this website is for general information purposes only. ISA blog posts may be authored by ISA staff and guest authors from the automation community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

How to Protect Water and Wastewater Facilities from Cyberattack

 

This guest post was authored by David Mattes, director of engineering at VMWare.

 

“If you aren’t scared yet, you haven’t been paying attention.”  So goes the aphorism for modern times, and it applies equally well to industrial cybersecurity.  Conclusive proof is hard to come by, but consider the supporting evidence: U.S. presidential executive orders, vulnerabilities markets for ICS, U.S. Secretary of Defense warnings of a “cyber Pearl Harbor”, extremely low patch uptake for ICS/IT automation components, vast and varied ICS CERT warnings, Internet census reports of huge populations of exposed ICS systems.  Before Stuxnet, stories like this just didn’t get any attention if they were even published.  All industries are affected.  Water and wastewater environments are no different, and in fact are particularly attractive to threat actors not only because they are the foundation of advanced societies, but because they are easy targets.

 

 

Because water and wastewater environments are critical infrastructure that have stringent availability and quality requirements, operators have a duty to protect these systems from cyberattack.  When trying to balance the surety with the risk, there are many challenges that have opposing forces, and network connectivity is a classic example of trying to make progress in one domain (e.g. reduced downtime), while backsliding in another (e.g. cyber risk exposure).

Despite the cybersecurity challenges associated with increasing connectivity, industry and government organizations are making steady progress.  How do you get caught up on the progress on security standards and best practices?  How does this progress turn into actionable steps you can take at your utility to strengthen the cybersecurity and increase the robustness of your industrial systems?  These are tough questions to answer, but ultimately this is where the rubber meets the road.  This is a big responsibility.  Are you up for it?  I hope so, because we all depend on you for our high quality of life.

To stay current, you have to get involved in the discussions that are happening.  The hardest step is the first step.  Beyond this, simply keep going.  The ISA participates in the cybersecurity discussion with ISA 99, ISA Secure, and ISA 100.  The U.S. government has some great resources, including ICS-CERT, ICSJWG, NIST Special Publications (SP 800-82 focuses on ICS Security).  If you work for a water utility, DHS offers free ICS Security trainingSANS also provides training and resources (20 critical security controls).  Most large North American electric utilities are regulated by FERC, and the CIP standards published by NERC are worthwhile reading, at least from the perspective of what may eventually happen in the water industry.  Finally, there are various LinkedIn groups with active discussions about ICS security.

My cybersecurity focus is on standards and solutions for network segmentation, which seeks to minimize network connectivity to the absolute minimum.  As Ralph Langner, the researcher who cracked the Stuxnet code, discusses in his book Robust Control System Networks, automation systems are not well-suited to large, flat and open networks.  Network segmentation is about applying the principle of least privilege to network communications, and when implemented in automation networks, you can achieve environments that are more robust, resilient and secure.

The ISA TR100.15.01 document presents an architecture model that describes how to segment, secure, and manage communications over trusted and untrusted networks.  When combined with the IF-MAP and ICS Security standards from the Trusted Computing Group (TCG) and the Host Identity Protocol (HIP) from the Internet Engineering Task Force (IETF), a picture emerges of how to create scalable, manageable, industrial cybersecurity products that are a natural fit for water utilities.

What makes a good fit?  A security solution must be “secure by default,” easy to use, flexible to changing environments, self-documenting and integrate well with other defensive layers.  Most importantly, a security solution must support and enhance the availability, robustness and resiliency of the automation systems.  By supporting our water resources, you play a vital role in our great society.  As part of this responsibility, I challenge you to stay abreast of the cybersecurity issues and challenges facing your industry, and standards-based solutions that can make a real difference.  Together we can rise to the occasion.

 

ISA offers standards-based industrial cybersecurity training, certificate programs, conformity assessment programs, and technical resources. Please visit the following ISA links for more information:

 

About the Author
David Mattes is director of engineering at VMWare. He previously founded Asguard Networks to create products that address the challenge of managing connectivity and information security for industrial control systems (ICS). Prior to Asguard Networks, David spent 13 years in Boeing’s R&D organization. At Boeing, David focused on ICS security issues, particularly on the challenge of segmenting connectivity for ICS devices into private networks and securely connecting them to and through Boeing’s enterprise networks. David was the co-creator and technical and implementation lead on an architecture that not only satisfied Boeing’s InfoSec governance and security requirements, but also met the needs of the end users. He received a master's degree in electrical engineering from the University of Washington and a bachelor's degree in electrical engineering from the University of New Mexico.

 

Connect with David
LinkedInTwitter

 


Related Posts

Ask the Automation Pros: The Use of Artificial Intelligence in Process Control

The following discussion is part of an occasional series, "Ask the Automation Pros," authored by Greg McM...
Greg McMillan Nov 12, 2024 4:30:00 PM

Protecting Electrical Terminal Blocks From Tampering

Electrical terminal blocks are a common sight in the automation world. Usually mounted on DIN rail in ind...
Anna Goncharova Nov 8, 2024 10:30:00 AM

How to Access ISA Technical Content

You Have Questions? ISA Has Answers. Serving up member-generated technical content related to standards, ...
Renee Bassett Nov 5, 2024 7:00:00 AM