“If you aren’t scared yet, you haven’t been paying attention.” So goes the aphorism for modern times, and it applies equally well to industrial cybersecurity. Conclusive proof is hard to come by, but consider the supporting evidence: U.S. presidential executive orders, vulnerabilities markets for ICS, U.S. Secretary of Defense warnings of a “cyber Pearl Harbor”, extremely low patch uptake for ICS/IT automation components, vast and varied ICS CERT warnings, Internet census reports of huge populations of exposed ICS systems. Before Stuxnet, stories like this just didn’t get any attention if they were even published. All industries are affected. Water and wastewater environments are no different, and in fact are particularly attractive to threat actors not only because they are the foundation of advanced societies, but because they are easy targets.
Because water and wastewater environments are critical infrastructure that have stringent availability and quality requirements, operators have a duty to protect these systems from cyberattack. When trying to balance the surety with the risk, there are many challenges that have opposing forces, and network connectivity is a classic example of trying to make progress in one domain (e.g. reduced downtime), while backsliding in another (e.g. cyber risk exposure).
Despite the cybersecurity challenges associated with increasing connectivity, industry and government organizations are making steady progress. How do you get caught up on the progress on security standards and best practices? How does this progress turn into actionable steps you can take at your utility to strengthen the cybersecurity and increase the robustness of your industrial systems? These are tough questions to answer, but ultimately this is where the rubber meets the road. This is a big responsibility. Are you up for it? I hope so, because we all depend on you for our high quality of life.
To stay current, you have to get involved in the discussions that are happening. The hardest step is the first step. Beyond this, simply keep going. The ISA participates in the cybersecurity discussion with ISA 99, ISA Secure, and ISA 100. The U.S. government has some great resources, including ICS-CERT, ICSJWG, NIST Special Publications (SP 800-82 focuses on ICS Security). If you work for a water utility, DHS offers free ICS Security training. SANS also provides training and resources (20 critical security controls). Most large North American electric utilities are regulated by FERC, and the CIP standards published by NERC are worthwhile reading, at least from the perspective of what may eventually happen in the water industry. Finally, there are various LinkedIn groups with active discussions about ICS security.
My cybersecurity focus is on standards and solutions for network segmentation, which seeks to minimize network connectivity to the absolute minimum. As Ralph Langner, the researcher who cracked the Stuxnet code, discusses in his book Robust Control System Networks, automation systems are not well-suited to large, flat and open networks. Network segmentation is about applying the principle of least privilege to network communications, and when implemented in automation networks, you can achieve environments that are more robust, resilient and secure.
The ISA TR100.15.01 document presents an architecture model that describes how to segment, secure, and manage communications over trusted and untrusted networks. When combined with the IF-MAP and ICS Security standards from the Trusted Computing Group (TCG) and the Host Identity Protocol (HIP) from the Internet Engineering Task Force (IETF), a picture emerges of how to create scalable, manageable, industrial cybersecurity products that are a natural fit for water utilities.
What makes a good fit? A security solution must be “secure by default,” easy to use, flexible to changing environments, self-documenting and integrate well with other defensive layers. Most importantly, a security solution must support and enhance the availability, robustness and resiliency of the automation systems. By supporting our water resources, you play a vital role in our great society. As part of this responsibility, I challenge you to stay abreast of the cybersecurity issues and challenges facing your industry, and standards-based solutions that can make a real difference. Together we can rise to the occasion.
ISA offers standards-based industrial cybersecurity training, certificate programs, conformity assessment programs, and technical resources. Please visit the following ISA links for more information:
- ISA Global Cybersecurity Alliance
- Cybersecurity Resources Portal
- Cybersecurity Training
- IEC 62443 Conformance Certification
- Family of Standards
- ISA/IEC 62443 Cybersecurity Certificate Programs
- Suite of Security Standards
About the Author
David Mattes is director of engineering at VMWare. He previously founded Asguard Networks to create products that address the challenge of managing connectivity and information security for industrial control systems (ICS). Prior to Asguard Networks, David spent 13 years in Boeing’s R&D organization. At Boeing, David focused on ICS security issues, particularly on the challenge of segmenting connectivity for ICS devices into private networks and securely connecting them to and through Boeing’s enterprise networks. David was the co-creator and technical and implementation lead on an architecture that not only satisfied Boeing’s InfoSec governance and security requirements, but also met the needs of the end users. He received a master's degree in electrical engineering from the University of Washington and a bachelor's degree in electrical engineering from the University of New Mexico.