Safeguarding critical infrastructure: Addressing threats to the water sector
Despite being designated as critical infrastructure, many of the nation's public water and wastewater facilities are considered antiquated and outdated.
Recent foreign cyberattacks targeting the water systems highlight the increasing threat to not just this one vital sector but to all of our nation’s critical infrastructure sectors at large. These incidents have resulted in customer data loss, prompting a cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and other agencies. The advisory emphasizes the need for fundamental cybersecurity measures and highlights significant vulnerabilities in water system security practices.
Despite being designated as critical infrastructure, many of the nation’s public water and wastewater facilities are considered antiquated and outdated due to resource constraints, even as they adopt digital infrastructure like sensors and network-connected systems. This gap leaves systems vulnerable to attacks, with inadequate incident response coordination and information sharing increasing the risks.
To bolster cybersecurity, agencies and critical infrastructure organizations must prioritize adopting a comprehensive approach to modernization and protection. This includes implementing zero trust measures to mitigate risks, enhancing incident response processes to improve resilience and recovery capabilities, and sharing resources efficiently. As you’ll see, implementing zero trust does not have to be difficult.
Laying the security groundwork
Like other critical infrastructure sectors, the water sector relies heavily on operational technology (OT) systems and is often integrated with Internet of Things (IoT) systems. Many of these OT systems are legacy technologies that are not up to current cybersecurity standards, making this IoT/OT landscape incredibly ripe for “cyber-physical” incidents.
In fact, escalating threats to critical infrastructure, including the targeting and compromising of OT systems and industrial control systems (ICS) in the water sector, have resulted in the federal government sounding the alarm over malicious cyber actors who now pose physical threats against “insecure and misconfigured OT environments.”
Securing OT/IoT systems is paramount, and zero trust frameworks offer a layered defense strategy. This approach ensures the security of critical systems while enabling efficient data exchange with internet-connected IT systems. Enhanced visibility and traffic monitoring further safeguard against potential threats, including command-and-control attacks.
Enter zero trust
Adopting zero trust architectures is a crucial step in hardening remote access to ICS devices that rely on a mix of IT and OT assets. In the absence of zero trust, systems can become key attack vectors and another entry point for malicious actors.
Zero trust operates under the principle of “never trust, always verify,” and is inherently designed to reduce a network’s attack surface, prevent lateral movement of threats, and lower the risk of a data breach. A zero trust security model leverages least-privileged access controls, granular micro-segmentation, and multifactor authentication (MFA) to provide continuous verification of identities and devices, regardless of location, type or network connection.
By implementing a zero trust approach, critical infrastructure operators and agencies will have more effective OT security, with adaptive, context-based application access that doesn’t depend on network access and users only having access to the applications and systems necessary for their job.
Crucially, the correct zero trust solution must not require refactoring applications or OT controllers that cannot be modified. A good litmus test for zero trust is one in which the solution can use the network but does not depend on it for security.
Finding the right tools
Concurrently, critical infrastructure organizations and agencies must enhance their incident response capabilities. Resources like CISA’s Cyber Incident Response Guide for the Water and Wastewater Sector provide a framework for effective incident management, covering preparation, detection, containment, eradication, recovery and post-incident activities. Standardized tools and collaboration platforms facilitate information sharing and coordination among utilities and supporting organizations.
Collaboration at all levels, including federal, state and local, and between critical infrastructure operators, government and industry is crucial for maximizing resources and enhancing cybersecurity across these vital sectors. By pooling resources and expertise, technology and cyber leaders can make meaningful strides in safeguarding information and OT systems in water and wastewater facilities.
By embracing modern cybersecurity solutions and leveraging available resources, the water and wastewater sector can lead by example in public sector cybersecurity, ensuring the resilience and security of critical infrastructure essential for safeguarding our communities and nation.
Federal agencies must also serve as role models for secure and resilient systems by securing outdated technology while simultaneously modernizing security processes and supporting critical infrastructure operators with their digital modernization efforts. Again, securing outdated technology requires using zero trust solutions that do not force refactoring of applications or controllers nor depending on the network to provide that security. Otherwise, critical infrastructure sectors will remain easy targets, and the prospect of devastating disruptions to essential services will grow.
Adopting zero trust is a journey. While OT presents challenges to implementing zero trust and modern security, federal leadership in support of greater collaboration, standardization and accountability is an effective way to secure critical infrastructure sectors from malicious threat actors.
Hansang Bae is public sector chief technology officer at Zscaler.
Safeguarding critical infrastructure: Addressing threats to the water sector
Despite being designated as critical infrastructure, many of the nation's public water and wastewater facilities are considered antiquated and outdated.
Recent foreign cyberattacks targeting the water systems highlight the increasing threat to not just this one vital sector but to all of our nation’s critical infrastructure sectors at large. These incidents have resulted in customer data loss, prompting a cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and other agencies. The advisory emphasizes the need for fundamental cybersecurity measures and highlights significant vulnerabilities in water system security practices.
Despite being designated as critical infrastructure, many of the nation’s public water and wastewater facilities are considered antiquated and outdated due to resource constraints, even as they adopt digital infrastructure like sensors and network-connected systems. This gap leaves systems vulnerable to attacks, with inadequate incident response coordination and information sharing increasing the risks.
To bolster cybersecurity, agencies and critical infrastructure organizations must prioritize adopting a comprehensive approach to modernization and protection. This includes implementing zero trust measures to mitigate risks, enhancing incident response processes to improve resilience and recovery capabilities, and sharing resources efficiently. As you’ll see, implementing zero trust does not have to be difficult.
Laying the security groundwork
Like other critical infrastructure sectors, the water sector relies heavily on operational technology (OT) systems and is often integrated with Internet of Things (IoT) systems. Many of these OT systems are legacy technologies that are not up to current cybersecurity standards, making this IoT/OT landscape incredibly ripe for “cyber-physical” incidents.
Discover how agencies ensure end-to-end security of software development in our new ebook, sponsored by Synack.
In fact, escalating threats to critical infrastructure, including the targeting and compromising of OT systems and industrial control systems (ICS) in the water sector, have resulted in the federal government sounding the alarm over malicious cyber actors who now pose physical threats against “insecure and misconfigured OT environments.”
Securing OT/IoT systems is paramount, and zero trust frameworks offer a layered defense strategy. This approach ensures the security of critical systems while enabling efficient data exchange with internet-connected IT systems. Enhanced visibility and traffic monitoring further safeguard against potential threats, including command-and-control attacks.
Enter zero trust
Adopting zero trust architectures is a crucial step in hardening remote access to ICS devices that rely on a mix of IT and OT assets. In the absence of zero trust, systems can become key attack vectors and another entry point for malicious actors.
Zero trust operates under the principle of “never trust, always verify,” and is inherently designed to reduce a network’s attack surface, prevent lateral movement of threats, and lower the risk of a data breach. A zero trust security model leverages least-privileged access controls, granular micro-segmentation, and multifactor authentication (MFA) to provide continuous verification of identities and devices, regardless of location, type or network connection.
By implementing a zero trust approach, critical infrastructure operators and agencies will have more effective OT security, with adaptive, context-based application access that doesn’t depend on network access and users only having access to the applications and systems necessary for their job.
Crucially, the correct zero trust solution must not require refactoring applications or OT controllers that cannot be modified. A good litmus test for zero trust is one in which the solution can use the network but does not depend on it for security.
Finding the right tools
Concurrently, critical infrastructure organizations and agencies must enhance their incident response capabilities. Resources like CISA’s Cyber Incident Response Guide for the Water and Wastewater Sector provide a framework for effective incident management, covering preparation, detection, containment, eradication, recovery and post-incident activities. Standardized tools and collaboration platforms facilitate information sharing and coordination among utilities and supporting organizations.
Collaboration at all levels, including federal, state and local, and between critical infrastructure operators, government and industry is crucial for maximizing resources and enhancing cybersecurity across these vital sectors. By pooling resources and expertise, technology and cyber leaders can make meaningful strides in safeguarding information and OT systems in water and wastewater facilities.
Read more: Commentary
Taking a sector-wide approach
By embracing modern cybersecurity solutions and leveraging available resources, the water and wastewater sector can lead by example in public sector cybersecurity, ensuring the resilience and security of critical infrastructure essential for safeguarding our communities and nation.
Federal agencies must also serve as role models for secure and resilient systems by securing outdated technology while simultaneously modernizing security processes and supporting critical infrastructure operators with their digital modernization efforts. Again, securing outdated technology requires using zero trust solutions that do not force refactoring of applications or controllers nor depending on the network to provide that security. Otherwise, critical infrastructure sectors will remain easy targets, and the prospect of devastating disruptions to essential services will grow.
Adopting zero trust is a journey. While OT presents challenges to implementing zero trust and modern security, federal leadership in support of greater collaboration, standardization and accountability is an effective way to secure critical infrastructure sectors from malicious threat actors.
Hansang Bae is public sector chief technology officer at Zscaler.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Related Stories
AI-enabled digital twins are transforming government critical infrastructure
DHS names China, AI, cyber standards as key priorities for critical infrastructure
Pro-Russian hacktivists have breached American critical infrastructure networks