Protecting Water Utilities From Cyber Threats

PB 25 Rockwell newlogo 400

September 13, 2021

By Janine Nielsen, Business Development Manager, Water/Wastewater Industry, Rockwell Automation

Water utilities are just the latest industry to experience high-profile cyber incidents.

Earlier this year, a hacker breached a California water treatment plant and removed programs used to clean water. In another incident that made national headlines, a hacker gained remote access to a Florida treatment plant and increased the amount of lye in the treatment process – a change that a plant employee fortunately noticed and quickly corrected.

Going back to a time when water utilities were less connected isn’t an option. COVID-19 demanded connected operations so employees could work remotely. And “smart water” capabilities like real-time monitoring and remote connectivity are increasingly essential to helping water utilities quickly respond to challenges like population changes and more severe weather events.

The best thing water utilities can do is address the challenge head on, with a comprehensive approach to cybersecurity.

Start with a plan

A cybersecurity plan isn’t only essential for securing your operations, it’s required by the United States Environmental Protection Agency.

The American Water Infrastructure Act (AWIA) requires that all community water systems serving populations of 3,300 people or more carry out two risk management activities every five years.

First, you must complete a risk-and-resilient assessment, formerly known as a vulnerability assessment. Second, you must complete an emergency response plan.

It’s important to note that, while the AWIA previously only required that physical security considerations be addressed in these activities, it now requires that the activities also address cyber risks to a plant’s process control system.

Know your assets, know your risks

You can’t assess the risks in your operations until you assess the assets in them. That’s because you can only secure what you know exists. And unfortunately, most people don’t know all the devices that have been placed on their network over the years.

An installed base evaluation (IBE) can provide a complete assessment of all devices connected to your network. If you perform the IBE yourself, make sure your IT and operational technology (OT) teams are collaborating from the start. These teams have different technologies and sometimes competing priorities, so it’s crucial that they be on the same page from the start of the IBE.

Many plants choose to hire IT and OT pros to conduct their IBE. If you go this route, it’s again important to make sure you’re bringing in both IT and OT expertise. Cisco and Rockwell Automation, for example, offer a “best of both worlds” approach, bringing unparalleled IT and OT expertise to an IBE.

The findings of an IBE can be eye-opening. Plant staff may go into the process with a high level of confidence that their operations are secure because they’ve invested in high-quality devices, only to find that the IBE reveals several vulnerabilities. Just some of the risks that we’ve identified during an IBE include uninstalled security patches, unauthorized remote connections made by subcontractors, decommissioned assets that are still connected and more.

Developing a plan

An IBE will help inform the development of your cybersecurity plan. But your plan should also address some key objectives.

First, it should be aligned with security standards and regulations, such as the NIST security framework, ISA/IEC 62443 and ISA84/IEC TC65. Your plan should also use a defense-in-depth security approach. This involves using multiple layers of protection to mitigate threats.

If you feel overwhelmed by the task at hand or are unsure where to start, a number of resources are available to help you in your journey to more secure water or wastewater operations.

The American Water Works Association (AWWA) tool can help you meet the AWIA’s requirements. And free Converged Plantwide Ethernet (CPwE) design guides from Rockwell Automation and Cisco offer design guidance and best practices for deploying a scalable, robust, secure, and future-ready industrial network architecture.

Watch the on-demand webinar, “The Critical Role of Network Security in Water Utilities,” to learn more.


Related Articles

Editor’s Pick: Featured Article

Weidmüller’s u-control 2000: The Automation Controller

Weidmüller’s u-control 2000: The Automation Controller

Weidmüller’s scalable engineering software, u-control 2000, adapts individually to your requirements. And, the u-control is powerful, compact and fully compatible with Weidmüller’s I/O system u-remote. This article looks at what makes u-control the heart of your automation.

Programmable logic controllers (PLCs) are one of the main components of any automated system. A typical control system has inputs, outputs, controllers (i.e., PLCs), and some type of human interaction with the system, a human machine interface (HMI), for example.

Read More

Latest Articles

  • Q&A with HELU: Cables for the Production of Biogas

    April 15, 2024 The biogas industry involves the production of biogas through the anaerobic digestion of organic materials such as agricultural or municipal waste. Biogas and biomethane are considered the fastest-growing forms of bioenergy. Their combined market share in total demand is anticipated to be between 12 – 20% by 2040, according to the International… Read More…

  • ABB’s Care and Modernization Services Breathe Second Life into Legacy Equipment

    April 3, 2024 The most comprehensive and sustainable options for extending product life In today’s world with environmental concerns top of mind, ABB offers sustainable options to extend equipment life through refurbishment and repair—which support a circular economy and reduce landfill footprints. In this context, ABB Canada’s Brampton facility is recognized for offering customized solutions… Read More…