Unintentional and intentional cyber incidents on our nation’s critical infrastructure have repeatedly uncovered the vulnerabilities of our connected world. While there are no federal regulations that mandate how water utilities should protect themselves against cybersecurity threats, states are beginning to act. Most recently, the New York State (NYS) Department of Health (DOH) passed a law that will require all community water systems to provide a cybersecurity vulnerability assessment (VA) and an emergency response plan (ERP) for cyber-attacks as a part of their water supply emergency plans by 2018. While this regulation is one of the first of its kind in the country, all water utilities will benefit from implementing vulnerability assessments for their utilities, whether it becomes mandatory or not.
Cybersecurity vulnerability assessments can help utilities identify all the vulnerabilities within their Information Technology (IT) and Operational Technology (OT) systems which they can then use to create a prioritized plan to mitigate or eliminate each identified vulnerability. Here is the methodology we follow when completing a vulnerability assessment for a water utility:
1. Conduct Site Investigations
Site investigations are a critical first step in any vulnerability assessment. This initial phase is used to gather data, take photos and assess current physical security of a utility’s SCADA system.
2. Gather Detailed Asset Inventories
After a bird’s eye view of the system is established, the next step is to develop a thorough asset inventory of all hardware, software, and virtual assets connected to the system. Any connection to the SCADA system brings a level of vulnerability along with it. By understanding all connections to the system, a list of possible vulnerabilities starts to form.
3. Passive Assessment Methods
Passive assessment methods are used to track how information flows through the system on a day-to-day basis. Collecting device logs; device configurations for firewalls, routers, and switches; and computer and server configurations gives us insight into how the system is set up and what security measures are in place. ARP table reviews provide a list of the network interfaces, target systems, and physical (MAC) address of each system, and by capturing network traffic from key locations throughout the SCADA network we get a strong understanding of how each device in the system communicates with the others and with outside connections.
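As an added illustration of steps 2 and 3 (not code from the original post or from its authors), the following Python example reconciles an ARP table against an asset inventory. The ARP output and the inventory are constructed samples in the format printed by `arp -a` on a Linux workstation; the asset names and MAC addresses are placeholders. It reports devices the inventory does not account for and MACs that answer for more than one IP, which are the two things a reviewer first looks for in a passive review.

```python
import re
from dataclasses import dataclass

# Constructed sample: what `arp -a` prints on a Linux engineering workstation
# attached to a SCADA network. Hostnames, IPs and MACs are placeholders.
SAMPLE_ARP_OUTPUT = """\
plc-1 (10.10.1.10) at 00:11:22:33:44:01 [ether] on eth0
hmi-1 (10.10.1.20) at 00:11:22:33:44:02 [ether] on eth0
? (10.10.1.21) at 00:11:22:33:44:02 [ether] on eth0
historian (10.10.1.30) at 00:11:22:33:44:03 [ether] on eth0
? (10.10.1.99) at de:ad:be:ef:00:01 [ether] on eth0
"""

# Constructed sample asset inventory from step 2: MAC address -> asset name.
KNOWN_ASSETS = {
    "00:11:22:33:44:01": "PLC-1 (pump station)",
    "00:11:22:33:44:02": "HMI-1 (operator workstation)",
    "00:11:22:33:44:03": "Historian server",
}

# One line of `arp -a` output: hostname (ip) at mac [type] on interface
ARP_LINE = re.compile(
    r"^(\S+) \((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f:]{17}) \[\w+\] on (\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ArpEntry:
    hostname: str
    ip: str
    mac: str
    iface: str


def parse_arp(text: str) -> list[ArpEntry]:
    """Parse `arp -a` output into ArpEntry records; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            host, ip, mac, iface = m.groups()
            entries.append(ArpEntry(host, ip, mac.lower(), iface))
    return entries


def find_unknown_devices(entries: list[ArpEntry], inventory: dict) -> list[ArpEntry]:
    """Entries whose MAC is absent from the asset inventory: candidates for follow-up."""
    return [e for e in entries if e.mac not in inventory]


def find_duplicate_macs(entries: list[ArpEntry]) -> dict:
    """MACs seen with more than one IP (misconfiguration, a multi-homed host, or spoofing)."""
    seen: dict[str, set] = {}
    for e in entries:
        seen.setdefault(e.mac, set()).add(e.ip)
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    entries = parse_arp(SAMPLE_ARP_OUTPUT)
    print(f"{len(entries)} ARP entries parsed")
    for e in find_unknown_devices(entries, KNOWN_ASSETS):
        print(f"NOT IN INVENTORY: {e.ip} ({e.mac}) on {e.iface}")
    for mac, ips in find_duplicate_macs(entries).items():
        print(f"MAC {mac} answers for multiple IPs: {', '.join(ips)}")
```

Every unknown MAC is either a gap in the inventory or a device nobody approved; both outcomes feed the vulnerability list. A MAC answering for two IPs is worth checking against the device configuration collected in the same step before any conclusion is drawn.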
4. Active Assessment Methods
Active assessment methods utilize outside network scanning applications to determine what devices are available on the network, identify services based on ports, and identify operating systems. There are also active assessment methods that use network vulnerability scanning applications to assess computers, systems, networks or applications for weaknesses, by testing against databases of known vulnerabilities.
5. Perform Penetration Testing
Penetration testing puts your system to the test by actively exploiting the discovered vulnerabilities to reveal the extent to which your system could be compromised. This is the closest approximation of an actual attacker trying to break into your system, and it can show you specifically how your system could be compromised.
Vulnerabilities identified through this process are weighed against the safety and business impact they would have if they were exploited. The results of this analysis are then used to prioritize expenditures and projects to mitigate or eliminate the vulnerabilities.
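The weighing described above can be made repeatable with a simple scoring model. The Python below is an added example, not part of the original post: each finding is rated 1 to 5 for safety impact, business impact, and likelihood of exploitation, combined with weights (the weights, the tier thresholds, and the sample findings are all assumptions chosen for illustration), and sorted into a prioritized list that a utility could map to budget lines.

```python
from dataclasses import dataclass

# Assumed weights: safety outweighs business impact for a water utility,
# and likelihood tempers both. Adjust to the utility's own risk appetite.
SAFETY_WEIGHT = 0.5
BUSINESS_WEIGHT = 0.3
LIKELIHOOD_WEIGHT = 0.2

# Assumed tier thresholds on the 1..5 weighted score.
IMMEDIATE_THRESHOLD = 4.0
PLANNED_THRESHOLD = 2.5


@dataclass
class Finding:
    title: str
    safety_impact: int      # 1 = none .. 5 = risk to public health or staff safety
    business_impact: int    # 1 = none .. 5 = prolonged loss of service or large cost
    likelihood: int         # 1 = theoretical .. 5 = trivially exploitable

    def risk_score(self) -> float:
        """Weighted score in the range 1.0 .. 5.0; rejects ratings outside 1..5."""
        for name, value in (("safety_impact", self.safety_impact),
                            ("business_impact", self.business_impact),
                            ("likelihood", self.likelihood)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")
        score = (SAFETY_WEIGHT * self.safety_impact
                 + BUSINESS_WEIGHT * self.business_impact
                 + LIKELIHOOD_WEIGHT * self.likelihood)
        return round(score, 2)


def tier(score: float) -> str:
    """Map a score to a remediation tier used for budgeting."""
    if score >= IMMEDIATE_THRESHOLD:
        return "Immediate"
    if score >= PLANNED_THRESHOLD:
        return "Planned"
    return "Monitor"


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest risk first; ties broken by safety impact, then by title for stable output."""
    return sorted(findings,
                  key=lambda f: (-f.risk_score(), -f.safety_impact, f.title))


# Constructed sample findings; titles are generic placeholders, not results from any real site.
SAMPLE_FINDINGS = [
    Finding("Engineering workstation reachable from the business network", 4, 4, 4),
    Finding("Shared vendor remote-access password at remote site", 5, 3, 5),
    Finding("Historian web interface served without TLS", 1, 2, 3),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        s = f.risk_score()
        print(f"{s:4.2f}  {tier(s):9s}  {f.title}")
```

The output is the ordered list step 5's results feed into; the tier column is what turns it into a spending plan. Keeping the weights in one place means the model can be re-run when the utility's priorities change without re-rating every finding.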
National Cyber Security Awareness Month (NCSAM)
October is National Cyber Security Awareness Month (NCSAM)! This month-long campaign applies to both personal and professional entities. There are lots of great resources out there to help make you more secure when using the Internet. Below are some links that I highly recommend seeking out to get you started.
- Department of Homeland Security
- DHS – Stop. Think. Connect.
- National Cyber Security Alliance
- Cyber Security & Information Systems Information Analysis Center
- CIS – Center for Internet Security