Route 66 runs through downtown Albuquerque, New Mexico. Kristin Sanders, CISO for the Albuquerque Bernalillo County Water Utility Authority, explained how New Mexico’s largest water and wastewater utility has been addressing the security challenge. (Asaavedra32, CC BY-SA 3. https://creativecommons.org/licenses/by-sa/3., via Wikimedia Commons)
As critical infrastructure facilities increasingly converge their IT and OT systems, visibility into historically isolated operational processes is becoming a key security challenge. Kristin Sanders, chief information security officer for the Albuquerque Bernalillo County Water Utility Authority, explained last week how New Mexico’s largest water and wastewater utility has been addressing this problem by leveraging a series of software solutions, sensors and internet-of-things technology.
Acknowledging that the ABCWUA is “ahead of a lot of the water authorities” across the U.S. in terms of IT/OT modernization and compliance with the Water Infrastructure Act of 2018, Sanders offered recommendations to utilities that are seeking to make similar progress. She advised them to start by focusing on the Center for Internet Security’s top 20 controls and resources, “and then see how you can implement some different solutions to really knock out some of that low-hanging fruit.”
From an economic point of view, solutions that can be implemented simultaneously across both IT and OT environments, such as secure-access platforms with two-factor or multi-factor authentication, are a good place for a utility to start, she added, speaking in an online webinar organized by Cisco Systems.
“You can really make sure that you use this solution across multiple things – RDP, VPN, email – all that are constantly being attacked,” said Sanders, noting that ABCWUA’s solution from Cisco and Duo Security processes more than 12,000 authorizations per month.
The same philosophy applies to ABCWUA’s deployment of its cloud-based enterprise network security software. “We’re able to roll that out not only for our desktop computers and for laptops and for VPN users, but even for mobile devices,” said Sanders. “So we’re able to take this one product and use it across a whole bunch of different endpoints to make sure that we’re getting full coverage.”
Another key step is investing in training for staff so they understand both IT and OT operations, not just one or the other. “It was not something that we were ever expected to need to know in the past,” said Sanders. But times change, so “one of the great things that we did was we actually hired somebody who was familiar with the operation side, and actually brought him in on the IT side” to help train the IT staff, said Sanders.
The authority, which serves more than 650,000 customers and has had more than 100,000 smart meters installed since fall 2012, had historically kept its OT processes air-gapped and separate from IT. “Now we’re starting to see a convergence of these two into IoT, [although] traditionally the two groups never really worked a whole lot with each other,” said Sanders.
So far, “it’s been going really well,” she said. Still, such modernization is not without risk. Infosec professionals at the plant must worry about malicious actors potentially sabotaging OT systems using the connected IT systems as an initial vector of compromise. Such an attack could theoretically affect the utility’s 3,000+ miles of water supply pipeline, 2,400 miles of sewer collector pipeline or its dual groundwater/surface water supply system.
Such risks were highlighted last February when it was revealed that a malicious hacker attempted to poison the Oldsmar, Florida water supply after hijacking a remote access system used by staff at the city’s water treatment plant.
To manage this risk, a utility’s security team must have visibility into OT activity. However, “there tends to be very antiquated equipment that operates within these industrial control environments,” and monitoring at the ABCWUA has traditionally been done manually, with staff checking operations on a screen, Sanders explained. “A lot of times, the security was kind of an afterthought; it was not built into the product originally because it was never meant to ever talk to a network,” she continued.
As IT and OT converged, untrained IT staffers were unsure at first as to what an attack might look like. “Because there is no way of knowing that there’s an anomaly if you have no clue what normal even looks like,” said Sanders.
But the utility’s staff has started to gain improved network traffic visibility after deploying the industrial IoT security and visibility solution Cyber Vision from Cisco and integrating it with smart sensors and newly implemented industrial switches.
“It will do the baselining for you so you can start to build out this idea of what normal traffic is,” said Sanders. “That way you can see when something abnormal happens.” Now, the authority has visibility into its inventory of OT assets and endpoints, and it can detect new devices connecting to its systems and send alerts accordingly.
As part of its modernization, the authority also implemented a firewall management center, a secure access and policy management system, a network controller and management dashboard, and a video conferencing platform.
According to Sanders, the improved security infrastructure has put the utility in a position to ensure “staff protection and also the security of our water.”