Cyber security is of great importance to the water management world. Many water authorities and boards are hard at work to up their cyber security level. Conforming to the BIWA-standard and preparing for the Dutch cyber security legislation are top priority. How will water sector companies handle cyber security?
Hudson Cybertec, a worldwide cyber security solution provider in the Operational Technology (OT), has noticed that a lot of companies in the water sector are struggling with implementing cyber security for their primary processes. Adequate cyber security knowledge is often lacking, which often results in insufficient policies and OT networks which are focused on functionality. “Cyber security is still inadequately managed”, says Marcel Jutte, managing director at Hudson Cybertec, “We often speak various water sector companies and have noticed that there is a great need for help.”
A structured approach is required. Just picking up some of the security matters and improving on them does not add structure and is unmanageable in the long term. To make the first step in cyber security and improving on security matters, is to know where the organization stands today. A cyber security assessment will give a clear overview of the current state of cyber security. All important factors need to be included. Which means attention is required for people, process and technology. Jutte: ”We have a lot of experience with cyber security assessments, for which we use the IEC 62443 standard. Herein all three factors are extensively discussed. Customers see, due to our holistic approach, that they can greatly improve on multiple fronts in their cyber security.”
The IEC 62443 is the worldwide de facto standard for cyber security in Industrial Automation & Control Systems (IACS), also known as the OT domain. A security assessment performed according to this standard provides an unambiguously insightful view on the matters the water authorities will need to act. For example: an assessment, performed at a water authority, clearly showed a very low conformance to the IEC 62443. Not strange in itself seeing as the organization was not yet actively working according to the standard. What did become immediately obvious however, was the enormous gains the organization could achieve on process, technical and people factors.
Making smart choices allows for a water authority to still make some important steps in cyber security on a limited budget. On advice of Hudson Cybertec, the choice was made to update their security policy and implement network segmentation according to the zones & conduit model of the IEC 62443 standard. In the following years, new choices can be made, and the earlier choices will still be managed.
Pentest the OT
Every company in the water management world is unique. The approach differs because of this. At another water company a combination of different pen-tests was performed to show just how vulnerable the OT infrastructure is. Several vulnerabilities were quickly found during these controlled pen tests, performed in the live environment as requested by the water company. Jutte: “Everyone within the OT organization was informed and on stand-by, this allowed to perform the pen-tests in the production environment. The goal was to see if it was possible to intrude in the systems. This resulted in various serious vulnerabilities being found.” Based on this, recommendations were made, and action was immediately undertaken to improve cyber security.
IACS Forensic Readiness
Companies need to be prepared for when an incident occurs. They should be able to view what is happening on the network at all times. The importance of forensic data is increasing within the IACS (OT) domain. The upcoming Dutch cyber security legislation necessitates that parties provide insight into matters. It is of great importance to be prepared for that. IACS Forensic Readiness ensures that organizations can secure the data necessary for a forensic investigation. For example: to determine the cause of an incident or determine, if any, causers. “Other critical infrastructure sectors have shown interest in our expertise” Jutte mentions, “The demand for forensic readiness has also been increasing in the water management world.” One could think of preventive design, maintenance and exploitation of the necessary infrastructure in order to facilitate incident response, monitoring and detection, logging and the management and maintenance of back-ups.
Hudson Cybertec unburdens as much as possible. “Our clients are our partners. The mutual trust with our partners allows us to fully unburden them”, Jutte continues, “The goal for our managed services is to make cyber security as accessible and approachable as possible.” Companies of which the core business revolves around water management or drinking water, can keep focus on their primary process this way.
They can also profit from the specialization of Hudson Cybertec: cyber security for Industrial Automation & Control Systems. While the demand in general increases, Jutte sees an increase in demand for specialist support: “We know what is going on, due to our experience, in the OT environments of drinking water companies and water authorities, including the security challenges with which they have to deal. Because of this, combined with our cyber security expertise in the OT domain, water sector companies ask for our help. We unburden water sector companies by managing their cyber security. But the water management itself, we leave to them.
Click here to read the article (in Dutch).