Water and Wastewater
Cyber Secure-Gateway for Water Systems
The productivity of nations and the well-being of people worldwide depend on the availability of fresh and potable water. Yet, it is often the case that Supervisory Control and Data Acquisition (SCADA) solutions for water control are not granted adequate attention and resources. Consequently, many water infrastructure systems suffer from undetected leakage and inaccurate consumption metering, as well as unaccounted-for water (UFW) and financial losses.
While legacy water distribution control systems used to rely on public networks and proprietary data communication protocols, modern systems rely mainly on IP communication over copper, fiber optic and wireless media. Data communications in water systems may utilize a range of industry-standard protocols such as MODBUS.
In recent years, critical infrastructures of all kinds have become a target for cyber-attacks by hostile organizations and governments. Since water sites, which are typically unmanned, are spread across wide geographical areas, they should be considered a prime target for cyber-attacks, committed either by an insider who has gained unauthorized access to a site, or from outside the site via the operational network.
The 3180 is optimized to serve in remote water sites with its variety of communication interfaces and its rich security feature-set, all contained in a compact ruggedized chassis. A case in point is maintenance, which is, according to most security experts, one of the greatest vulnerability points. Maintenance processes require access to specific parts of the network; however, many operators lack the ability to enforce such limited access to specific network segments or locations.
The Radiflow 3180 provides the operator the ability to manage complex maintenance operations using Authentication Proxy Access (APA), which enables the operator to intuitively define work orders per technician for a specific device within one of the subnets and for a limited time-slot.
The 3180 includes a Deep Packet Inspection (DPI) firewall to filter unauthorized traffic in the operational technology (OT) network. This allows the operator to control the entire process and reduce cyber threats and human errors. At the end of the maintenance sessions, the APA issues an activity report.
Typical 3180 installations, used to remotely supervise site operations via secure channels, include:
- Monitoring and control for pumping at wells and underground aquifers
- Fresh water reservoirs, pumping stations, pressure monitoring, valve control stations
- Fresh water treatment (fluoridation), water quality and safety monitoring
- Monitoring of water supply metering (bulk meter), leakage and UFW
The 3180's security and connectivity features include:
- Authentication proxy access (APA)
- Validation of the SCADA process per user using a per-port DPI firewall to assure high immunity against a variety of cyber-attack vectors
- Automatic learning of SCADA behavior toward setting a baseline for DPI rules, for reliable detection of anomalous activity and assuring minimal false alerts
- End-to-end IPsec Layer-3 VPN for secure inter-site connectivity between substations and water management control centers
- Support for Ethernet and Serial interfaces, for connecting modern and legacy devices, including protocol gateway functionality and PoE+ support for integrated video surveillance traffic
- Reliable WAN interface over Ethernet utilizing copper and fiber, as well as private wireless and cellular (3G/4G) connectivity as a backup link
- Ruggedized security gateway hardware compliant with the requirements of remote outdoor sites where the water systems are deployed