Cybersecurity for Water and Wastewater Facilities

Protection against all Types of Potential Cyberattacks

Supervisory Control and Data Acquisition (SCADA) systems at water and wastewater treatment facilities have become potential prime targets for cyber attacks aimed at damaging the basic infrastructure of modern life.

Such attacks may originate from either on-site human activity or remote network breaches.

Radiflow offers OT security solutions for different types and sizes of installations, from local gateways at remote pumping stations to intrusion detection solutions at major facilities.

Intrusion Detection Solution for Large Water and Wastewater Facilities

Radiflow’s comprehensive cybersecurity solution for large facilities consists of the iSID Intrusion Detection System for monitoring local operations, combined with a Secure Gateway that serves as an industrial firewall and provides secure remote access to the OT network.

Radiflow’s iSID, designed specially for ICS systems provides full network visibility and anomaly detection, based on self-learning of the SCADA network. iSID is capable of detecting anomalies, which may indicate an insider attack (e.g. a malware on one of the PLCs) in the operational network’s behavior, based on its self-learned baseline behavior model. Alerts upon anomaly detection enable the operator to keep track of all operational changes done in the site.

The Secure Gateway is used to facilitate remote maintenance sessions, by means of secure VPN tunnel with configurable access rights. The Gateway’s authentication proxy validates each remote user and restricts the user’s access according to his predefined tasks (device, time slot, approved commands, etc.) All remote sessions are recorded for auditing purposes.

SCADA Solutions for water systems

OT Communications Solution for Remote Water Facilities

Radiflow’s 3180 secure ruggedized gateway is optimized to operate in remote water sites thanks to its variety of communication interfaces (IP communications over copper, fiber optic and wireless media) and industry-standard protocols (such as ModBus), as well as its rich security feature-set, all contained in a compact ruggedized chassis.

One of the major points of vulnerability in remote facilities occurs during maintenance sessions, which usually require access to only a specific part of the network. However, since many operators lack the ability to enforce access limitations, the entire OT network ends up exposed.

Radiflow’s 3180 allows the operator to manage complex maintenance operations using an Authentication Proxy Access (APA). The APA enables intuitively defining work orders per technician for a specific device within one of the subnets and for a limited time-slot, with full activity logging. This capability is enhanced by the 3180’s Deep Packet Inspection (DPI) firewall, used to filter out unauthorized traffic on the operational technology (OT) network.

Typical installations include:

  • Monitoring and control for pumping at wells and underground aquifers
  • Fresh water reservoirs, pumping stations, pressure monitoring, valve control stations
  • Fresh water treatment (fluoridation), water quality and safety monitoring
  • Monitoring of water supply metering (bulk meter), leakage and UFW (unaccounted-for water)