Cybersecurity for Water & Wastewater Facilities
Supervisory Control and Data Acquisition (SCADA) systems at water and wastewater treatment facilities have become potential prime targets for cyber attacks aimed at damaging the basic infrastructure of modern life. Such attacks may originate from either on-site human activity or remote network breaches.
With all the technological advancements in the water and wastewater industries, one constraint remains constant: facilities need to be located along the water’s supply and usage route.
Fresh water systems are highly distributed, from intake and pumping to reservoirs/water towers, chlorination and distribution to users. Each stage requires power for pumping, to maintain water pressure and/or elevation, which makes up a significant point of vulnerability. Remote facilities are often unmanned, and rely on low-bandwidth communication networks to send vast amounts of data to a central monitoring location, which may cause network overload and loss of data (as well as physical barriers to prevent unauthorized entry).
Wastewater systems share many of these challenges, with the additional complexity of treatment centers located inside or in close proximity to cities and small towns, which creates health and ecological hazards in the case of malfunction or shutdown.
In addition, as in any complex ICS, both types of water systems typically host an array of devices by multiple vendors.
Understanding the interplay between devices and business processes is a key factor in calculating risk. And as they are state-operated, water systems are typically slow to adapt new technologies. Many facilities use devices that were never designed for networked operation, and so don’t have adequate cyber-protection.
Radiflow offers OT security solutions for different types and sizes of installations, from local gateways at remote pumping stations to intrusion detection solutions at major facilities.
Water & wastewwater facilities present unique challenges in terms of geographical distribution, criticality of operations and antiquated network infrastructur
- In the aftermath of the Oldsmar Water Attack: using an OT-MSSP as a viable replacement for an in-house cybersecurity department
- Behind the News: Cyber Attack on Florida Water Treatment Facility
- SecurityWeek: Radiflow CEO Ilan Barda discusses cyber-preparedness of critical water infrastructures
- Cyber Attack Targets Israel’s Water Supply – Analysis and Mitigation Recommendations
Overcoming the Challenges of Water & Wastewater Systems
Water and wastewater systems are among the most crucial and geographically-distributed industrial automation systems, consisted of multiple remote and often unmanned facilities. Security challenges include managing physical access to the facility and to the network upon entry; managing scheduled maintenance activities; ongoing monitoring, threat detection and breach containment; and continuous transfer of data traffic to the control center for analysis.
Risk assessment & management: CIARA
- Fully IEC 62443-compliant; use of multiple sources for attacker threat intelligence
- Continuous calculation of the real-world risk for each device and business process, based on region/sector
- Comprehensive mitigation roadmap for optimizing the customer’s cybersecurity expenditure
Ongoing detection & monitoring: iSID Industrial Threat Detection & Monitoring platform
- Self-learned, visual network model, including all assets & properties, connections, protocols vulnerabilities.
- Multiple detection engines for different types of threats and activities
- Use of multiple threat intelligence sources for known and upcoming threats.
- iCEN management dashboard for multiple instances of iSID (for use at corporate or OT-MSSP SOC)
Securing remote locations: iSEG iRF-3180 DPI-Firewall Gateway
- Authentication Proxy Access (APA) for work order-based enforcement of identity and policies (for NERC CIP V6 compliance);
- User activity logging and per-port validation of user activity using the DPI Firewall
- iSIM management console for managing large arrays of iSEG gateways
Efficient data collection and transfer for analysis: iSAP Smart Collector
- Efficient data transfer over low-bandwidth connections using Radiflow’s proprietary compression and filtering algorithm
- Significantly reduces data volume, thus overcoming the problem of LAN overload that’s typical to industrial probes