Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) have jointly released a... The post New CISA and EPA guidelines aim to shield water and wastewater systems from cyber threats appeared first on Industrial Cyber.
Analysis Summary
# Best Practices: Protecting Water and Wastewater Systems from Cyber Threats—Focusing on HMI Security
## Overview
These practices derive from joint guidance by CISA and the EPA, specifically addressing cybersecurity risks within Water and Wastewater Systems (WWS). The primary focus is on minimizing the exposure and securing Human-Machine Interfaces (HMIs), which serve as critical endpoints for monitoring and controlling Supervisory Control and Data Acquisition (SCADA) systems linked to Programmable Logic Controllers (PLCs). Lack of controls on internet-exposed HMIs allows unauthorized viewing or modification of system contents, potentially leading to operational disruption.
## Key Recommendations
### Immediate Actions (0-1 month)
1. **Identify and Inventory Internet-Exposed HMIs:** Conduct an immediate audit or inventory to identify all Human-Machine Interfaces (HMIs) that are directly accessible from the public internet (i.e., lack adequate protective controls).
2. **Immediately Isolate Exposed HMIs:** For any identified HMI accessible via the public internet, immediately implement segmentation or isolation to prevent direct external access. This may require temporary shutdown or strict firewall enforcement until proper protection is deployed.
3. **Review HMI Access Logs:** Immediately review access logs for all HMIs to check for any anomalous or unauthorized connection attempts or activities that may indicate prior compromise.
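The log review in step 3 is easier to do consistently with a small triage script. The following is an added example for this summary, not code from the CISA/EPA fact sheet or from Industrial Cyber. It assumes a constructed log format (one connection attempt per line: timestamp, source IP, user, protocol, result), a constructed address plan in which the RFC 1918 ranges count as internal and only the operator subnet `10.20.5.0/24` and a jump host `10.20.9.10` may open HMI sessions, and a threshold of five failed logons within two minutes; the sample log lines are constructed as well. Real HMI logs (Windows security events, web-HMI access logs, vendor audit trails) would need their own `parse_line()`, but the four checks it performs are the ones worth escalating from any HMI log: any attempt from outside the internal ranges, sessions from internal hosts that are not on the allow list, bursts of failed logons, and a success that follows failures from the same source.

```python
"""Triage of HMI access logs for signs of exposure or credential guessing.

Added illustration; not from the CISA/EPA fact sheet. The log format is
constructed: one connection attempt per line,
    <ISO timestamp> <source IP> <user> <protocol> <SUCCESS|FAILURE>
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: two operator sessions from the OT LAN, a burst of
# failed RDP logons from an outside address followed by a success, and a
# session from a corporate workstation that should not reach the HMI.
SAMPLE_LOG = """\
2024-12-10T08:02:11 10.20.5.14 operator1 VNC SUCCESS
2024-12-10T08:40:53 10.20.5.15 operator2 RDP SUCCESS
2024-12-10T09:11:02 198.51.100.23 admin RDP FAILURE
2024-12-10T09:11:05 198.51.100.23 admin RDP FAILURE
2024-12-10T09:11:07 198.51.100.23 administrator RDP FAILURE
2024-12-10T09:11:09 198.51.100.23 operator RDP FAILURE
2024-12-10T09:11:12 198.51.100.23 operator RDP FAILURE
2024-12-10T09:11:40 198.51.100.23 operator RDP SUCCESS
2024-12-10T14:05:19 192.168.50.7 jsmith RDP SUCCESS
2024-12-10T23:30:00 10.20.5.14 operator1 VNC SUCCESS
"""

# Assumed address plan (constructed): private ranges count as internal, and
# only the operator subnet plus one jump host may open HMI sessions.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.5.0/24", "10.20.9.10/32")]
FAILURE_THRESHOLD = 5                 # failed logons per source within the window
FAILURE_WINDOW = timedelta(minutes=2)


def parse_line(line):
    """Parse one constructed log line into a dict of typed fields."""
    ts, src, user, proto, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
            "user": user, "proto": proto, "result": result}


def in_any(addr, networks):
    return any(addr in net for net in networks)


def review_access_log(text):
    """Return a report dict with the four finding types worth escalating."""
    report = {"external_sources": set(), "unlisted_internal_sources": set(),
              "failure_bursts": [], "success_after_failures": []}
    failures = defaultdict(list)      # source -> timestamps of failed logons
    for ev in (parse_line(l) for l in text.splitlines() if l.strip()):
        src = ev["src"]
        # Any attempt from outside the internal ranges proves the HMI is
        # reachable from beyond the perimeter, whether or not it succeeded.
        if not in_any(src, INTERNAL_RANGES):
            report["external_sources"].add(str(src))
        elif not in_any(src, ALLOWED_SOURCES):
            report["unlisted_internal_sources"].add(str(src))
        if ev["result"] == "FAILURE":
            failures[src].append(ev["ts"])
            recent = [t for t in failures[src] if ev["ts"] - t <= FAILURE_WINDOW]
            if len(recent) == FAILURE_THRESHOLD:   # report once, when the threshold is crossed
                report["failure_bursts"].append((str(src), ev["ts"].isoformat()))
        elif ev["result"] == "SUCCESS" and failures.get(src):
            # A success after failures from the same source is the classic
            # sign of a guessed or weak credential on that account.
            report["success_after_failures"].append((str(src), ev["user"], ev["ts"].isoformat()))
    for key in ("external_sources", "unlisted_internal_sources"):
        report[key] = sorted(report[key])
    return report


if __name__ == "__main__":
    for key, value in review_access_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports the outside address as an external source, the corporate workstation as an unlisted internal source, one failure burst, and one success following failures; the last two together are what should trigger the "prior compromise" review the guidance calls for.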
### Short-term Improvements (1-3 months)
1. **Implement Network Segmentation:** Deploy robust network segmentation between the Industrial Control System (ICS)/Operational Technology (OT) network and the Enterprise IT network, and strictly control access points to the HMI zone.
2. **Enforce Strong Authentication:** Mandate multi-factor authentication (MFA) for all remote access pathways leading to HMIs or the networks they reside on. For local access, enforce complex password policies.
3. **Harden Access Controls:** Restrict physical and logical access to HMIs only to personnel whose job function strictly requires it (Principle of Least Privilege).
### Long-term Strategy (3+ months)
1. **Implement Zero Trust Architecture Principles for OT:** Begin planning and deploying a Zero Trust (ZT) framework across the OT environment, moving away from implicit trust based on network location, particularly for remote access to HMIs.
2. **Implement Secure Remote Access Solutions:** Replace direct external internet access to HMIs with secure, vetted solutions such as VPNs with MFA, jump servers, or secure remote desktop gateways that minimize the attack surface.
3. **Establish Comprehensive Patch and Configuration Management:** Create a formal, documented process for regularly testing and applying security patches and configuration changes specifically for HMI software, operating systems, and underlying hardware.
## Implementation Guidance
### For Small Organizations
- **Prioritize Inventory:** Focus resources on creating an accurate, current inventory of all HMIs, noting their physical location and network connectivity (especially public access points).
- **Use Basic Firewall Rules:** Implement strict, deny-by-default firewall rules on any boundary devices allowing OT access, only permitting necessary communication ports and specifically approved source IP addresses.
- **Leverage Trusted Vendors:** Rely on vendor-provided hardening guides for immediate configuration fixes for existing HMI platforms.
### For Medium Organizations
- **Develop Segmentation Scope:** Develop a formal plan to segment the HMI and SCADA zones from the rest of the network, involving OT engineers in the justification and implementation steps.
- **Deploy Centralized Logging:** Start collecting and centralizing security logs from HMIs and adjacent network devices to a Security Information and Event Management (SIEM) system for basic analysis.
- **Establish Change Control:** Formalize the process for requesting, reviewing, and implementing any changes to HMI configurations or access permissions.
### For Large Enterprises
- **Deploy OT-Specific Monitoring:** Implement passive or non-intrusive network monitoring solutions capable of understanding ICS protocols to detect unauthorized activity around HMIs without disrupting operations.
- **Integrate IT/OT Security Teams:** Formalize governance structures (e.g., Security Steering Committees) that mandate collaboration between IT security, physical security, and OT operations staff concerning HMI security policies.
- **Conduct Regular Penetration Testing:** Schedule recurring penetration tests that specifically target the security perimeter around the SCADA/HMI environment to proactively identify exploitable vectors.
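The passive OT monitoring recommended for large enterprises works by decoding the ICS protocol off a span port or tap and comparing who is talking to the PLCs against the expected roles. The block below is an added example for this summary, not code from the CISA/EPA guidance; it assumes the PLCs speak Modbus/TCP (the fact sheet names no protocol), that the monitor receives the TCP payloads of port 502 traffic, and constructed host roles in which two operator HMIs may write, a historian may only read, and everything else is unknown. The sample frames are constructed, and the small encoder exists only to build them; the detection is in `inspect()`, which flags state-changing function codes from hosts that are not authorized writers, diagnostics requests, polling from unknown hosts, and malformed frames.

```python
"""Passive inspection of Modbus/TCP traffic around PLCs.

Added illustration; not part of the CISA/EPA guidance. Assumes Modbus/TCP
(an assumption) and constructed host roles and sample frames.
"""
import struct

MBAP = struct.Struct("!HHHB")   # transaction id, protocol id (0), length, unit id
# Function codes that change PLC state. FC 8 (Diagnostics) is flagged
# separately because some of its sub-functions alter the device's
# communication mode.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
DIAGNOSTICS = 8

# Assumed roles (constructed): the historian may only read; operator HMIs may write.
AUTHORIZED_READERS = {"10.20.5.14", "10.20.5.15", "10.20.9.40"}
AUTHORIZED_WRITERS = {"10.20.5.14", "10.20.5.15"}
PLCS = {"10.20.7.21", "10.20.7.22"}


def build_frame(tid, unit, function, data=b""):
    """Encode a Modbus/TCP ADU; used here only to construct sample captures."""
    pdu = bytes([function]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(payload):
    """Decode the MBAP header and function code, rejecting malformed frames."""
    if len(payload) < MBAP.size + 1:
        raise ValueError("short frame")
    tid, proto, length, unit = MBAP.unpack_from(payload)
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("bad MBAP header")
    return {"tid": tid, "unit": unit, "function": payload[MBAP.size]}


def inspect(src, dst, payload):
    """Return an alert string for one PLC-bound TCP segment, or None."""
    if dst not in PLCS:
        return None
    try:
        frame = parse_frame(payload)
    except ValueError as err:
        return f"malformed Modbus from {src} to {dst}: {err}"
    fc, unit = frame["function"], frame["unit"]
    if fc in WRITE_FUNCTIONS and src not in AUTHORIZED_WRITERS:
        return f"unauthorized write FC{fc} from {src} to {dst} unit {unit}"
    if fc == DIAGNOSTICS and src not in AUTHORIZED_WRITERS:
        return f"diagnostics request from {src} to {dst} unit {unit}"
    if src not in AUTHORIZED_READERS:
        return f"unknown host {src} polling {dst} (FC{fc})"
    return None


def run_monitor(packets):
    """packets: iterable of (src_ip, dst_ip, tcp_payload) tuples seen on port 502."""
    return [alert for alert in (inspect(*p) for p in packets) if alert]


# Constructed capture: normal HMI and historian polling, an HMI setpoint
# write, a write from a corporate workstation, polling from an unknown OT
# host, and a frame with a non-zero protocol id.
SAMPLE_PACKETS = [
    ("10.20.5.14", "10.20.7.21", build_frame(1, 1, 3, struct.pack("!HH", 0, 10))),
    ("10.20.5.14", "10.20.7.21", build_frame(2, 1, 16, struct.pack("!HHB", 40, 1, 2) + b"\x00\x05")),
    ("10.20.9.40", "10.20.7.22", build_frame(3, 1, 3, struct.pack("!HH", 0, 4))),
    ("192.168.50.7", "10.20.7.21", build_frame(4, 1, 6, struct.pack("!HH", 40, 9))),
    ("10.20.5.30", "10.20.7.21", build_frame(5, 1, 1, struct.pack("!HH", 0, 8))),
    ("10.20.5.14", "10.20.7.21", b"\x00\x06\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_PACKETS):
        print("ALERT:", alert)
```

The monitor never sends anything, so it cannot disturb the process; that is the reason the guidance asks for passive sensors in the HMI/PLC zone rather than active scanners.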
## Configuration Examples
*Note: The source material did not provide explicit configuration settings (e.g., specific commands or firewall ACL logic). The guidance below reflects the principles derived from the threat context.*
1. **Firewall Rule for Restricted HMI Access:**
   * **Action:** Configure boundary firewalls to explicitly deny all inbound traffic attempting to reach HMI management ports (e.g., RDP, HTTP/S, proprietary ICS ports) originating from the Wide Area Network (WAN) or the public internet.
   * **Allow List Principle:** Only permit traffic from defined, audited internal jump hosts or secure remote access gateways after successful MFA verification.
2. **HMI Local Account Lockdown:**
   * **Action:** Disable all default or vendor-set administrator accounts on the HMI workstation operating system.
   * **Configuration:** Enforce a minimum complexity standard for new local accounts (e.g., 14 characters, mix of case, numbers, and symbols) and mandate password rotation every 90 days for HMI operational accounts.
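Because the source gives the firewall principle rather than concrete rules, the following added example (not from the CISA/EPA material) shows how the two points under "Firewall Rule for Restricted HMI Access" can be checked mechanically against a boundary ruleset. It assumes a constructed first-match rule syntax (`allow|deny <proto> <src> -> <dst> <port>`), a constructed HMI zone `10.20.5.0/24`, two constructed jump hosts, and a list of management ports in which Modbus/TCP stands in for the "proprietary ICS ports" the guidance mentions. A weak ruleset with a leftover vendor remote-support rule is audited beside its hardened replacement.

```python
"""Audit a boundary firewall ruleset for HMI exposure.

Added illustration; not from the CISA/EPA fact sheet. Rule syntax, zone,
jump hosts and port list are constructed assumptions.
"""
import ipaddress

HMI_ZONE = ipaddress.ip_network("10.20.5.0/24")
JUMP_HOSTS = [ipaddress.ip_network("10.20.9.10/32"), ipaddress.ip_network("10.20.9.11/32")]
ANY = ipaddress.ip_network("0.0.0.0/0")
# Management ports whose exposure the guidance calls out; Modbus/TCP stands in
# for the vendor-specific ICS ports an operator would add for their own platform.
MGMT_PORTS = {"tcp/3389": "RDP", "tcp/5900": "VNC", "tcp/80": "HTTP",
              "tcp/443": "HTTPS", "tcp/502": "Modbus/TCP"}

# Constructed weak ruleset: no final deny, a world-open RDP rule, and HTTPS
# reachable from the whole corporate range.
WEAK_RULESET = """\
# vendor 'temporary' remote support rule left in place
allow tcp 0.0.0.0/0 -> 10.20.5.0/24 3389
allow tcp 10.20.9.10/32 -> 10.20.5.0/24 5900
allow tcp 192.168.0.0/16 -> 10.20.5.0/24 443
"""

# Constructed hardened ruleset: only jump hosts reach the HMI zone, then deny all.
HARDENED_RULESET = """\
allow tcp 10.20.9.10/32 -> 10.20.5.0/24 3389
allow tcp 10.20.9.11/32 -> 10.20.5.0/24 3389
allow tcp 10.20.9.10/32 -> 10.20.5.0/24 5900
deny any 0.0.0.0/0 -> 0.0.0.0/0 any
"""


def parse_rule(text):
    """Parse 'allow|deny <proto> <src> -> <dst> <port>' (constructed syntax)."""
    action, proto, src, _arrow, dst, port = text.split()
    return {"action": action, "proto": proto, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "port": port}


def is_default_deny(rule):
    return (rule["action"] == "deny" and rule["proto"] == "any"
            and rule["src"] == ANY and rule["dst"] == ANY and rule["port"] == "any")


def audit_ruleset(lines):
    """Return a list of findings; an empty list means the ruleset passes."""
    rules = [parse_rule(l) for l in lines if l.strip() and not l.startswith("#")]
    findings = []
    if not rules or not is_default_deny(rules[-1]):
        findings.append("ruleset is not deny-by-default "
                        "(last rule must be 'deny any 0.0.0.0/0 -> 0.0.0.0/0 any')")
    for i, r in enumerate(rules, 1):
        if r["action"] != "allow" or not r["dst"].overlaps(HMI_ZONE):
            continue
        key = f"{r['proto']}/{r['port']}"
        if key in MGMT_PORTS or r["port"] == "any":
            # The source must sit entirely inside one of the audited jump hosts.
            if not any(r["src"].subnet_of(j) for j in JUMP_HOSTS):
                svc = MGMT_PORTS.get(key, "all ports")
                findings.append(f"rule {i}: {svc} into HMI zone allowed from {r['src']} "
                                f"(only jump hosts {[str(j) for j in JUMP_HOSTS]} permitted)")
    return findings


if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(name, audit_ruleset(ruleset.splitlines()) or ["OK"])
```

The MFA requirement in the second point cannot be expressed in a packet filter; it belongs on the jump host or remote access gateway, which is why the check above insists that those hosts are the only permitted sources.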
## Compliance Alignment
The guidance provided by CISA and EPA aligns closely with established cybersecurity frameworks applicable to critical infrastructure:
- **NIST Cybersecurity Framework (CSF):** Focus areas include **Identify** (Asset Management of HMIs), **Protect** (Access Control, Asset Hardening), and **Detect** (Monitoring).
- **NIST SP 800-82 (Guide to ICS Security):** Directly addresses securing SCADA components, including HMIs, emphasizing segmentation and secure remote access.
- **CIS Critical Security Controls (CIS Controls):** Directly relevant controls include Control 4 (Secure Configuration of Enterprise Assets and Software), Control 5 (Account Management), and Control 12 (Network Infrastructure Management, especially segmentation).
## Common Pitfalls to Avoid
1. **Treating HMIs like IT Desktops:** Assuming standard IT user authentication or patching schedules are sufficient for OT HMIs, which often run legacy operating systems and require specialized handling.
2. **Over-Reliance on Physical Security Alone:** Believing that physical control over the control room is enough; remote access vulnerabilities are a primary threat vector, regardless of physical security posture.
3. **Ignoring Indirect Exposure:** Failing to scan for or identify HMIs that may have been inadvertently exposed during network reconfigurations or while temporarily connecting to corporate systems for maintenance updates.
4. **Delaying Segmentation Justification:** Waiting for a major budget cycle to implement necessary network segmentation; segmentation should be prioritized as a critical risk reduction measure.
## Resources
- **CISA/EPA Joint Fact Sheet:** Consult the official joint fact sheet released by CISA and EPA focusing on Internet-Exposed HMIs in the WWS sector. (Search terms: "CISA EPA Internet-Exposed HMIs")
- **NIST SP 800-82:** Utilize this publication for detailed technical guidance on securing Industrial Control Systems (ICS).
- **CISA Cyber Hygiene Practices:** Refer to general CISA guidance for critical infrastructure asset owners for foundational security steps.