Full Report
Waterbury has signed on to be one of the first municipalities in the country to participate — at... The post Waterbury joins DEF CON Franklin program to strengthen cybersecurity for water systems appeared first on Industrial Cyber.
Analysis Summary
# Best Practices: Cybersecurity for Water and Wastewater Utilities
## Overview
These practices are geared towards bolstering the cybersecurity posture of critical infrastructure sectors, specifically water and wastewater systems, which are often targeted due to a lack of dedicated IT oversight and potentially outdated security safeguards. The focus is on leveraging external expertise to identify risks, implement best practices, and develop formal response plans.
## Key Recommendations
### Immediate Actions
1. **Engage External Expertise:** Actively seek out and engage with specialized, vetted cybersecurity experts or programs (like DEF CON Franklin) to conduct initial system assessments of operational technology (OT) and IT environments.
2. **Conduct Initial System Profiling:** Provide volunteer or contracted security experts with an overview of current system knowledge, technology stacks, access methods (especially remote access), and existing security measures.
3. **Review Critical Access Controls:** Immediately assess and secure remote access points used by operators, as these have become common vectors for modern attacks (a shift from traditional physical security).
### Short-term Improvements (1-3 months)
1. **Develop an Incident Response Plan (IRP):** Prioritize the creation and documentation of a formal cybersecurity incident response plan tailored specifically for water/wastewater systems. This must detail steps to take following a suspected or confirmed breach.
2. **Address Known Vulnerabilities:** Based on initial expert assessments, remediate high-risk vulnerabilities, particularly those related to remote management and industrial control systems (ICS) configurations that could allow manipulation of chemical additives or pump settings.
3. **Establish Regular Security Check-ins:** Institute a recurring schedule for consulting with IT/security partners to review emerging threats and maintain system vigilance, acknowledging the rapidly changing technology landscape.
### Long-term Strategy (3+ months)
1. **Integrate Dedicated Oversight:** Begin planning and budgeting for dedicated cybersecurity oversight, either through in-house staff or through enhanced, proactive managed security services, rather than relying solely on general external contractors.
2. **Upgrade Security Safeguards:** Align current system safeguards with modern cybersecurity best practices, acknowledging that historical security measures (e.g., locked doors) are insufficient against modern digital threats.
3. **Incorporate Cyber Risk into Infrastructure Planning:** Ensure that cybersecurity assurance is a non-negotiable component of all future technology upgrades, replacements, and operational changes (similar to physical infrastructure replacement schedules).
## Implementation Guidance
### For Small Organizations
- **Leverage Free/Low-Cost Programs:** Actively seek out collaborative, volunteer-based programs (like DEF CON Franklin) to gain access to high-level expertise that would otherwise be unaffordable.
- **Focus on Foundational Documentation:** If dedicated IT staff is absent, prioritize creating clear, documented procedures for system access, patching schedules, and initial breach confirmation, relying on existing operators for knowledge transfer.
- **Contractor Vetting:** Rigorously vet existing technology contractors to ensure they hold contemporary cybersecurity competency, as they are often the first line of defense.
### For Medium Organizations
- **Formalize Partnerships:** Transition from ad-hoc consultations to formal, retainer-based partnerships with security firms specializing in OT/ICS environments.
- **Pilot Dedicated Roles:** If a full-time CISO/Security Manager is too large a step, define a specific role (even part-time) responsible for managing vendor security relationships and ensuring compliance with new requirements.
- **Cross-Train Operators:** Train existing water/wastewater operators to recognize the warning signs of a cyber intrusion, especially suspicious remote connection requests or unexpected system behavior.
### For Large Enterprises
- **Establish a Comprehensive Risk Framework:** Adopt a formal cybersecurity framework (NIST CSF or ISO 27001) and map the current industrial control systems (ICS) inventory against it.
- **Implement Advanced Monitoring:** Deploy Security Information and Event Management (SIEM) or specialized OT monitoring tools to detect lateral movement and anomalous activity across the network beyond simple perimeter defenses.
- **Regular Red/Blue Team Exercises:** Conduct annual penetration testing (Red Team) exercises focused specifically on manipulating SCADA/control systems and use the findings to refine defensive postures (Blue Team).
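As an added illustration of the monitoring the SIEM/OT-monitoring recommendation above calls for, and of the remote-access risk the pitfalls section returns to, the following Python applies a handful of rules of the kind a SIEM or OT monitoring platform would run over a jump host's authentication log. This is example code, not from the Industrial Cyber article, the DEF CON Franklin program or any vendor tool; the log lines, the host name `ot-jump`, the trusted networks, the working-hours window and the failure threshold are all constructed for the example.

```python
"""Added example: remote-access alerting rules over a jump host's auth log.
Not code from the article or DEF CON Franklin. The log lines below use the
OpenSSH "Accepted/Failed <method> for <user> from <ip>" format, but the host
"ot-jump", users, addresses and timestamps are constructed for illustration."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style lines from the hypothetical jump host "ot-jump".
SAMPLE_LOG = """\
2024-03-04T02:11:05 ot-jump sshd[2101]: Accepted keyboard-interactive/pam for operator1 from 203.0.113.40 port 51322 ssh2
2024-03-04T09:15:21 ot-jump sshd[2150]: Accepted publickey for operator2 from 10.20.1.15 port 50012 ssh2
2024-03-04T09:16:02 ot-jump sshd[2151]: Failed password for vendor from 198.51.100.7 port 40001 ssh2
2024-03-04T09:16:05 ot-jump sshd[2152]: Failed password for vendor from 198.51.100.7 port 40002 ssh2
2024-03-04T09:16:09 ot-jump sshd[2153]: Failed password for vendor from 198.51.100.7 port 40003 ssh2
2024-03-04T09:16:30 ot-jump sshd[2154]: Accepted password for vendor from 198.51.100.7 port 40004 ssh2
2024-03-04T14:40:11 ot-jump sshd[2201]: Accepted publickey for operator2 from 10.20.1.15 port 50140 ssh2
"""

# Constructed policy: the operator console subnet and the contracted vendor's range.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.1.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]
WORK_HOURS = (6, 20)        # remote logins are expected between 06:00 and 20:00
BRUTE_FORCE_THRESHOLD = 3   # failures from one source before a success is suspicious

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def analyze(log_text):
    """Run the rules and return (rule, user, source_ip) tuples in log order."""
    alerts = []
    failures = defaultdict(int)   # source IP -> failures since its last success
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip = ipaddress.ip_address(ev["ip"])
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            continue
        # Accepted login: evaluate each rule independently.
        if not any(ip in net for net in TRUSTED_NETWORKS):
            alerts.append(("untrusted_source", ev["user"], ev["ip"]))
        if not (WORK_HOURS[0] <= ev["ts"].hour < WORK_HOURS[1]):
            alerts.append(("off_hours_login", ev["user"], ev["ip"]))
        if ev["method"] == "password":
            # A login completed by password alone means no second factor ran.
            alerts.append(("single_factor_login", ev["user"], ev["ip"]))
        if failures[ev["ip"]] >= BRUTE_FORCE_THRESHOLD:
            alerts.append(("success_after_failures", ev["user"], ev["ip"]))
        failures[ev["ip"]] = 0
    return alerts


if __name__ == "__main__":
    for rule, user, src in analyze(SAMPLE_LOG):
        print(f"ALERT {rule}: user={user} source={src}")
```

On the constructed log this raises four alerts: the 02:11 login by `operator1` from an address outside the trusted networks trips both the untrusted-source and off-hours rules, and the `vendor` login that succeeds by password after three failures trips the single-factor and success-after-failures rules. Each rule is a separate tuple so a real deployment can route them to different severities.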
## Configuration Examples
*Specific technical configurations are context-dependent and were not detailed in the provided text, but guidance focuses on securing remote access and industrial control systems.*
**Actionable Configuration Best Practice:**
If remote access is used, enforce multi-factor authentication (MFA) on all VPNs and jump servers that connect to OT networks, even where the underlying control software does not natively support it.
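An added example, not code from the article or the DEF CON Franklin program: a small audit that reads an OpenSSH `sshd_config` for a jump host and reports whether it actually forces every login through a public key plus an interactive second factor. The `AuthenticationMethods`, `KbdInteractiveAuthentication`, `ChallengeResponseAuthentication`, `UsePAM` and `PasswordAuthentication` directives are real OpenSSH options; the three sample configurations are constructed, and delivering the second factor through a PAM module is an assumption of the example.

```python
"""Added example: audit an OpenSSH sshd_config for enforced MFA on a jump host.
Not code from the article or DEF CON Franklin; the sample configs are constructed.
Assumption: the second factor is delivered by a PAM module via keyboard-interactive."""

REQUIRED_CHAIN = {"publickey", "keyboard-interactive"}


def sshd_directives(text):
    """Map lowercase directive -> value. OpenSSH honours the first occurrence
    of a directive, so later duplicates are ignored here as well."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)
    return effective


def check_mfa(text):
    """Return a list of findings; an empty list means every accepted login
    must present a public key AND complete the interactive second factor."""
    d = sshd_directives(text)
    findings = []
    methods = d.get("authenticationmethods", "")
    if not methods:
        findings.append("AuthenticationMethods is unset: any single enabled method logs a user in")
        # With no method chain, a plain password is enough unless disabled.
        if d.get("passwordauthentication", "yes").lower() != "no":
            findings.append("PasswordAuthentication is not 'no': password alone is accepted")
    else:
        # Space-separated entries are alternatives; each one must be a comma
        # chain containing both required methods, or it is a single-factor path.
        for alternative in methods.split():
            if not REQUIRED_CHAIN <= set(alternative.split(",")):
                findings.append(f"AuthenticationMethods alternative '{alternative}' "
                                "does not require publickey and keyboard-interactive")
    # Older releases spell this directive ChallengeResponseAuthentication.
    kbd = d.get("kbdinteractiveauthentication",
                d.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "yes":
        findings.append("KbdInteractiveAuthentication is disabled: the second-factor prompt cannot run")
    if d.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM is not 'yes': a PAM-delivered second factor will not be invoked")
    return findings


# Constructed sample: defaults left in place on a jump host.
WEAK_CFG = """\
Port 22
PermitRootLogin no
UsePAM yes
PasswordAuthentication yes
"""

# Constructed sample: MFA chain present, but a password-only alternative left open.
MIXED_CFG = """\
Port 22
PermitRootLogin no
UsePAM yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive password
"""

# Constructed sample: public key plus PAM second factor, nothing else accepted.
HARDENED_CFG = """\
Port 22
PermitRootLogin no
UsePAM yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("mixed", MIXED_CFG), ("hardened", HARDENED_CFG)):
        result = check_mfa(cfg)
        print(f"{name}: {'OK' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

The mixed sample is the case worth remembering: `AuthenticationMethods` treats space-separated entries as alternatives, so a line that chains key and second factor but also lists `password` still lets a password alone in. To audit a live host, pass the contents of `/etc/ssh/sshd_config` (and any `Include`d fragments, which this example does not follow) to `check_mfa`.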
## Compliance Alignment
While the article does not cite specific compliance mandates, the practices align with recognized standards for critical infrastructure:
- **NIST Cybersecurity Framework (CSF):** Focus aligns heavily with the **Identify** (Asset Management, Risk Assessment), **Protect** (Access Control, Training), and **Respond** (Incident Response Plan) functions.
- **NIST SP 800-82:** Guidelines for securing Industrial Control Systems (ICS).
## Common Pitfalls to Avoid
- **Assuming Physical Security is Sufficient:** Do not rely solely on locking control room doors; modern threats bypass physical barriers entirely through remote connectivity.
- **Underestimating ICS Vulnerability:** Avoid the belief that operational technology (OT) systems are too specialized or isolated to be targeted. Cyberattacks on chemical dosing (as seen in other incidents) pose direct public health risks.
- **Reacting Only After an Incident:** Waiting for a breach to develop an incident response plan is dangerous, especially in time-sensitive environments like water treatment.
- **Neglecting Remote Access Security:** The shift to remote operations necessitates treating remote access points as high-value targets requiring the strictest possible controls.
## Resources
- **DEF CON Franklin:** Program providing volunteer expertise to high-risk communities (water/wastewater, K-12).
- **University of Chicago Harris School of Public Policy’s Cyber Policy Initiative:** Collaboration partner organizing the expert volunteer efforts.
- **National Rural Water Association:** Partner organization used to identify and match communities with the program.