Governance & Risk Management , Operational Technology (OT)
NIST Publishes Draft OT Cybersecurity Guide for Water Sector
Agency Seeks Feedback on OT Security Reference Guide for Water, Wastewater SectorsNetworked control systems in municipal water systems are inescapable even for the localities that would prefer otherwise. New equipment with default remote access and an over-stretched repair workforce mean cutting off municipal water systems from the internet isn't a real option.
The challenge is how to securely authorize remote access to on-premises systems without running the risk of becoming the next target of a nation-state attack, such as the one that vaunted the Municipal Water Authority of Aliquippa, Pennsylvania, last fall from standard-issue local utility to global news headline (see: Iranian Hacking Group Attacks Pennsylvania Water Authority).
The U.S. National Institute of Standards and Technology has some ideas. It's seeking public feedback on the first phase of a project aimed at securing water and wastewater utilities from emerging cyberthreats. NIST issued draft reference guides Wednesday for water utilities to secure operational technology despite remote connection ports.
See Also: 2024 Gartner® Magic Quadrant™ for Security Service Edge (SSE)
The first publication of the draft project is designed to offer solutions for a range of water and wastewater systems, as well as cloud-based remote access solutions that can be applied to water systems of all sizes.
The project is aimed at exploring the application of existing commercially available products to mitigate cybersecurity risks. NIST said the project will incorporate products provided by vendors that help improve asset management, enhance data integrity, expand network segmentation capabilities and still allow for remote access to OT assets from outside the OT environment.
NIST acknowledged that water utilities typically cover wide geographic areas and rely on supporting OT such as supervisory control and data acquisition systems that control automated processes, conduct monitoring and provide data transmission across the entire enterprise.
"The increasing adoption of network-enabled technologies by the sector merits the development of best practices, guidance, and solutions to ensure that the cybersecurity posture of facilities is safeguarded," the guidance says.
NIST's National Cybersecurity Center of Excellence included four scenarios that address critical cybersecurity concerns for the water and wastewater sector. The scenarios cover asset management issues, such as incomplete inventories of OT equipment and software that exclude offsite or remote devices, resulting in gaps in managing security configurations. Other concerns include data integrity, securing remote access to OT assets and ensuring adequate network segmentation to prevent threat actors from accessing sensitive systems and compromising operational integrity.
The reference guide recommends establishing methods, such as multifactor authentication and eliminating default accounts and passwords, to ensure security safeguards are configured across all devices.
The comment period on the draft publication is open until July 15 and comes as the Environmental Protection Agency warns of increased attacks targeting the water and wastewater sectors. Agency inspectors have also recently identified a series of "alarming cybersecurity vulnerabilities" across drinking water systems nationwide, warning that the vast majority of inspected systems have poor cyber hygiene (see: EPA Cracks Down on US Water System Cybersecurity Violations).
Experts previously told Information Security Media Group that both sectors lack funding and technical resources to comply with new federal security mandates and recommendations, even as the EPA and Cybersecurity and Infrastructure Security Agency have released a steady stream of free and low-cost resources in recent years.