Water is — said without pathos — our elixir of life. After the air we breathe, we depend on nothing more to survive. We are made up of about 70 percent water and can survive only a few days without its replenishment. So it’s fair to say that few other areas of critical infrastructure are as important to us as the supply of pure drinking water. But in the face of rising global tensions, there is growing concern that water supplies, which are as important as they are vulnerable, could become the target of cyberattacks.
Earlier this year, on January 11, 2022, the Joint Research Center of the European Reference Network for Critical Infrastructure Protection (ERNCIP) published its Water Security Plan in the form of a handbook. This addresses the implementation of security measures to protect the physical and digital integrity of water supply systems. The plan is intended to enable drinking water supply operators to lay the groundwork for implementing specific measures to improve water system security against threats and attacks.
Security standards to provide guidance
To secure the water utility’s digital flank, it is first helpful to look to standards such as ISO, IEC, ISA or other best practices for cybersecurity. They provide security officers with structured guidance on what security measures, if any, have already been implemented and where they still need to catch up. But standards, certifications and regulations are subject to bureaucracy and must go through lengthy processes before they can respond to current changes in the threat environment.
In contrast, cybercriminals’ attack techniques are constantly evolving. Often, newly discovered security vulnerabilities are exploited for days or weeks before they become publicly known and come to the attention of security officers.
Defenders are thus always at a disadvantage because they can only react to the dynamic threat situation.
To avoid falling behind against hostile actors and to detect potential attack attempts at an early stage, it is therefore advisable to keep an eye on data traffic throughout the entire plant network and watch out for anomalies.
Seamless real-time analysis and identification of suspicious anomalies are the best protection against cyberattacks
Section 2.2.3 of the ERNCIP report addresses water utilities’ cyber detection systems and identifies the following three items as priority security strategy actions:
Normal State Modeling
Sensor data as well as traffic are analyzed using “unsupervised” algorithms. Both the circulating data packets and the IP addresses of all sending and receiving devices are considered. Ports and protocols used for communication are also included in the analysis. From the sum of all these data, a normal state is extrapolated, whereby later deviations can be identified as warning signals.
Real-time protection systems for sensor data
To be able to guarantee the integrity of sensor data, it must be possible to monitor it in real time. By detecting deviations at an early stage, not only can potential attacks be averted, but malfunctions can also be corrected more quickly during ongoing operations.
Establishment of a Security Information and Event Management (SIEM) system
SIEM is a proven IT security tool that allows its users to anticipate potential incidents and thus be prepared for the worst case scenario.
High-performance correlation methods allow data from different levels to be drawn upon and combined to form a situation picture. This allows early warning signals to be generated, on the basis of which security managers can take informed countermeasures.
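The three priority actions above fit together as one pipeline. The following is an added example in Python, not code from the original article or from Nozomi Networks: a toy normal-state model learned from observed flow records (a simple set-based baseline stands in for the unsupervised algorithms the report refers to), a real-time band check on a sensor signal, and a small SIEM-style correlation that joins a network anomaly and a process anomaly on the same controller into one situation picture. Every host address, flow record and chlorine reading is constructed sample data; the host roles (HMI, PLC, historian, syslog collector) are assumptions for the example.

```python
"""Added example, not code from the original article or from Nozomi Networks.
Toy version of the three ERNCIP detection priorities: (1) normal-state model
from observed flows, (2) real-time sensor checks, (3) SIEM-style correlation.
All addresses, flows and readings are constructed sample data."""
from collections import Counter
import statistics

# --- (1) Normal state modelling -------------------------------------------
# Constructed observation period: (src, dst, dst_port, protocol) per flow.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 502, "tcp"),   # HMI -> PLC A, Modbus/TCP (assumed roles)
    ("10.0.1.10", "10.0.2.21", 502, "tcp"),   # HMI -> PLC B
    ("10.0.1.11", "10.0.2.20", 502, "tcp"),   # historian polls PLC A
    ("10.0.2.20", "10.0.1.12", 514, "udp"),   # PLC A -> syslog collector
] * 25  # repeated to stand in for a long observation window


class NormalStateModel:
    """Unsupervised baseline: which flow tuples are normal, and which hosts and
    ports appear at all. Tuples seen fewer than `min_count` times are noise."""

    def __init__(self, flows, min_count=3):
        counts = Counter(flows)
        self.known_flows = {f for f, c in counts.items() if c >= min_count}
        self.known_hosts = {h for f in self.known_flows for h in f[:2]}
        self.known_ports = {f[2] for f in self.known_flows}

    def score(self, flow):
        """Return the reasons a flow deviates from the baseline (empty = normal)."""
        if flow in self.known_flows:
            return []
        src, dst, port, proto = flow
        reasons = []
        if src not in self.known_hosts:
            reasons.append(f"unknown source host {src}")
        if dst not in self.known_hosts:
            reasons.append(f"unknown destination host {dst}")
        if port not in self.known_ports:
            reasons.append(f"unseen port {port}/{proto}")
        if not reasons:
            reasons.append("new pairing of known hosts and ports")
        return reasons


# --- (2) Real-time sensor checks -----------------------------------------
# Constructed free-chlorine residual readings (mg/l) from normal operation.
CHLORINE_HISTORY = [0.48, 0.50, 0.52, 0.49, 0.51, 0.50, 0.47, 0.53, 0.50, 0.50]


class SensorMonitor:
    """Flags a reading more than `k` standard deviations from the mean of the
    readings collected during normal operation."""

    def __init__(self, history, k=3.0):
        self.mean = statistics.mean(history)
        self.stdev = statistics.pstdev(history)
        self.k = k

    def check(self, value):
        """True if the reading lies outside the learned band."""
        if self.stdev == 0:          # constant signal: any change is a deviation
            return value != self.mean
        return abs(value - self.mean) > self.k * self.stdev


# --- (3) SIEM-style correlation ------------------------------------------
def correlate(flow_alerts, sensor_alerts, window=60):
    """Join a network anomaly and a process anomaly on the same controller
    within `window` seconds into one high-severity incident.
    Alerts are (timestamp_seconds, host, description) tuples."""
    incidents = []
    for ft, fhost, fdesc in flow_alerts:
        for st, shost, sdesc in sensor_alerts:
            if fhost == shost and abs(st - ft) <= window:
                incidents.append({"host": fhost, "severity": "high",
                                  "network": fdesc, "process": sdesc})
    return incidents


def run_demo():
    """Feed constructed live events through all three stages; returns incidents."""
    model = NormalStateModel(BASELINE_FLOWS)
    monitor = SensorMonitor(CHLORINE_HISTORY)
    # Constructed live traffic; the second flow comes from a never-seen host.
    live_flows = [(100, ("10.0.1.10", "10.0.2.20", 502, "tcp")),
                  (110, ("10.0.9.99", "10.0.2.20", 502, "tcp"))]
    # Constructed live readings: (timestamp, controller, chlorine mg/l).
    live_readings = [(105, "10.0.2.20", 0.51), (130, "10.0.2.20", 2.40)]
    flow_alerts = []
    for t, flow in live_flows:
        reasons = model.score(flow)
        if reasons:
            flow_alerts.append((t, flow[1], "; ".join(reasons)))
    sensor_alerts = []
    for t, plc, value in live_readings:
        if monitor.check(value):
            sensor_alerts.append((t, plc, f"chlorine residual {value} mg/l outside learned band"))
    return correlate(flow_alerts, sensor_alerts)
```

Either alert on its own is worth a ticket; the correlation step is what turns a new talker on the PLC network plus a chlorine reading outside the learned band, twenty seconds apart on the same controller, into a single high-severity incident an operator can act on. The observation window and the three-sigma band are tunables that should be set from the plant's own history, not from this constructed data.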
Quality of information is crucial
The “how?” is more important than the “how much?” for analyzing network traffic. An experienced attacker rarely generates a suspiciously high volume of traffic. He is interested in acting as inconspicuously as possible, nesting in the system and then striking at a critical moment.
The best way to identify an attacker is to look for anomalies. To do this, one must analyze the logs down to the payloads and scrutinize the nature of all circulating data. Likewise, the infrastructure that controls the industrial processes should be examined.
In order to obtain reliable insight into, and professional analysis of, all processes, an extensive arsenal of sensors is just as important as 24/7 monitoring and evaluation of all collected data. From a long period of observation, the parameters for the proper functioning of a plant can be determined. Significant deviations from the norm can indicate a malfunction or even a cyberattack.
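The passage above argues that the nature of the traffic matters more than its volume, and that analysis must reach the payloads and the infrastructure controlling the industrial process. The following added example (not code from the original article or from Nozomi Networks) shows what that looks like for one control protocol: a parser for Modbus/TCP request frames and an inspector that flags a write command from any host that was not seen issuing writes during the normal-state observation period, plus a malformed frame, regardless of how few bytes were involved. Modbus/TCP is an assumption for the example (the article names no protocol); the frames, host addresses and the set of allowed writers are all constructed.

```python
"""Added example, not code from the original article or from Nozomi Networks.
Payload-level inspection of Modbus/TCP requests: one well-formed write from the
wrong host is the signal, whatever the byte count. All frames, addresses and
the allowed-writer set are constructed sample data."""
import struct

# Modbus function codes from the public protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


def parse_modbus_tcp(frame):
    """Parse the 7-byte MBAP header and function code of a Modbus/TCP request.
    Raises ValueError for frames that do not fit the format."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    if length != len(frame) - 6:   # length field counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "function": frame[7], "data": frame[8:]}


def inspect_frame(src, frame, allowed_writers):
    """Return an alert string, or None if the frame is within policy.
    `allowed_writers` holds the hosts observed issuing writes during the
    normal-state observation period."""
    try:
        pdu = parse_modbus_tcp(frame)
    except ValueError as err:
        return f"malformed Modbus/TCP frame from {src}: {err}"
    fc = pdu["function"]
    name = FUNCTION_NAMES.get(fc, f"function 0x{fc:02x}")
    if fc in WRITE_FUNCTIONS and src not in allowed_writers:
        return f"{name} from {src} (unit {pdu['unit_id']}), host not in write baseline"
    if fc not in FUNCTION_NAMES:
        return f"unrecognised {name} from {src}"
    return None


# Constructed frames: MBAP header (transaction id, protocol id 0, length,
# unit id) followed by the PDU (function code, data).
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")   # read 10 registers from 0
WRITE_SETPOINT = bytes.fromhex("0002 0000 0006 01 06 0010 0032")  # write register 0x10 = 50
TRUNCATED = bytes.fromhex("0003 0000 0006 01 06 0010")            # length field does not match

ALLOWED_WRITERS = {"10.0.1.10"}  # constructed: only the HMI wrote during the baseline period


def run_demo():
    """Run constructed (src, frame) pairs through the inspector; returns the alerts."""
    traffic = [
        ("10.0.1.11", READ_HOLDING),     # historian read: normal
        ("10.0.1.10", WRITE_SETPOINT),   # HMI write: normal
        ("10.0.9.99", WRITE_SETPOINT),   # identical bytes, unexpected host: alert
        ("10.0.1.10", TRUNCATED),        # malformed frame: alert
    ]
    alerts = []
    for src, frame in traffic:
        alert = inspect_frame(src, frame, ALLOWED_WRITERS)
        if alert:
            alerts.append(alert)
    return alerts
```

The second and third frames are byte-for-byte identical; only the source host differs, which is exactly the kind of signal a volume-based view cannot see. The malformed frame is flagged rather than dropped silently, because a parser that fails quietly on odd input is itself a blind spot.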
The more accurate and up-to-date the overall picture, the better it is possible to respond to critical incidents
A full complement of sensors, as well as intelligent and seamless monitoring of all the data they transmit, is critical to the security of water supply operations. Hardly any other supply system is as essential to society and as sensitive to disruptions as the water supply. There is a reason why the legal limits for water purity are among the strictest regulations for food in the world.
It’s time to focus on safeguarding against cyberattacks with the same sense of responsibility. Extensive sensor equipment and real-time data monitoring can not only protect against cyberattacks, but also help to detect and correct other malfunctions that could affect water integrity at an early stage.
Image credit: EpicStockMedia/depositphotos.com
Paul Evans is Technical Lead at Nozomi Networks