Security

Municipal Utilities Bolster Their Cyber Defenses

The Albuquerque Bernalillo County Water Utility Authority in New Mexico gains greater visibility into network traffic.

Philadelphia-based writer David Raths has served as managing editor of InfoWorld and the Portland Business Journal. He covers information technology topics for several publications, including Healthcare Informatics, Public CIO, Campus Technology and THE Journal.

In 2021, a hacker remotely accessed a computer controlling the water treatment system in Oldsmar, Fla. According to news reports, the hacker attempted to change the sodium hydroxide in the water supply from about 100 parts per million to more than 11,100 parts per million. A supervisor working remotely saw the concentration being changed on his computer screen and immediately reverted it, according to a story in the Tampa Bay Times.

That breach and the Colonial Pipeline ransomware attack were wake-up calls to the utility sector, which finds itself a major target for malicious acts and ransomware.

At an October 2021 summit of electrical utility officials, Manny Cancel, CEO of the Electricity Information Sharing and Analysis Center, said the E-ISAC saw a nearly ninefold increase in ransomware information sharing via their secure portal, indicating an escalation in threat level.

To stop cyberattacks and physical attacks, the Albuquerque Bernalillo County Water Utility Authority in New Mexico has turned to Internet of Things technologies and cybersecurity solutions to gain visibility into its computer networks and physical infrastructure. The attack in Florida is not what initiated the project, says Kristen Sanders, CISO for the water district, “but the timing definitely was impeccable.”

Click the banner below to get access to a customized cybersecurity content experience.

Convergence of IT and OT Expands Data Sharing

Like a lot of utilities, in 2020 Albuquerque sought to converge its IT and operational technology networks. Sanders recalls that when IT got involved, a lot of the equipment on the network was on “life support.”

“We had some serious concerns: If one of these switches crashes and burns, how would we get a replacement? The technology was so old that none of the new equipment would even be compatible. We realized the equipment definitely needed to be replaced before something broke.”

As the IT team started working with the OT group to upgrade the network, they also realized that they had limited visibility into activity on the network. They didn’t understand how the OT network was connected, what was on it or what normal traffic looked like.

“That was pretty concerning, because we have a lot of security tools that were implemented on our IT side that we did not have on the OT side,” Sanders says.

Albuquerque worked with Cisco to deploy Cyber Vision, which has asset inventory and threat detection tools designed for industrial network equipment.

“The cool thing about Cyber Vision is that the switches we purchased have sensors built into them, so we’re able to view what assets we have,” Sanders says. “It tells us what protocols are running and what’s talking to what. It will actually allow us to do baselining of what normal network traffic looks like. That allows us to set up alerting, so we know immediately if suddenly something starts talking to something new or a new device pops up.”

Feeding Data into Security Tools Empowers Visibility

Sanders’s team can pull all that information into its Splunk enterprise security information and event management tool. The anomaly detection tool can find a threat actor within the network or determine whether something is simply malfunctioning.

“We can now see that there is an issue before a bigger problem occurs,” she says. “That could be a big cost savings, depending on what the problem is. We can go in there and take care of that before there’s an outage.”

The water district also is working on microsegmentation within the data center.

“It’s a very nice way of managing your Windows firewall rules on the servers without going in and manually doing changes to each server,” Sanders explains. “This gives you a nice graphical interface and a way of organizing everything into application groups to say, ‘These servers are part of this application group. These applications talk to these other applications and nothing else.’”

During the pandemic, the water district has used Cisco Webex and Duo Security to allow its employees to work remotely and continue to view networks and water systems.

EXPLORE: Learn how to protect operational technology in smart cities.

Cybersecurity Standards Harden Utilities Against Hackers

Sanders says that public utilities are making progress on cybersecurity standards. The energy industry has the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), a set of requirements designed to secure the assets required for operating North America’s electric system. The water sector has America’s Water Infrastructure Act, which Sanders calls a step in the right direction.

“If you look at how stringent NERC CIP is, I would like to see the water utilities get to that,” she says. “But right now, I feel like it’s up to the individual organization in terms of how far they want to take their security posture. There is no regulatory mandate that they can point to and say, ‘We have to hit this bar.’”

The American Public Power Association has created a Public Power Cybersecurity Roadmap to help public power utilities enhance their cybersecurity programs. The roadmap breaks down into four stages how a public power utility can develop and implement an action plan to improve cybersecurity practices.

APPA also offers a Cyber Incident Response Playbook. Among other things, it offers advice and templates to coordinate messaging about any cyber incidents a utility might experience.

ArtistGNDphotography/Getty Images