Convergence of IT and OT Expands Data Sharing
Like a lot of utilities, in 2020 Albuquerque sought to converge its IT and operational technology networks. Sanders recalls that when IT got involved, a lot of the equipment on the network was on “life support.”
“We had some serious concerns: If one of these switches crashes and burns, how would we get a replacement? The technology was so old that none of the new equipment would even be compatible. We realized the equipment definitely needed to be replaced before something broke.”
As the IT team started working with the OT group to upgrade the network, they also realized that they had limited visibility into activity on the network. They didn’t understand how the OT network was connected, what was on it or what normal traffic looked like.
“That was pretty concerning, because we have a lot of security tools that were implemented on our IT side that we did not have on the OT side,” Sanders says.
“The cool thing about Cyber Vision is that the switches we purchased have sensors built into them, so we’re able to view what assets we have,” Sanders says. “It tells us what protocols are running and what’s talking to what. It will actually allow us to do baselining of what normal network traffic looks like. That allows us to set up alerting, so we know immediately if suddenly something starts talking to something new or a new device pops up.”
Feeding Data into Security Tools Empowers Visibility
Sanders’s team can pull all that information into its security information and event management (SIEM) tool, Splunk Enterprise Security. The anomaly detection tool can find a threat actor within the network or determine whether something is simply malfunctioning.
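The detection logic described in the two passages above, learning a baseline of assets and conversations from passive sensor data and then alerting when a new device appears or a known host starts talking to something new, can be sketched in a few dozen lines. The following is an added example and not Cyber Vision's or Splunk's code; the flow records are constructed, and the key=value rendering is simply a form a SIEM ingests without custom field extraction.

```python
"""Baseline-and-alert logic of the kind passive switch sensors and SIEM
anomaly detection provide: learn which assets exist and who talks to whom,
then flag anything outside that baseline. Added example; the flow records are
constructed, not captured from any real network."""
from collections import defaultdict

# Constructed flow summaries from a learning period: (src, dst, protocol, port)
BASELINE_FLOWS = [
    ("10.1.0.10", "10.1.0.20", "modbus", 502),   # HMI -> PLC
    ("10.1.0.10", "10.1.0.21", "modbus", 502),   # HMI -> second PLC
    ("10.1.0.5", "10.1.0.10", "https", 443),     # engineering station -> HMI
    ("10.1.0.5", "10.1.0.10", "https", 443),     # repeats are normal, not alerts
]

# Constructed live traffic observed after the baseline was established
LIVE_FLOWS = [
    ("10.1.0.10", "10.1.0.20", "modbus", 502),   # known conversation
    ("10.1.0.99", "10.1.0.20", "modbus", 502),   # never-seen host polls a PLC
    ("10.1.0.5", "10.1.0.21", "https", 443),     # known hosts, new pairing
    ("10.1.0.10", "10.1.0.20", "telnet", 23),    # known pair, new protocol
]


def learn_baseline(flows):
    """Return (known assets, {(src, dst): {(protocol, port), ...}})."""
    assets = set()
    conversations = defaultdict(set)
    for src, dst, proto, port in flows:
        assets.update((src, dst))
        conversations[(src, dst)].add((proto, port))
    return assets, dict(conversations)


def detect_anomalies(baseline, flows):
    """Compare live flows with the baseline; the first tier that fails
    (unknown host, then unknown pair, then unknown protocol) is reported."""
    assets, conversations = baseline
    alerts = []
    for src, dst, proto, port in flows:
        unknown = [h for h in (src, dst) if h not in assets]
        if unknown:
            kind = "new_device"
        elif (src, dst) not in conversations:
            kind = "new_conversation"
        elif (proto, port) not in conversations[(src, dst)]:
            kind = "new_protocol"
        else:
            continue  # within baseline, nothing to report
        alerts.append({"kind": kind, "src": src, "dst": dst,
                       "proto": proto, "port": port,
                       "unknown_hosts": unknown})
    return alerts


def to_siem_events(alerts, source="ot-baseline"):
    """Render alerts as key=value lines, a form a SIEM parses without
    custom extraction rules."""
    lines = []
    for a in alerts:
        fields = [f"source={source}", f"alert={a['kind']}", f"src={a['src']}",
                  f"dst={a['dst']}", f"proto={a['proto']}", f"port={a['port']}"]
        if a["unknown_hosts"]:
            fields.append("unknown=" + ",".join(a["unknown_hosts"]))
        lines.append(" ".join(fields))
    return lines


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_FLOWS)
    for line in to_siem_events(detect_anomalies(baseline, LIVE_FLOWS)):
        print(line)
```

The ordering of the checks matters in practice: a brand-new host is reported once as a device finding rather than once per conversation it opens, and a known pair changing protocol (Modbus to Telnet here) is surfaced separately from a known host simply reaching a new peer, which is the distinction an analyst needs to tell a misbehaving device from a genuinely foreign one.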
“We can now see that there is an issue before a bigger problem occurs,” she says. “That could be a big cost savings, depending on what the problem is. We can go in there and take care of that before there’s an outage.”
The water district also is working on microsegmentation within the data center.
“It’s a very nice way of managing your Windows firewall rules on the servers without going in and manually doing changes to each server,” Sanders explains. “This gives you a nice graphical interface and a way of organizing everything into application groups to say, ‘These servers are part of this application group. These applications talk to these other applications and nothing else.’”
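The application-group model Sanders describes, where servers belong to groups and only group-to-group conversations that are declared are permitted, amounts to compiling a small policy into per-server inbound allow lists with everything else denied. The following is an added example, not the district's policy or any product's code; the group names, addresses and ports are hypothetical, and the rendered Windows firewall commands use the real New-NetFirewallRule cmdlet with a naming convention invented for the example.

```python
"""Application-group microsegmentation compiled into per-server inbound allow
lists, with everything else denied by the host firewall. Added example; the
group names, addresses and ports are hypothetical, and the rule text is
generated here rather than taken from any product."""

# Constructed application groups: name -> member server addresses
GROUPS = {
    "scada-hmi": ["10.2.0.11", "10.2.0.12"],
    "historian": ["10.2.0.21"],
    "directory": ["10.2.0.31"],
}

# Constructed policy: (client group, server group, tcp port). Only listed
# conversations are permitted; a flow that matches nothing is blocked.
POLICY = [
    ("scada-hmi", "historian", 1433),   # HMIs write to the historian DB
    ("scada-hmi", "directory", 389),    # HMIs authenticate via LDAP
    ("historian", "directory", 389),
]


def compile_rules(groups, policy):
    """Return {server_ip: sorted list of (client_ip, port)} inbound allows.

    Raises ValueError on a policy line that names an undefined group, so a
    typo cannot silently produce an empty (that is, fully closed) rule set.
    """
    rules = {ip: set() for members in groups.values() for ip in members}
    for client_group, server_group, port in policy:
        for name in (client_group, server_group):
            if name not in groups:
                raise ValueError(f"policy references undefined group {name!r}")
        for server in groups[server_group]:
            for client in groups[client_group]:
                rules[server].add((client, port))
    return {ip: sorted(allows) for ip, allows in rules.items()}


def is_allowed(rules, client_ip, server_ip, port):
    """Deny by default: permit only an explicitly compiled (client, port)."""
    return (client_ip, port) in rules.get(server_ip, [])


def render_powershell(rules, server_ip):
    """Render one server's allow list as New-NetFirewallRule commands (the
    cmdlet and its parameters are real; the rule naming is this example's own)."""
    cmds = []
    for client, port in rules[server_ip]:
        cmds.append(
            f'New-NetFirewallRule -DisplayName "seg-{client}-{port}" '
            f"-Direction Inbound -Action Allow -Protocol TCP "
            f"-LocalPort {port} -RemoteAddress {client}"
        )
    return cmds


if __name__ == "__main__":
    rules = compile_rules(GROUPS, POLICY)
    for cmd in render_powershell(rules, "10.2.0.31"):
        print(cmd)
```

Two properties of the compiled result are worth checking before pushing rules to servers: direction is preserved (the historian may reach the directory server on 389, but nothing in the policy lets the directory server open connections back to an HMI), and a host outside every group has no inbound allows at all, which is the intended outcome for an unclassified server rather than an error.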
Cybersecurity Standards Harden Utilities Against Hackers
Sanders says that public utilities are making progress on cybersecurity standards. The energy industry has the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards, a set of requirements designed to secure the assets required for operating North America’s electric system. The water sector has America’s Water Infrastructure Act, which Sanders calls a step in the right direction.
“If you look at how stringent NERC CIP is, I would like to see the water utilities get to that,” she says. “But right now, I feel like it’s up to the individual organization in terms of how far they want to take their security posture. There is no regulatory mandate that they can point to and say, ‘We have to hit this bar.’”
The American Public Power Association has created a Public Power Cybersecurity Roadmap to help public power utilities enhance their cybersecurity programs. The roadmap breaks down into four stages how a public power utility can develop and implement an action plan to improve cybersecurity practices.
APPA also offers a Cyber Incident Response Playbook. Among other things, it offers advice and templates to coordinate messaging about any cyber incidents a utility might experience.