Improving Cybersecurity in the Water Industry

At the 2024 Ovation Users Conference, Emerson’s Alejandro Cruz presented Power & Water Cybersecurity Suite (PWCS)—Mapping to the NIST & CISA Cyber Action Recommendations. Here is his presentation abstract:

Top Cyber Actions for Securing Water Systems. The Power and Water Cybersecurity Suite (PWCS) supports customer practices and compliance needs related to NIST, ISO, ISA and other standards. Developing an effective security program requires documentation of how the customer meets each individual requirement of a particular standard. The purpose of this breakout is to document and explain how various functions within PWCS relate to security requirements and standards related to cybersecurity. The presentation will include a discussion of CISA’s top actions and how Emerson products and services can assist with accomplishing the recommended actions.

Alejandro opened by explaining that this presentation has 4 different focuses. For the framework he is referencing the NIST CSF; for standards, IEC 62443-3-3 and ISO 27001; and for recommendations, those from CISA and the EPA.

The IEC 62443-3-3 network and system security standard provides detailed technical control system requirements (SRs) associated with the seven foundational requirements (FRs) described in IEC 62443-1-1. Each control can be defined in up to 4 security levels.

The ISO/IEC 27001 standard enables organizations to establish an information security management system and apply a risk management process that is adapted to their size and needs. It defines ten requirements and relates to ISO 27002: Code of Practice for information security controls.

Entities that provide cybersecurity actions for the water and wastewater industries in the U.S. include the Cybersecurity & Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA). CISA is the operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience. In February 2024, CISA released the Top Cyber Actions for Securing Water Systems.

The EPA released five suggestions for managing cybersecurity in the Water Sector.

The Power and Water Cybersecurity Suite (PWCS) fully complements suite modules.

CISA advises you to start with an inventory of your IT and OT assets, because you can’t protect what you don’t know about. IT networks may communicate with OT networks, so it is essential to have inventoried both. Emerson offers an asset inventory service to help build this inventory. Tools from Ovation and PWCS can assist in collecting some of the data.

The PWCS Vulnerability Assessment Module enables on-site automated/scheduled vulnerability scans on the network. Using Rapid7 Nexpose, the Emerson team configures the solution tailored to your systems’ needs to perform scans per the requirements of standards or the site’s security policy. This helps you comply with ISO 27001 A.8.8, Management of technical vulnerabilities.

CISA recommends utilities conduct cybersecurity assessments regularly to understand the vulnerabilities within OT and IT systems. Assessments enable utilities to identify, assess, and prioritize mitigating vulnerabilities in both OT and IT networks.

The PWCS Cybersecurity Assessment Services aim to identify vulnerabilities in the OS or firmware of the assessed resources, after which a mitigation plan for the identified vulnerabilities is produced. The service also includes a system configuration review.

CISA recommends mitigating known vulnerabilities and keeping all systems updated with patches and security updates. The Vulnerability Assessment Module identifies vulnerabilities and provides a list of them, along with an analysis of which might be mitigated. This list can be used as a guide in mitigating the patchable areas.

Network monitoring can be performed using Dragos and Nozomi Networks network monitoring applications. These applications continuously identify and inventory network-connected devices using real-time asset mapping to detect changes, such as new or dropped assets. They establish a baseline for known network-connected devices and perform protocol detection to assist in anomalous device and communication detection.
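The baseline-and-diff step described above, as an added example (not Dragos, Nozomi or Emerson code): two constructed inventory snapshots keyed by IP are compared to flag new assets, dropped assets, and known assets whose type or observed protocols changed. All addresses, hostnames and protocols are hypothetical.

```python
"""Baseline comparison for OT/IT asset inventories (added example, not Emerson/PWCS code).

Each snapshot maps an asset's IP to the attributes an asset-mapping tool would
record: hostname, device type, and the protocols it has been seen speaking.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    kind: str                      # e.g. "PLC", "RTU", "HMI", "Workstation"
    protocols: frozenset = field(default_factory=frozenset)


def compare_baseline(baseline: dict, observed: dict) -> dict:
    """Return new, dropped and changed assets between two snapshots keyed by IP."""
    new = sorted(set(observed) - set(baseline))
    dropped = sorted(set(baseline) - set(observed))
    changed = []
    for ip in set(baseline) & set(observed):
        before, after = baseline[ip], observed[ip]
        diffs = []
        if before.kind != after.kind:          # device re-identified as another type
            diffs.append(f"kind {before.kind}->{after.kind}")
        added_protos = after.protocols - before.protocols
        if added_protos:                       # a protocol not in the baseline appeared
            diffs.append("new protocols " + ",".join(sorted(added_protos)))
        if diffs:
            changed.append((ip, diffs))
    return {"new": new, "dropped": dropped, "changed": sorted(changed)}


# Constructed sample snapshots (hypothetical addresses, names and protocols).
BASELINE = {
    "10.10.1.10": Asset("10.10.1.10", "plc-intake-01", "PLC", frozenset({"modbus"})),
    "10.10.1.20": Asset("10.10.1.20", "rtu-pump-02", "RTU", frozenset({"dnp3"})),
    "10.10.2.5": Asset("10.10.2.5", "hmi-ops-01", "HMI", frozenset({"opc-ua"})),
}
OBSERVED = {
    "10.10.1.10": Asset("10.10.1.10", "plc-intake-01", "PLC", frozenset({"modbus", "http"})),
    "10.10.2.5": Asset("10.10.2.5", "hmi-ops-01", "HMI", frozenset({"opc-ua"})),
    "10.10.3.7": Asset("10.10.3.7", "unknown", "Unknown", frozenset({"smb"})),
}

if __name__ == "__main__":
    for category, items in compare_baseline(BASELINE, OBSERVED).items():
        print(category, items)
```

Each category is what an analyst would triage: a dropped RTU may be a failure or a disconnection, and a PLC that starts speaking a protocol absent from its baseline is worth a closer look.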

Ovation networks are designed with network segmentation so that the system cannot be connected directly to the Internet. Other devices, such as PLCs, RTUs, sensors, and so forth, may be connected to the Internet, and these may also be connected to Ovation via links, IP switches, or other connection types. Cybersecurity Assessments can assist in identifying risks and misconfigurations in these networks.

Use DMZ zones and firewalls to ensure ICS devices are not connected directly to the Internet or to networks exposed to the Internet. Reinforce these boundaries with Network Security Monitoring solutions.

Default passwords should be changed immediately. Cybersecurity Assessments can help by testing devices for default passwords and by providing a plan for password safe-keeping and management.

Another CISA top action recommendation is to conduct cybersecurity awareness training annually, at a minimum, to help all employees understand the importance of cybersecurity and how to prevent and respond to cyberattacks. Emerson can provide consultation services for guidance when creating or reviewing an awareness training plan for company personnel.

The PWCS Antivirus Module is based on the Trellix Endpoint Security real-time virus and malware protection provided to workstations and servers with Microsoft Windows operating systems. It automatically identifies and repairs or quarantines spyware, adware, viruses, and other malicious intruders.

Trellix Application and Change Control allows users to mitigate malware threats effectively. Application Control compensates for the shortcomings of block-listing technology by allow-listing only those programs permitted to run on servers and workstations.

The PWCS Device Control Module enables secure and centralized management of storage devices associated with Windows-based workstations and servers, such as USB devices.

The PWCS Security Incident and Event Management Module provides automated data collection; the collected data is parsed to generate security events that can be used in incident response. It uses Trellix ESM, and Emerson configures the solution tailored to the site’s needs to collect Windows Security Events and Syslog data from different assets.

For the CISA Top Action: Develop and Exercise Cybersecurity Incident Response and Recovery Plans, it’s essential to understand incident response actions, roles, and responsibilities, as well as who to contact and how to report a cyber incident before one occurs, to ensure readiness against potential targeting. It’s recommended that you:

  • Work with corporate to identify any existing processes that might be implemented for the OT networks
  • Define the roles of the personnel involved in the process
  • Identify any reporting needs per standards or regulatory compliance

The PWCS Backup and Recovery Module provides automated backups for Ovation servers and HMIs. It uses the Acronis Backup and Recovery module, and Emerson configures the solution to back up the Windows Servers and HMIs for Ovation and PWCS. Other methods are used to back up configurations and databases for Ovation databases and OPH.

Visit the Power and Water Cybersecurity Suite page on Emerson.com for more information on each module to help you meet these requirements and harden your cybersecurity posture.

The post Improving Cybersecurity in the Water Industry appeared first on the Emerson Automation Experts blog.