Welcome back to ‘15 Cybersecurity Fundamentals Awareness Month’ (15CFAM), WaterISAC’s supplement to National Cybersecurity Awareness Month (NCSAM). 15CFAM aims to walk through WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities. Today we saunter among safeguarding systems from unauthorized access and exposure from cyber and physical threats. If you have missed previous installments, just search ‘15CFAM’ in the Resource Center!
So far, we have covered the utmost importance of beginning every cybersecurity program with a comprehensive asset inventory. We then parlayed into assessing the risks to/from what we now know we have. Now that we know more about the risks, we can begin safeguarding our systems from exposure to hostile networks and unauthorized access.
By effectively segmenting networks and assets, placing traffic restrictions, and encrypting data and communications pathways, we can protect the control system (or any) environment from “hostile,” untrusted networks – which is theoretically everything outside the control system (or any other protected) network. Likewise, applying role-based computer access controls, principle of least privilege, and zero trust models, users can be restricted from accessing critical systems and files they are not authorized to access.
But hostile networks, traffic, data, and unauthorized electronic access are not the only things threatening the safety and integrity of our control systems. Adversaries also seek to gain physical access to equipment to compromise it. Therefore, the implementation of non-technical, physical security controls to inhibit physical access to OT (and IT) environments are just as important to cybersecurity as the use of the aforementioned technology controls.
Resources:
- Industrial security firm, Waterfall Security, provides an interesting perspective on unit segmentation
- For a complete guide on Zero Trust Architecture, access NIST’s Special Publication (SP) 800-207
- The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Department of Energy (DOE), and the UK's National Cyber Security Centre (NCSC) “Cybersecurity Best Practices for Industrial Control Systems” infographic provides some tips on physically securing critical control system assets.
Saunter with us next week with a review on vulnerability management and a special topic on engineering independent safety systems. Members can track ongoing posts through the WaterISAC portal by searching ‘15CFAM’ in the Resource Center.
