View by Author

Most Recent Articles

Securing water facilities top down view

IEC 62443 For Securing Water Utilities

By Published On: 28 October 2021Categories: Critical Infrastructure, Security

Water utilities have been experiencing an increasing string of high-profile cyber attacks. This article discusses how adopting the IEC 62443 standard can help guide cyber security for critical operational systems in the water industry.

Share This Article:

Since 2019 the water utility sector has been experiencing an increasing string of high-profile cyber attacks. Superficially it appears threat actors are noticing that the water sector’s collective cyber security maturity is lower than other highly targeted critical infrastructure sectors such as Energy, Oil & Gas, and Aerospace.

Despite the actors in these events using commonly known and preventable tactics, techniques and procedures (TTPs), the heightened vulnerability of the sector has allowed for significant compromises.

The TTPs that featured heavily according to the U.S Cybersecurity and Infrastructure Security Agency (CISA) were:

  • Spear phishing and ransomware
  • Lack of cyber security awareness
  • Exploitation of remote access capabilities, and
  • Integration of IT with OT systems.

This article focuses on suitable mitigation strategies for the final point, introducing a standards-based approach to risk assessment and countermeasure design.

Introducing IEC 62443

IEC 62443, formerly ISA 99, is an international series of standards developed by the International Society of Automation (ISA), part of the International Electrotechnical Commission (IEC). It defines the security concepts for Industrial Automation and Control Systems (IACS), which are commonly grouped together under the banner of Operational Technology (OT).

The OT security triad (AIC) is reversed to what is defined by corporate systems (CIA), namely:

  • (Safety)
  • Availability
  • Integrity
  • Confidentiality

The IEC standard seeks to enforce these security aspects by dividing the standard into four different sections that describe both technical and process-related aspects of industrial cyber security.

To illustrate the point let us investigate a subset of the standard, 62443-3-2, which assists in securing the integration of OT systems with IT systems. It seeks to achieve this by supporting control system networks segmented physically with zones, conduits and boundaries being defined. At the simplest level, this approach provides a method to target countermeasures on the ingress and egress routes into the target critical systems, and therefore the critical operational function.

Although the standard should not be utilised in a piecemeal manner, using this approach would provide a suitable method of improving the posture of the network integration points between lower-impact (ICT) and higher-impact (OT) networks. It also allows for a more tailored deployment of security solutions across the business and operational networks, each of which has distinct threats, risks, and requirements.

IEC 62443 for Water Utilities

The foundational reference architecture for IEC 62443 is commonly referred to as the Purdue Reference Model – derived from the Purdue Enterprise Reference Architecture (PERA) based on principles established by the Purdue Laboratory for Applied Industrial Control.

IEC 62443 takes on the work completed as part of the Purdue model for OT enterprise architectures, which defines separations within OT systems based on functions distinct from corporate technologies.

This diagram  illustrates a common IACS environment and shows the various levels where the functions reside

 

The diagram above illustrates a common IACS environment and shows the various levels where the functions reside.

Many single-site water utility operations, such as desalination, treatment and local government water distribution, can often be segregated in accordance to IEC 62443 guidelines with very few changes to the supporting telecommunications networks.

I have personally seen a number of water utilities that are designed to have a primary firewall intersecting all available networks. This type of network configuration can benefit from network separation and segmentation, providing the ability to monitor and control the ingress and egress routes from mission critical equipment, such as the Programmable Logic Controllers (PLCs), Pumps, Chlorinators, and other core parts of the water treatment and supply process.

Further to the attack seen in Florida in February of this year, something as simple as having remote access software, which is very common for OT environments, allowed for a malicious actor to adjust the levels of sodium hydroxide (NaOH) in the water to a dangerous concentration – from 100 parts per million to 11,100 parts per million! In low concentrations sodium hydroxide is used to control the acidity of the water, but at high levels the corrosive chemical is known to damage human tissue and presents an unacceptable risk to public health. Fortunately, the change in chemicals was detected and prevented by an astute plant operator, but isolating and limiting access to Human Machine Interfaces (HMIs) using a standards-based approach would have almost certainly ensured this kind of remote access was not available.

Adopting IEC 62443

Although not a trivial activity to adopt the IEC 62443 standard, Anchoram recommends it as a suitable baseline for the protection of mission critical IACS. Across critical infrastructure industries this standard aligns with industry best practice to ensure any OT systems are risk assessed with mitigations and countermeasures put in place, and that system resilience goals are considered.

As with any approach to improving your cyber security posture, there are a number of different methods and strategies to consider. Compared to other available frameworks and guidelines, IEC 62443 features a strong focus on operational impacts rather than high-level capabilities. This is beneficial for organisations wanting to take a risk-based approach to cyber security.

Although, if you are considering additional standards to guide your IT/OT convergence, IEC 62264 is a good place to start. But that is a conversation for another time.

For more information feel free to reach out to any of our team for a no-obligation chat about your cyber security challenges.

Water utilities have been experiencing an increasing string of high-profile cyber attacks. This article discusses how adopting the IEC 62443 standard can help guide cyber security for critical operational systems in the water industry.

By Published On: 28 October 2021Categories: Critical Infrastructure, Security

Share This Article:

Categories

Subscribe

Subscribe to our newsletter and get the latest news and information from Anchoram.

View by Author

Most Recent Articles

Author Profiles