High-Tech Threats: Top Cybersecurity Issues Facing Water Utility Control Systems

Sponsored by

By Andrew Ginter

Recent Department of Homeland Security reports have highlighted poor security among the nation's water utilities, where operations networks and control systems are inadequately protected. The security situation in critical infrastructure is raising ratepayer concerns and prompting utilities to ask hard questions about which actions can truly improve their cybersecurity situations.

Photo courtesy of Waterfall Security Solutions
Photo courtesy of Waterfall Security Solutions

Are firewalls - the most common form of security in the market - capable of combatting modern threats? Would water system utilities be better protected if they completely isolated their control-system networks from public networks? Or is there a third option that would retain the efficiencies and cost savings that come from access to real-time operations information, while also protecting plants from cyber attacks? Technology that routinely protects industrial control networks in power plants and other critical infrastructures can help water utilities answer these questions.

Firewalls and Modern Security Threats

Firewalls are a staple of industrial cybersecurity programs, but they have many inherent flaws that water facilities must identify, consider and address. Firewalls are complex software systems because they are difficult to configure, and their configurations are difficult to understand and verify. The smallest error in these configurations can introduce vulnerabilities. Defects are frequently discovered in firewall software and in the complex operating systems underlying that software, some of which can be exploited as security vulnerabilities. In order to prevent exploitation of known defects and vulnerabilities, firewall vendors issue a steady stream of security updates, which must be applied promptly. Even worse, because the firewalls provide not only real-time data but also online access to mission-critical systems and networks, the firewalls fundamentally expose these environments to numerous types of attacks.

For example, phishing attacks send email through a firewall to persuade recipients to either reveal passwords or to download and run malware. Meanwhile, vulnerabilities as simple as hard-coded passwords and hard-coded encryption keys have been reported in industrial firewalls. In addition, cross-site scripting vulnerabilities in HTTP-based "VPN" proxy servers are difficult or impossible to fix because they are essential to the design of the firewall's features.

Waterfall Security Solutions.
Defects are frequently discovered in firewall software and in the complex operating systems underlying that software, some of which can be exploited as security vulnerabilities. Photo courtesy of Waterfall Security Solutions.

Even if connections through firewalls are initiated from the control network side, once the connections are established, they permit bi-directional data to flow through the firewalls. Any of those flows can be used to launch attacks back to systems on the protected network. This means that utilities cannot deliver any confidence that their operational assets are adequately protected by firewalls. The level of risk is unacceptably high, and water utilities must compensate for it.

Beyond Firewalls: Unidirectional Gateways for Better Cybersecurity

Firewalls are a difficult and costly technology to manage. To keep firewalled connections even somewhat secure, utilities must implement stringent processes, procedures, testing, reviews, audits, documentation, and other activities. Since continuous access to real-time data is essential to controlling costs and serving customers, water utilities should consider unidirectional gateways.

A unidirectional gateway is a combination of hardware and software that securely integrates operations data with business networks and systems. Gateway hardware enforces unidirectional data flows, while the gateway software replicates servers to provide a seamless replacement for firewalls. Users on corporate networks can access real-time data in the replica servers without any threat to, or impact on, the real operations servers. The gateway solution allows information to flow out of the operations network without allowing any attacks, messages or information to flow back into the network.

Unidirectional gateway hardware consists of two appliances: a TX appliance in the operations network and an RX appliance connected to the business network. The two stay connected by a fiber-optic cable but, because the TX gateway hardware contains a laser with no optical receiver and the RX gateway contains a receiver with no laser, the data can only move in one direction. Information can travel from the operations to the business network only, and no attacks from the business network or the Internet can threaten the operations network. Unlike with firewalls alone, a unidirectional gateway puts the burden for operations network security on hardware, not software. The hardware cannot send anything back to the operations network, protecting water plants from any and all attacks originating from the external network, including viruses, denial-of-service attacks, password guessers, and even the most sophisticated "advanced persistent threat" remote-control malware attacks.

Server Replication and the Benefits of Unidirectional Gateways

A common question water systems utilities raise when first considering replacing their firewalls with unidirectional gateways relates to communications protocols. Common protocols such as Modbus, ODBC and OPC are bi-directional, so how can a unidirectional hardware connection carry them? It can't. The gateway solution instead replicates industrial servers in real-time so there is an always-updated exported copy of those industrial servers available for business users.

Unidirectional gateway hardware
Unidirectional gateway hardware consists of two appliances: a TX appliance in the operations network and an RX appliance connected to the business network. Photo courtesy of Waterfall Security Solutions.

Look at the typical historian database as an example. Water utilities use these databases to store detailed, time-sequenced data gathered from a variety of systems in a central and uniformly-accessible repository. Using a unidirectional gateway, users can maintain the business historian as a true replica of the operations historian. The data is forwarded via the gateway solution to a replica historian on the business network. The result is a true, real-time replica on the business network of the operations historian. All the data is in the replica, as far back as history extends in the operations historian. All the real-time data is propagated to the replica immediately after it appears in the operations historian. On the business network, users and applications connect to the replica and use it as if it were the operations historian; business users don't notice any difference.

Many regulations and guidelines are including unidirectional security gateways as a perimeter protection alternative that is stronger than firewalls. At present, the water industry has no cybersecurity standards or guidance specific to the industry. Without specific guidance of their own, many water utilities are looking at the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards, which are designed to keep power utilities secure. Unidirectional gateways are deployed widely to protect power plants, and the most recent NERC CIP V5 standards provide strong incentives for power utilities to deploy unidirectional gateways.

Unidirectional gateways make operations systems and data available on the business network without introducing the security risks that accompany communications through firewalls. By solving the top perimeter cybersecurity issues facing water systems utilities, these hardware-software solutions save plants money and improve services.

About the Author: Andrew Ginter is the vice president of industrial security at Waterfall Security Solutions, a provider of Unidirectional Security Gateways for industrial control networks and critical infrastructures. Ginter has 25 years of experience leading the development of control system software products, control

Sponsored by


New USGS publications unveil historical hydraulic fracturing trends and data

The U.S. Geological Survey has announced that two new publications highlighting historical hydraulic fracturing trends and data from 1947 to 2010 are now available.

Contegra Construction to expand, renovate Illinois WTP in $7.9M project

Contegra Construction has been selected to renovate and expand the water treatment plant that serves the city of Roxana, Ill.

American Rivers reports 72 dam removals for 2014, sets goal to 75 for 2015

According to new information from American Rivers, communities in 19 states removed 72 dams in 2014, restoring more than 730 miles of streams for the benefit of fish, wildlife, and people. This year, the organization is setting a goal of 75 dam removals.

EPA awarding $1M in grants to help protect, restore vital U.S. wetlands

The Environmental Protection Agency has announced that it will soon award $1 million in grants to strengthen the capacity of states and tribes to protect and restore vital wetlands across the nation.