- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
TL;DR: There is an urgent need for stronger cybersecurity measures in water utilities, highlighted by a White House warning about potential cyberattacks. StrongDM is working with the National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE) on Cybersecurity for the Water and Wastewater Sector: A Practical Reference Design for Mitigating Cyber Risk in Water and Wastewater Systems. This effort provides a means to identify common scenarios among Water and Wastewaters Systems (WWS) sector participants, to develop reference cybersecurity architectures, and propose the utilization of existing commercially available products to mitigate and manage risk.*
The Importance of Water Security
Water is the most essential substance to the existence of everything on the planet. It is not an overstatement to suggest that any threat to our access to clean, usable water is probably our top priority as a species. With that in mind, cyber threats to our nation’s critical water infrastructure demand to be prioritized, and StrongDM is proud to contribute to fortifying the security of our nation’s water infrastructure.
Ars Technica highlighted a recent warning from the White House, which underscores the vulnerability of critical U.S. water systems to the potential of disabling cyberattacks. These threats compromise the security and reliability of water services and pose significant risks to public health and safety.
Strengthening Cybersecurity Frameworks
The National Cybersecurity Center of Excellence's (NCCOE) has started an initiative to bolster the cybersecurity framework for water and wastewater utilities, and within its efforts is a critical challenge: managing vendor access within operational technology (OT) environments. The NCCOE's project underscores the necessity for a more robust cybersecurity strategy, outlining scenarios that expose utilities to risks, including exploiting remote access vulnerabilities and misusing default credentials.
The initiative covers a wide range of vulnerability factors, all relevant to the involvement of vendor access. First, it addresses the vulnerabilities associated with remote access. Vendors frequently require remote entry points to OT systems for maintenance and updates. If not secured and managed, these access points could serve as gateways for bad actors, posing a significant threat to the integrity of the utility's infrastructure. Within its goals, the initiative underscores the risk posed by the misuse of default credentials in OT devices and systems. These default settings, if unchanged, can easily be exploited, offering attackers a foothold into a utility’s environment.
Part of the NCCOE's efforts is the importance of supply chain security. As integral components of the utility's supply chain, vendors can inadvertently introduce vulnerabilities if their access is not rigorously managed. This initiative advocates for stringent access controls and monitoring to mitigate such risks, ensuring that any vendor access is both necessary and securely managed.
Vendors, as are the utilities themselves, are bound by compliance with regulatory requirements. Water and wastewater utilities often operate under strict regulatory frameworks that mandate high levels of cybersecurity. Effective management of vendor interactions not only helps in adhering to these regulations but also in avoiding the potential legal and financial consequences of non-compliance.
The initiative recognizes the importance of incident response and forensic analysis capabilities. In the event of a security breach, having detailed logs and monitoring of vendor access can be invaluable in identifying how the breach occurred and implementing measures to prevent future incidents. This approach to vendor access management is crucial in building a resilient cybersecurity posture, ensuring the continuous and safe operation of these essential utilities. By tackling these challenges, the NCCOE's project aims to significantly reduce the risk of cyberattacks, thereby enhancing the security and reliability of critical water and wastewater services.
The Core Challenges in OT Cybersecurity
One of the pivotal concerns in OT cybersecurity is the management of vendor access. Vendors require remote access to administer systems, traditionally facilitated through VPNs and over-provisioned jump hosts. However, these mechanisms fall short in several ways:
- Inflexibility: Existing systems, bound by strict service level agreements (SLAs) and warranties, often cannot accommodate additional software, making the implementation of new security solutions challenging.
- Ad-hoc Access Management: The inability to seamlessly integrate new software solutions leads to ad-hoc access management practices, leaving vulnerabilities unchecked and exposing utilities to potential breaches.
- Lack of Centralized Access Control: The absence of centralized access management forces the use of individual user credentials, complicating the management process and increasing the risk of unauthorized access.
NCCOE's Vision for Enhanced Security
In response to these challenges, the NCCOE's scenario for remote access outlines the threat landscape, including the potential for credential harvesting and phishing campaigns that compromise network security. The expected cybersecurity outcomes for remote access focus on ensuring the configuration of security safeguards, elimination of shared and default accounts, multifactor authentication, and granular control over access based on responsibility levels.
Protecting Critical National Infrastructure
The work done by NCCOE will enhance the protection of our water utilities from cyber threats. By addressing the nuanced challenges of OT cybersecurity, particularly in the realm of vendor access management, this partnership is poised to set a new standard in infrastructure protection. As utilities move towards implementing these advanced security measures, the vision of a more secure and resilient water utility infrastructure becomes clearer, ensuring the safety and well-being of communities nationwide.
How StrongDM Can Help
The StrongDMⓇ Zero Trust Privileged Access Management can help organizations of all sizes – including water utilities – address critical cybersecurity challenges like those described above. Our technology is uniquely positioned to tackle the vendor access management problem by providing the following:
- Secure and Controlled Remote Access: By facilitating controlled access to OT assets from outside the OT environment, StrongDM ensures that only authenticated and authorized entities can access critical systems.
- Continuous, Actions-Based Risk Assessment: Moving beyond traditional models, StrongDM's approach to ZeroTrust Privileged Access Management (PAM) continuously assesses risk throughout the privileged session, not just at its initiation. This dynamic approach enhances security by adapting to emerging threats in real-time and uses context signals to make real-time assessments of every action that occurs with the users and resources that touch an enterprise’s environment.
- Centralized Policies, Distributed Enforcement: StrongDM's policy engine continuously assesses user activity against set policies, ensuring only actions that fully comply with established security protocols are permitted, thereby significantly enhancing protection against unauthorized access and potential security breaches.
- Centralized Log Management: StrongDM provides comprehensive visibility into network and session activity, facilitating the detection of intrusions or anomalous behavior.
- Support for Everything Old & New: StrongDM's proxy-based solution gives security and compliance teams the flexibility required to integrate with legacy systems and new computing infrastructure, ensuring comprehensive security and access management across the entire technology spectrum without requiring rewrites.
Want to see StrongDM in action? Book a demo.
Notes
*NIST does not evaluate commercial products under this consortium and does not endorse any product or service used. Additional information on this consortium can be found at https://www.nccoe.nist.gov/projects/securing-water-and-wastewater-utilities.
About NCCoE: The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity challenges. Through this collaboration, the NCCoE develops modular, adaptable example cybersecurity solutions demonstrating how to apply standards and best practices using commercially available technology. Information is available at: https://nccoe.nist.gov
About the Author
Shane Stephens, Director of Solutions Architecture, Shane is a seasoned cybersecurity professional with over 20 years of expertise. Shane has assisted numerous government and commercial customers on their Network Access Control journey, offering invaluable guidance and tailored solutions at ForeScout Technologies. He also led incident response and vulnerability management operations at the Defense Information Security Agency Command Center and contributed to data analytics at the National Security Agency. His engineering work at The Johns Hopkins Applied Physics Laboratory focused on developing secure platforms for the modern battlefield. Shane is dedicated to safeguarding the digital future.