Safeguarding Water Systems: How Microsegmentation Protects Critical Infrastructure

How Microsegmentation Protects Waste Water and Water Systems 

The water and wastewater utility sector forms a critical pillar of infrastructure, providing essential services to citizens every day. As these systems become increasingly digitized and connected, the need for robust cybersecurity measures has never been more pressing. Among the most effective tools in the modern security arsenal is microsegmentation - a powerful technique for protecting users, workloads, and devices across networks and critical assets.

Let's explore how microsegmentation is revolutionizing security for water utilities and delivering tangible value to IT teams, IoT/OT engineers, and security leaders.

The Evolving Threat Landscape

Water and wastewater utilities have become prime targets for cyberattacks in recent years. The incidents we've witnessed are not just cautionary tales; they're stark reminders of the very real and present danger facing our critical infrastructure. Consider these notable events:

In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim’s SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS)

In 2022, Iranian hackers targeted multiple rural water utilities across the U.S. This coordinated campaign demonstrated the global nature of the threat, with state-sponsored actors actively probing for vulnerabilities in our infrastructure. It highlighted the need for even smaller utilities to implement enterprise-grade security measures.

Update September 2024: Arkansas City, a small city in Kansas, says its water treatment facility was forced to switch to manual operations while a cybersecurity incident is being resolved. In response, CISA said it continues to “respond to active exploitation of internet-accessible operational technology (OT) and industrial control systems (ICS) devices, including those in the Water and Wastewater Systems (WWS) Sector.” 

These attacks don't materialize out of thin air. They typically leverage common tactics that security teams must be prepared to counter:

Initial Access: Phishing emails and exploiting public-facing applications are common entry points. Utilities must implement robust email filtering, conduct regular phishing awareness training, and ensure all public-facing systems are properly secured and regularly patched.

Execution: Once inside, attackers often use PowerShell or command-line interfaces to run malicious code. Implementing application allow/block lists and restricting PowerShell usage can significantly mitigate this risk.

Persistence: Creating scheduled tasks or modifying startup scripts allows attackers to maintain their foothold. Regular system audits and change monitoring can help detect these unauthorized modifications.

Lateral Movement: Exploiting remote services and valid accounts enables attackers to spread through the network. Implementing strong access controls, multi-factor authentication, and microsegmentation can limit an attacker's ability to move freely east-west across networks.

Understanding these tactics is the first step in building a robust defense. But as the threat landscape evolves, so too must our approach to security.

Regulatory Response and Industry Standards

The frequency and sophistication of these threats have prompted swift action from government and industry bodies. Key cybersecurity mandates and guidelines for the water sector now include:

Safe Drinking Water Act Section 1433: This legislation requires vulnerability assessments and emergency response plans. Water utilities must conduct comprehensive evaluations of their systems, identifying potential weaknesses and developing strategies to address them. It's not enough to simply have these plans on paper; they must be regularly updated, tested, and integrated into daily operations.

America's Water Infrastructure Act: This act mandates risk assessments and resilience strategies. Utilities must take a proactive approach to identifying and mitigating risks, not just to their digital systems, but to their entire operational infrastructure. This includes considering physical security, natural disasters, and other potential disruptions alongside cybersecurity threats.

IEC 62443: This international standard provides a framework for industrial control system security. It offers a comprehensive approach to securing industrial automation and control systems, covering everything from system design to ongoing maintenance. Utilities should use this standard as a roadmap for developing and implementing their cybersecurity programs.

These regulations emphasize several key areas that water utilities must address:

Comprehensive risk assessments: Regular, thorough evaluations of potential vulnerabilities are crucial. These assessments should cover both digital and physical assets, considering interdependencies and potential cascading effects of security breaches.

Network segmentation and access control: Implementing microsegmentation is no longer optional. Utilities must carefully control access to different parts of their network, ensuring that critical systems are isolated and protected.

Continuous monitoring and incident response: It's not enough to simply set up security measures and hope for the best. Continuous monitoring for potential threats, coupled with well-rehearsed incident response plans, is essential for quickly detecting and mitigating security incidents.

Employee training and awareness: Human error remains one of the biggest security vulnerabilities. Regular, engaging cybersecurity training for all employees is crucial for creating a culture of security awareness.

Meeting these requirements demands a coordinated effort across multiple teams and stakeholders. Let's explore the roles and responsibilities involved in this collaborative approach.

Roles and Responsibilities in Water Utility Cybersecurity

Effective cybersecurity for water utilities requires collaboration between various teams, each bringing their unique expertise and perspective to the table:

IT Teams play a crucial role in managing enterprise networks and systems. They're responsible for implementing security controls and monitoring tools that form the first line of defense against cyber threats. Regular vulnerability assessments and patch management fall under their purview, ensuring that known vulnerabilities are addressed promptly. IT teams should work closely with OT teams to ensure that security measures are compatible with operational requirements.

IoT/OT/Process Engineers oversee industrial control systems and SCADA networks, the beating heart of water utility operations. Their primary focus is ensuring operational continuity and safety, which sometimes can conflict with stringent security measures. The challenge lies in balancing security with process efficiency. IoT/OT engineers should be involved in all security discussions, helping to design solutions that protect critical systems without compromising operational reliability.

Security Leaders, such as CISOs, are responsible for developing the overarching cybersecurity strategy. They ensure regulatory compliance, coordinate incident response efforts, and manage overall risk. CISOs must have a deep understanding of both IT and IoT/OT environments, serving as a bridge between these often-siloed domains. They should regularly brief executive leadership on the organization's security posture and emerging threats.

Executive Leadership plays a vital role in allocating resources and budget for security initiatives. They're responsible for driving an organizational culture of security awareness and communicating with stakeholders and regulators. Executives should view cybersecurity not as a cost center but as a critical investment in the utility's resilience and reliability.

This collaborative approach marks a significant shift from traditional security models, which often treated IT and IoT/OT as separate domains. Today's threats require a unified, holistic approach to security.

The Evolution of Water Utility Security

Historically, water and wastewater systems relied heavily on outdated security models that are no longer sufficient in today's interconnected world:

Air-gapped networks: Physical separation between IT and IoT/OT systems was once considered the gold standard of security. While effective in theory, true air gaps are increasingly rare and difficult to maintain in practice. Modern utilities require some level of connectivity for efficient operations and monitoring.

Perimeter-based security: Firewalls and VPNs were the primary tools for controlling access. While still important, perimeter security alone is no longer enough. Today's networks are too complex and dynamic for a simple "castle and moat" approach.

Manual processes: Limited automation, ACLs, and remote access were seen as security features. However, this approach also limited operational visibility and efficiency, making it harder to detect and respond to anomalies quickly.

While these methods provided a degree of protection, they also created significant operational challenges:

Limited operational visibility and efficiency: Lack of real-time data and remote access capabilities made it difficult to optimize operations and respond quickly to issues.

Hindered adoption of beneficial technologies: The rigid security model made it challenging to integrate new technologies that could improve service delivery and efficiency.

Created potential single points of failure: Over-reliance on perimeter security meant that if the outer defenses were breached, attackers could potentially access everything.

As threats have evolved and digital transformation accelerates, a more robust and flexible approach is needed. Enter the era of modern security techniques.

Modern Security Techniques for Water Utilities

Today's water utilities are embracing advanced security concepts that provide more granular control and better visibility:

Zero Trust Architecture is a security model that operates on the principle of "never trust, always verify." This approach requires verifying every access attempt, regardless of its source, implementing least-privilege access controls, and continuously monitoring and validating user behavior.

To implement Zero Trust, utilities should start by mapping out all their assets and data flows. Next, implement strong authentication measures, such as multi-factor authentication, for all users and devices. Finally, use micro-segmentation to create granular security perimeters around sensitive assets.

The benefits of Zero Trust are significant:

• It reduces the attack surface by limiting lateral movement within the network.
• It improves visibility into users, workloads, IoT and OT devices, network activity, making it easier to detect anomalies.
• It enhances the ability to detect and respond to threats quickly.

Least-privilege access is a core principle of Zero Trust, where users are granted only the minimum permissions necessary to perform their job functions. This approach involves regularly reviewing and adjusting access rights and implementing time-based or context-aware access controls.

The benefits of least-privilege access include:

• Minimizing potential damage from compromised accounts
• Simplifying compliance with regulatory requirements
• Improving overall security posture by reducing unnecessary exposure

Microsegmentation is a security technique that involves dividing users, workloads and devices across networks into small, isolated segments. It allows for the application of granular security policies to each segment and controls traffic between segments based on defined rules.

Implementing microsegmentation starts with a detailed mapping of your users, workloads, devices, and network and data flows. In 2024 much of this work can be automated using modern platforms that integrate across your stack. Next, define security policies for each segment based on the sensitivity of the assets it contains. Select a modern microsegmentation platform that is identity-centric and deeply integrated with your network usage metadata, IoT/OT device databases, and EDR risk reporting to enforce these policies dynamically. Finally, implement continuous monitoring to ensure the effectiveness of your segmentation strategy.

The benefits of microsegmentation are numerous:

• It contains breaches and limits lateral movement within the network
• It enables precise policies and controls over critical assets
• It facilitates compliance with segmentation requirements in regulations like AWIA

Implementing these techniques requires a holistic approach encompassing people, processes, and technology:

People are the foundation of any security strategy. Comprehensive security awareness training is essential, ensuring that all employees understand their role in maintaining security. Clear communication of policies and procedures helps everyone understand what's expected of them. Fostering a culture of security consciousness encourages employees to be proactive in identifying and reporting potential security issues.

Processes form the backbone of a robust security program. Regular risk assessments and vulnerability scans help identify potential weaknesses before they can be exploited. Incident response planning, including tabletop exercises, ensures that teams are prepared to react quickly and effectively to security incidents. A commitment to continuous improvement (for example, closing security gaps and gaining visibility for unmanaged devices) and learning from past incidents helps the security program evolve and improve over time.

Technology provides the tools to implement and enforce security policies. Next-generation firewalls and intrusion detection systems offer advanced threat protection. Security information and event management (SIEM) platforms provide real-time analysis of security alerts. Identity and access management solutions ensure that only authorized users can access sensitive systems and data.

At the heart of this modern security strategy lies microsegmentation - a powerful tool for protecting critical water infrastructure. Let's delve deeper into how microsegmentation can benefit water utilities.

The Power of Microsegmentation for Water Utilities

Microsegmentation offers numerous advantages for water and wastewater utilities:

1. Enhanced Protection for Critical Assets: Microsegmentation allows utilities to isolate SCADA systems, PLCs, and other vital components from the rest of the network. By applying tailored security policies to each asset or group, utilities can ensure that even if one part of the network is compromised, critical operations remain protected. These granular controls and dynamic security policies minimize the potential impact of a breach on essential water treatment and distribution processes.
2. Improved Regulatory Compliance: With microsegmentation, utilities can more easily meet the segmentation requirements of cybersecurity regulations like America's Water Infrastructure Act and IEC 62443. The ability to demonstrate granular control over network access simplifies audits and reporting processes. This not only helps avoid potential fines but also builds trust with regulators and the public.
3. Greater Operational Visibility: Most modern microsegmentation platforms provide detailed insights into network traffic patterns, making it easier to automate responses or to identify anomalous behavior quickly. This improved visibility facilitates troubleshooting and performance optimization, allowing utilities to maintain high levels of service reliability while enhancing security.
4. Flexible and Scalable Security: As water utilities increasingly adopt new technologies and hybrid IT/OT environments, microsegmentation offers the flexibility to adapt security policies accordingly. It can easily accommodate growth and evolving operational needs, ensuring that security measures don't become a bottleneck for innovation and improvement.
5. Simplified Policy Management: Centralized security policy creation and network-based enforcement make it easier to maintain consistent security across the entire utility network. Automated policy updates based on predefined rules reduce the risk of manual configuration errors and inconsistencies. This not only improves security but also frees up IT and OT staff to focus on more strategic initiatives.

By implementing microsegmentation, water utilities can significantly enhance their security posture while maintaining operational efficiency. But the journey doesn't end here. As threats continue to evolve, so too must our approaches to cybersecurity.

The Future of Water Utility Cybersecurity

Looking ahead, we can expect to see several emerging trends shape the future of water utility cybersecurity:

1. Increased AI and Machine Learning Integration: Artificial intelligence and machine learning will play an increasingly important role in cybersecurity. These technologies can enable automated threat detection and response, significantly reducing the time it takes to identify and mitigate potential security incidents. Predictive analytics will enhance risk assessment capabilities, allowing utilities to proactively address potential vulnerabilities before they can be exploited. AI-driven systems will also be able to provide intelligent policy recommendations, helping security teams optimize their defenses continuously.
2. Enhanced OT-Specific Security Solutions: As the unique security needs of operational technology become more widely recognized, we'll see a proliferation of purpose-built tools for industrial control systems. These solutions will offer deeper integration between IT and OT security platforms, like Claroty and Armis, providing a more holistic view of the entire utility network. Improved asset discovery and classification capabilities will ensure that security teams always have an up-to-date inventory of all devices and systems on their network.
3. Greater Focus on Supply Chain Security: The interconnected nature of modern utility operations means that supply chain security will become an increasingly important focus. We can expect to see more sophisticated vendor risk assessment and management tools, helping utilities ensure that their partners and suppliers meet stringent security standards. There will also be a greater emphasis on secure software development practices throughout the supply chain, reducing the risk of vulnerabilities being introduced through third-party components.
4. Adoption of Quantum-Safe Cryptography: As quantum computing technology advances, utilities will need to prepare for the post-quantum computing era. This will involve implementing quantum-resistant algorithms to protect sensitive data and communications. Long-term data protection strategies will need to be revisited to ensure that information remains secure even in the face of future quantum computing capabilities.
5. Expansion of Security Automation: Automation will become increasingly central to effective cybersecurity strategies. We'll see more sophisticated orchestration of incident response workflows, allowing for faster and more consistent reactions to security events. Automated security policy enforcement and updates will help ensure that security measures keep pace with evolving threats. Continuous compliance monitoring and reporting will become the norm, simplifying regulatory adherence.

By staying ahead of these trends and continuing to invest in advanced security measures like microsegmentation, water utilities can build resilient, future-proof cybersecurity programs.

Is a Microsegmentation project worth considering for you and your teams?

The water utility sector must remain vigilant and proactive in its approach to cybersecurity. By embracing advanced techniques like microsegmentation, utilities can ensure the continued safety and reliability of our water systems for generations to come.

As Forrester Research recently stated in the Forrester Wave™: Microsegmentation Solutions, Q3 2024 “We're Living In The Golden Age Of Microsegmentation” stands out as a crucial strategy for preventing lateral movement and minimizing the impact of east-west attacks.

The path forward requires ongoing commitment, investment, and collaboration across all levels of the organization. It demands a cultural shift that places security at the heart of every decision and process. But with the right strategies, tools, and mindset, our water utilities can stay one step ahead of emerging threats, safeguarding this most precious resource for all.

When you are ready to enhance your cybersecurity with state-of-the-art microsegmentation, schedule a call or demo with Elisity and learn how our solutions enable water and waste water utilities and their critical infrastructure leaders to ensure compliance and maintain operational excellence in the face of evolving cyber threats.