Our series on cybersecurity for critical water infrastructure now focuses on how to ensure ongoing operation based on vendor agreements, procedures, and workflows. While details like contract negotiation and employee policies might not seem like a strong line of defense, they can make a big difference in whether a utility will remain up and running in a crisis.
Service Level Agreements
Although process control systems should be designed to run independently when necessary, the day-to-day operation of a water utility typically involves quite a bit of third party infrastructure. As with the majority of organizations today, public utilities rely on a range of providers for telecommunications, internet connectivity, power, network capacity, data storage, and other resources. The contracts that govern factors such as availability (uptime), bandwidth, and technical support are referred to as Service Level Agreements (SLAs).
Selecting an appropriate level of support is important for a utility. For critical infrastructure, guaranteed uptime and a fast response time in the event of disruption may be two areas of particular concern. As the AWWA points out, the bandwidth required to run PCS equipment is often not high. But it must meet minimum requirements. SLAs should be negotiated with each contracted vendor based on how emergencies might impact process control systems and related infrastructure. Agreements with third party integrators and companies tasked with servicing the PCS equipment itself should also be reviewed to ensure that the utility is appropriately prioritized as a preferred customer when it comes to response times. Limiting the total number of external vendors involved may help simplify this process.
OPSEC, the formidable acronym for Operations Security, can cover almost any area of procedures and workflows in an organization. Limiting access to information is one important aspect of cybersecurity. For example, a utility might have a social media policy that prohibits workers from posting information about internal procedures online. Such policies should be in writing and the accompanying training might give examples of the types of postings that might seem innocent to employees but that could reveal potential vulnerabilities to hacker or parties interested in doing harm. Cybersecurity training should alert employees to suspicious behaviors—such as people fishing for information about security protocols or other protected information (social engineering).
Within the organization, OPSEC should also cover isolation of PCS functions from other business functions. This includes ensuring that the equipment’s interfaces are blocked from accessing the internet, email, and other remote systems—up to and including removable media. IT staff and other involved personnel should receive ongoing training in cybersecurity for PCS and water utilities in general to ensure best practices are kept up to date. As with all areas of security, change is inevitable.
In next month’s post, we’ll wrap up this series with a look at education and personnel security, since a water utility’s security is only as good as its employees.