Guest Column | March 28, 2014

Water Cybersecurity: Encrypt, Encrypt, Encrypt!


By Darian Slywka, Western Channel Manager for eWON


No cybersecurity program is 100 percent secure. To expand that thought, no electronic communication can be 100 percent secure. Any vendor that publicizes or offers such a guarantee should be immediately viewed with skepticism. However, as system owners and operators, it is your responsibility and that of your colleagues to reduce the attack vectors in your system to the point that continuing to look for vulnerabilities costs potential adversaries more resources than it is worth, so that they move on to an easier target elsewhere.

All too often, water system owners are still using legacy communication methods and devices to connect remote sites to central water plants, thus leaving an open pathway for remote exploitation. I have personally visited numerous public water systems within the Western United States that still do not encrypt any data or communications between sites. In fact, compromising a SCADA system is as easy as knowing the correct dial-up phone number to call.

When thinking about connecting and communication security, several action items should be addressed:

  1. Regardless of the method of remote site connection (satellite, modem, Ethernet, or Wi-Fi), all data needs to be encrypted. There is simply no excuse for using open communication channels. Competitively priced options exist that can facilitate immediate upgrades to secure, encrypted communications between sites. Stay away from the lowest-cost options and unproven technologies.
  2. Use a secure public-key encryption architecture (and device vendor) that has been peer reviewed and has a good track record of managing vulnerabilities, a history of operation, reliability, redundancy, transparency, and adherence to accepted industry standards.
  3. Stop using spreadsheets (or other easily compromised manual solutions) to manage credentials. I have frequently seen spreadsheets taped under the keyboard at water plants with an easily viewable list of passwords. A reliable, reputable communication and data system should be able to easily accommodate user and device management with strong password requirements and the ability to scale as system requirements change. Multifactor authentication, including additional authentication fields, key fobs, or one-time passwords (OTP) from hardware tokens such as YubiKeys, can be implemented for additional security.
  4. Partner with reputable vendors and providers of cybersecurity and encryption technology and devices. Cybersecurity is generally not a core business function for a water system. Regardless of the amount of effort, a water system will never be able to allocate enough time and financial or personnel resources to create an “in house” solution that exceeds what can be commercially purchased from a dedicated provider of industrial connectivity devices.

Every water system owner wants to deliver safe potable water reliably, while meeting the requirements of both state and federal regulators. Failure to encrypt communications can open an attack vector that compromises the ability of a system owner to provide safe, potable water. Upgrading to or enabling secure, encrypted communications between remote water sites and a central plant may prevent an unscheduled service disruption and further add to the integrity of the system. When in doubt, encrypt it out!

Additional Resources: AWWA Cyber security and Guidance Tool; National Institute of Standards and Technology (NIST) SP 800-82, Guide to Industrial Control Systems (ICS) Security

© 2014 Darian Slywka licensed under CC BY-ND 4.0.

About the author: Darian Slywka is the Western Channel Manager for eWON, a Belgium-based industrial remote connectivity company providing secure solutions to OEMs, integrators, and infrastructure projects. His background and education include environmental engineering, cybersecurity, and business development. He is licensed in water treatment and water distribution and holds numerous certifications in technology, networking, and more. Find him at http://darians.info