Case Study

Cybersecurity Gap Analysis and High-Level Risk Assessment

A water plant approached exida to conduct a cybersecurity gap analysis and high-level risk assessment in order to comply with the AWIA cybersecurity requirements.


Customer:

Water Plant

Challenge:

America's Water Infrastructure Act (AWIA) of 2018 requires community water systems serving 3,300 or more people to conduct a risk and resilience assessment and to develop an emergency response plan, both of which must be updated every five years. Failure to conduct a gap analysis and risk assessment leaves the plant at high risk of attacks on critical systems, direct losses, damages or penalties from exposed data, weakened confidence in the organization, and reduced availability of systems or data. The water plant asked us to deliver a combined gap and High-Level Risk Assessment (HLRA) report, prioritized recommendations, and a roadmap for implementing the solutions. Our team spent two days on site working through a detailed process together with the water plant's personnel.

Solution:

Our team brings control system expertise, practical implementation experience, advisory services, and the exSILentia CyberPHAx tool. We took up the project with the aim of going beyond the AWIA requirements while benchmarking against global best practices, and set out to give the water plant a tailored output that focuses improvement efforts on the higher-risk, bigger-payback activities.

Results:

A cybersecurity gap analysis revealed the plant's risks and weaknesses. exida developed a plan to prevent attacks and direct losses.


Challenges

Water systems are at risk from many types of cybersecurity attack, such as ransomware, phishing, and compromise of remote access. Ransomware is an attack in which hackers encrypt plant data and then demand a ransom in exchange for the key that unlocks it. Phishing, in which attackers con an organization's staff with convincing emails, is one of the most common attack methods; although phishing is extremely common, many organizations are not adequately prepared to prevent it. Lastly, Supervisory Control and Data Acquisition (SCADA) systems for water applications commonly rely on remote access because assets are often widely separated physically. This offers another pathway to attackers: if personnel can legitimately gain remote access, there is also the potential for hackers to gain illegitimate remote access. To ensure the plant is secure, each type of incident needs to be considered.

Process

The first step was to conduct a NIST Compliance Risk Management Assessment; this involved a review of system vulnerabilities and on-site interviews. We interviewed the employees with access to the system, which included the IT coordinator, the water operations manager, the system operator, and the SCADA network engineer. The IT coordinator provided an overview of the SCADA network's security implementation, including internal and external access, past threats, and any prior incidents. The water operations manager helped us review the AWIA cybersecurity requirements.

The AWIA risk assessment requires the following considerations:

  • The risk to the system from malevolent acts and natural hazards
  • Monitoring practices of the system
  • The resilience of constructed conveyances and pipes, source water, physical barriers, water intake and collection, treatment, pretreatment, storage and distribution facilities, and the computer, electronic, and other automated systems utilized by the system
  • The general financial infrastructure of the system
  • The operation and maintenance of the system
  • The use, storage, or handling of various chemicals by the system

We further conducted an evaluation of the capital and operational needs based on the risk and resilience management for the system in accordance with AWIA requirements, considering the possibility of outsider and insider incidents. 

After reviewing and validating the results of the AWIA risk and resilience study, we reviewed the plant's general policies and procedures to identify any inconsistencies with industry best practice such as the NIST Cybersecurity Framework and the IEC 62443 standard. We analyzed roles, scope, responsibilities, coordination among internal stakeholders, management commitment, and the organization's compliance to ensure consistency and adherence to directives, the executive order, standards, policies, and guidelines.

At this point we reviewed the remote access points to identify threat prevention, detection, mitigation, and compensating controls. The following controls were considered:

  • Authentication controls
  • Administration controls
  • User provision controls
  • Organization risk management controls
  • Infrastructure data protection controls
  • Continuity of operations controls
  • Environmental security and data center physical controls

After analyzing the above controls, the assessment determined that implementing multi-factor authentication was a critical step for securing remote access. 

The final step was to prepare and manage the assessment documentation, which serves as evidence of ongoing analysis, monitoring, investigation, and reporting of unauthorized, unlawful, or inappropriate information system activities. The controls under assessment documentation include alerting when the assessment process fails and correlating assessment reviews to detect suspicious activities.
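The monitoring and correlation described above can be illustrated with a small log review. The following script is an added example, not exida's tooling or the plant's, and it assumes a simple key=value remote-access log format and a few constructed events. It correlates successful logins with the authentication controls discussed earlier (MFA on remote access) and with staffed hours, and flags a burst of failures followed by a success from the same source, which is the kind of pattern an assessment review would want surfaced as an alert:

```python
"""Correlate constructed remote-access authentication events and raise
the alerts a reviewer would want: sessions opened without MFA, logins
outside staffed hours, and a burst of failures followed by a success
from the same user and source. The log format is assumed, not a
vendor's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the assumed key=value format.
SAMPLE_LOG = """\
2024-03-04T08:02:11 user=ops_manager src=203.0.113.7 result=success mfa=yes
2024-03-04T08:15:40 user=scada_eng src=203.0.113.9 result=success mfa=no
2024-03-04T23:41:05 user=it_coord src=198.51.100.23 result=success mfa=yes
2024-03-05T01:10:02 user=operator src=198.51.100.40 result=failure mfa=no
2024-03-05T01:10:09 user=operator src=198.51.100.40 result=failure mfa=no
2024-03-05T01:10:15 user=operator src=198.51.100.40 result=failure mfa=no
2024-03-05T01:10:21 user=operator src=198.51.100.40 result=success mfa=no
"""

STAFFED_HOURS = range(6, 19)   # assumed: 06:00-18:59 local time
FAILURE_THRESHOLD = 3          # assumed: failures within the window
FAILURE_WINDOW = timedelta(minutes=5)


def parse_event(line):
    """Turn one log line into a dict; the timestamp is parsed, the rest stay strings."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def parse_log(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def find_alerts(events):
    """Return (alert_type, user, src, timestamp) tuples in time order."""
    alerts = []
    recent_failures = defaultdict(list)  # (user, src) -> failure timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] == "failure":
            recent_failures[key].append(ev["ts"])
            continue
        # From here on the event is a successful login.
        if ev.get("mfa") != "yes":
            alerts.append(("login_without_mfa", ev["user"], ev["src"], ev["ts"]))
        if ev["ts"].hour not in STAFFED_HOURS:
            alerts.append(("login_outside_staffed_hours", ev["user"], ev["src"], ev["ts"]))
        window_start = ev["ts"] - FAILURE_WINDOW
        failures = [t for t in recent_failures[key] if t >= window_start]
        if len(failures) >= FAILURE_THRESHOLD:
            alerts.append(("success_after_failure_burst", ev["user"], ev["src"], ev["ts"]))
        recent_failures[key].clear()  # a success closes the failure window
    return alerts


def alert_types(text):
    """Alert type names for a log text, in order (handy for reporting)."""
    return [a[0] for a in find_alerts(parse_log(text))]


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this produces five alerts: the SCADA engineer's session without MFA, the IT coordinator's late-night login, and three alerts for the operator's 01:10 session (no MFA, outside staffed hours, and preceded by three failures). The thresholds and staffed hours are the assumed parts; a real deployment would take them from the plant's own policy.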

High-Level Risk Assessment

We started the assessment by characterizing the system to determine viable threats: we identified the kind of data used by the plant, the external and internal interfaces, the types of systems, and the data flow. We then identified potential threats, such as unauthorized access by any party and malware infection, assuming a likelihood of one for each, as recommended by the HLRA approach in the IEC 62443-3-2 standard. Next, we analyzed all equipment connected to the SCADA network to determine the impact of losing authorized access, of unapproved use of data, and of changes made without approval. The third step was determining the consequence severity, considering the potential impacts on public health and safety, any environmental non-compliances, and the financial aspects of an incident:

  • Health and safety risks: to water consumers, workers, people on site, those living near the water plant, and contractors; use of substances and materials; ill-health and sickness at the workplace; rehabilitation; and surveillance
  • Environmental risks: emissions from water processing, disposal of products within the water plant, taxation, and penalties
  • Financial risks: equipment damage, lost production, insurance and litigation, short-term and long-term planning
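The three-step approach above (characterize, assume a likelihood of one per threat, rate consequence severity across the health and safety, environmental and financial categories) can be carried through as a small worked example. The script below is added here and is not exida's CyberPHAx tool or the plant's assessment; the 1-4 severity scale, the tolerable-risk threshold, and the zones and ratings are all constructed for illustration. Because likelihood is fixed at one, a zone's unmitigated risk reduces to its worst-case consequence, which is what the ranking uses:

```python
"""Worked high-level risk assessment in the style described above:
likelihood is assumed to be one for every threat, so the unmitigated
risk of a zone equals its worst-case consequence severity across the
health/safety, environmental and financial categories. Scale, zones,
ratings and threshold are constructed, not taken from any standard."""
from dataclasses import dataclass

# Assumed 1-4 severity scale per category (1 = negligible, 4 = severe).
SEVERITY_LABELS = {1: "negligible", 2: "minor", 3: "serious", 4: "severe"}
CATEGORIES = ("health_safety", "environmental", "financial")

# Threats considered at this level; the HLRA assumes each will occur.
THREATS = ("unauthorized_access", "malware_infection")
LIKELIHOOD = 1

# Assumed tolerable risk: zones scoring above it need a detailed assessment.
TOLERABLE_RISK = 2


@dataclass
class Zone:
    name: str
    assets: list
    consequence: dict  # category -> severity if assets are misused or lost

    def worst_case(self):
        """Worst consequence across all categories; the HLRA uses the worst case."""
        return max(self.consequence[c] for c in CATEGORIES)

    def risk(self):
        """Risk = likelihood x consequence; likelihood is 1 at the HLRA stage."""
        return LIKELIHOOD * self.worst_case()


def validate(zone):
    """Reject a missing category or a rating outside the assumed scale."""
    for c in CATEGORIES:
        if c not in zone.consequence:
            raise ValueError(f"{zone.name}: missing category {c}")
        if zone.consequence[c] not in SEVERITY_LABELS:
            raise ValueError(f"{zone.name}: rating {zone.consequence[c]} for {c} is off the 1-4 scale")


def rank_zones(zones):
    """Sort zones by unmitigated risk, highest first, then by name for stability."""
    for z in zones:
        validate(z)
    return sorted(zones, key=lambda z: (-z.risk(), z.name))


def risk_register(zones):
    """One row per zone and threat: (zone, threat, likelihood, consequence, risk)."""
    rows = []
    for z in rank_zones(zones):
        for t in THREATS:
            rows.append((z.name, t, LIKELIHOOD, z.worst_case(), z.risk()))
    return rows


def zones_needing_detailed_assessment(zones):
    """Names of zones whose unmitigated risk exceeds the tolerable level."""
    return [z.name for z in rank_zones(zones) if z.risk() > TOLERABLE_RISK]


# Constructed zones for a small water system.
ZONES = [
    Zone("chemical_dosing", ["chlorine dosing PLC", "local HMI"],
         {"health_safety": 4, "environmental": 3, "financial": 2}),
    Zone("remote_pump_stations", ["pump PLCs", "cellular gateway"],
         {"health_safety": 2, "environmental": 2, "financial": 3}),
    Zone("historian_reporting", ["historian server", "reporting workstation"],
         {"health_safety": 1, "environmental": 1, "financial": 2}),
]

if __name__ == "__main__":
    for z in rank_zones(ZONES):
        print(f"{z.name}: risk {z.risk()} ({SEVERITY_LABELS[z.worst_case()]})")
    print("detailed assessment needed:", zones_needing_detailed_assessment(ZONES))
```

With the constructed ratings, the chemical dosing zone ranks first on its health and safety consequence, the remote pump stations second on financial consequence, and only the historian zone falls within the assumed tolerable level. Taking the worst case across categories is the design choice to notice: a zone with a severe public-health consequence is prioritized even when its financial rating is modest.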

Figure – exSILentia CyberPHAx Analysis

The risk assessment was conducted after the cyber gap analysis to determine which areas of the facility carried the highest risk and to prioritize the recommendations for correcting non-compliances.

Training the staff

An important part of improving cybersecurity is conducting cybersecurity awareness training. A number of activities were carried out as part of the gap assessment to inform plant personnel of the potential impacts of cybersecurity incidents on the water system. The policy review included an analysis of current training and onboarding requirements regarding cybersecurity. Recommendations were made to ensure staff are aware of malicious emails and wary of unsolicited ones, especially those asking for a prompt response.

For companies without a current cybersecurity training program, we offer a one-day overview course that emphasizes the critical elements for personnel with access to control systems and a detailed two-day course that provides an overview of the cybersecurity lifecycle process and helps to ensure that adequate security protections are implemented.

Results

After the cyber gap analysis and high-level risk assessment, the following results were achieved:

  • We helped the water plant develop and maintain an accurate inventory of control system devices and eliminated exposures of equipment to external networks.
  • We delivered a combined gap analysis and high-level risk assessment report.
  • We issued prioritized recommendations.
  • We provided a roadmap for implementing the recommendations.
  • We provided recommendations on network segmentation and the application of firewalls.
  • We provided recommendations on secure remote access methods, including multi-factor authentication.
  • We recommended measures for detecting compromises and provided input for the emergency response plan (in accordance with AWIA requirements).

The following controls were also reviewed as part of the assessment: authentication controls, administration controls, user provision controls, organization risk management controls, infrastructure data protection controls, continuity of operations controls, environmental security, and data center physical controls.

The response plan is a critical part of any cybersecurity program and should include resources and strategies aimed at improving the resilience of the system, including both its physical security and its cybersecurity. For water systems, the AWIA requirements mandate procedures and plans for responding to a natural hazard or malevolent act that threatens safe drinking water. Practical recommendations were made to support development of the plan's detailed actions and equipment for minimizing the impact of a malevolent act or natural hazard, such as relocating intakes, alternative water sources, and flood protection barriers, together with strategies for detecting natural hazards or malevolent acts that threaten the system.

Future projects

In the future, our team will continue to work together with water plants to:

  • Conduct Cybersecurity Gap Assessments
  • Conduct Noninvasive Vulnerability Scans
  • Conduct Cybersecurity Risk Assessments (based on AWIA requirements)
  • Develop Emergency/Cybersecurity Incident Response Plans (based on AWIA requirements)
  • Improve the Security of Water Systems