EPA Cybersecurity Checklist for Water Utilities

Audio Transcript

So the 10-point EPA cybersecurity checklist is largely around uh these are the key things that they’ve called up uh the most important thing is to audit your IT systems and I identify vulnerabilities uh like utilities most ot and other networks many folks don’t know what connected infrastructure that they have that has been laid out in those networks largely because they have been there for the last 20 15 to 20 years or maybe earlier right so knowing what is on that network what those assets are what vulnerabilities what you know what vulnerabilities exist on that on those assets and how those vulnerabilities can be uh you know exploited is a key uh is the first step that the EPA prescribes the second one is to make sure this is an easier one uh all it systems that connect to that ot network have to be patched have to have the latest antivirus and anti-malware updates. EPA cybersecurity checklist all right uh always make sure i mean alerted if that is not the case right uh all patches are installed on i.t systems.

But do you know they don’t specifically call our to systems but that is a fundamental reason why they don’t do that is many times patches are incompatible so if you went to a higher patch this you know the process control systems that interact with that asset may not interact with them so they have not specifically stated ots but it’s for sure they won’t have wanted to be patched uh they have I mean this is a relatively new document so they do uh identify that remote access EPA cybersecurity checklist secure remote access is a critical need so the ability for you know your technicians your operators to connect into that ot facility or into that water plant facility and work or rectify issues as they see is critical but when they when that connectivity is made it should be as secure as possible right uh one of the key ways of doing that is segregating your control axis and you’re other it networks so when you’re talking control access is your ot network making sure that the EPA cybersecurity checklist is followed.

What does the EPA cybersecurity checklist mean for the IT Department?

I mean there is no easy way of hopping into from the i.t world into the ot world there has to be you know an identity an access management system or some kind of a gate that uh that is you know that is preventing anyone or anything from coming from the id world into the ot world okay uh constantly monitoring your network for suspicious activity right uh so this means uh looking at all the traffic that is typically many of the ot systems you may not be able to actually get uh antivirus or an anti-malware you know solutions on them are unlikely because they’re sometimes very small constraints being you know things like plcs or controllers uh they don’t necessarily run an operating system that is conducive to running or running an anti-virus or an anti-malware right so you may want to actually monitor these systems primarily on the network to see what is going in what is going on how are they behaving? The EPA cybersecurity checklist all right uh always make sure i mean alerted if that is not the case right uh all patches are installed on i.t systems but you know they don’t specifically call our to systems but that is a fundamental reason why they don’t do that is many times patches are incompatible so if you went to a higher patch this you know the process control systems that interact with that asset may not interact with them so they have not specifically stated OT but it’s for sure they won’t have wanted to be patched uh they have I mean this is a relatively new document so they do uh identify that remote access EPA cybersecurity checklist secure remote access is a critical need so the ability for you know your technicians your operators to connect into that ot facility into that water plant facility and work or rectify issues as they see is critical but when they when that connectivity is made it should be as secure as possible right uh one of the key ways of doing that is segregating your control axis and you’re other it networks so when you’re talking control access is your ot network making sure that the EPA cybersecurity checklist commands are they descending baselining that behavior and then looking for deviations against that behavior right uh to notice if there’s some uh uh especially to identify there’s some kind of you know attack or some kind of a malicious code being executed in that network application white listing um so this is this goes beyond segregation of network so today uh while the EPA says you segregate the network so that you have specific VLANs uh so uh the VLANs themselves could have systems could have multiple systems that are all talking to each EPA cybersecurity checklist other if you know any system is on a wheel and they today what we’re seeing is a large number of them I mean they can basically communicate to each other on any service that exists so application whitelisting goes to their degree of something like micro segmentation where you are actually specifying that there are only certain applications that can communicate with different assets within the network and going to that granularity and stating that these services at these times can only talk to these assets right uh physical security of all your it equipment and your equipment is a key consideration that they have put together largely because if you i mean there have been numerous studies around throwing USB sticks on i mean on the ground you throw 10 USB sticks six of them find their way to a laptop because EPA cybersecurity checklist the people who find it plug those USB sticks into the laptop to figure out what is in that stick and when they do that if there is a malicious piece of code uh that code goes in so not only having physical access you know restriction or physical access of people but also restricting physical access especially on ports on you know terminals on laptops that EPA cybersecurity checklist uh stop uh any of these type of uh malicious I mean any unknown id equipment to be connected uh to that terminal that then you know infects the whole network one of the key things that they say is segregating the business enterprise and process control systems having a clear demarcation to the fact that even if you have an active directory if you have you know common logins for different applications they are not necessarily shared for the same individual between the enterprise cybersecurity network and the process control systems this improves two things one is there is a deliberate need when there is a deliberate need to connect to a process control system the person has to you know enter new credentials to get in and the second thing is obviously it gives you the ability to audit and monitor anyone who’s coming into the network and you know using specific uh privileges that they have uh mobile network mobile phones have become pervasive almost everyone has mobile I mean almost all networks are today seeing some connection of you know either through wi-fi or Bluetooth you know mobile equipment this these mobile uh mobile system mobile net mobile phones and mobile equipment should be segregated from a network perspective they should have their own plane of action so not necessarily.


The EPA cybersecurity checklist intermingling with either the enterprise network or the process control systems and they are very very uh you know uh they have their own convert and if there is a need for them to interact with any of those uh especially the enterprise or the process control system they come through a gated interface uh developing content contingency and disaster recovery plan for critical i.t systems uh so identifying what are your crown jewels which are the systems that we can’t have down at any time having content contingency plans if they ever come down I mean this is obviously a reference all I mean this is also a call out to what we in the cyber security world say that it’s not whether you’ll get hacked it’s only when you will get hacked and when you do get hacked what is the disaster recovery plan having backups especially in terms of a ransomware attack uh the ability to transfer the quickly revert to that backup and you know to restore the systems are the very important uh standard of operating developing and exercising you know periodically standard operating procedures for manual operations even if your doesn’t work your disaster recovery plan doesn’t work you have the ability to manually override and monitor and you know still have the utility running they do recommend redundancies redundancies are easier said than done largely because especially in the process control system they’re very expensive many folks don’t even know what’s running on them because they’ve been there for so long uh creating another redundant the network is not necessarily the most feasible thing but it’s one of the recommendations that they have out there and constant cyber security training for utility staff and con contractors so this is uh you know something that you can even get funding for so if you want to have uh you know training periodically arranged and they do recommend training periodically range and aside there are a large number of cyber security companies that do provide specific training around i.t security but ot security is a relatively new field and not many people know that so you know there has to be specific training around ot and the type of attacks around

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to Top