From IT to OT, and navigating the in-between

By Natalie Chew, Assistant Editor

For water utilities and operators, the digital landscape is fraught with potential hazards. Water and Wastewater Asia speaks to Claroty’s Eddie Stefanescu to learn more about what industry players can do to even the playing field.

In 2015, the USA’s Department of Homeland Security (DHS) released a report detailing how the nation’s water grid was vulnerable to attacks by hackers. This is, of course, no surprise to water utilities today, which have in recent years become increasingly reliant on modern technology and the Internet to operate their networks. These digital, virtual tools can help to increase reliability and lower labour costs, but they give utilities one more thing to worry about – potential cyberattacks.

Eddie Stefanescu, General Manager – Asia Pacific & Japan, Claroty

According to Claroty’s general manager (Asia Pacific & Japan), Eddie Stefanescu, water utilities are especially vulnerable during global crises such as the current COVID-19 pandemic.

“At the start of the pandemic, organisations found themselves rapidly pivoting to a largely remote workforce, which can make it difficult to keep track of remote access activity,” he commented.

“Over the past decade, we have seen a proliferation of internet-connected operational technology (OT), especially industrial control systems (ICS), as part of a broader trend of digital transformation in the water utilities sector and beyond. While this trend brings important benefits such as automation, monitoring and analytics, it is also increasing the possibility of cyberattacks, since breaches in an IT system can spread to the OT systems, and vice versa. Threat actors may take advantage of such periods of uncertainty to launch cyberattacks, which compounds the need to be vigilant, and to safeguard our water and wastewater networks.”

In one such example, Israel’s Water Authority and National Cyber-Directorate (INCD) reported a cyberattack in April this year, which attempted to target the Water Authority’s command and control systems. These systems manage wastewater treatment plants, pumping stations and sewage infrastructure.

A Financial Times report later claimed that the hackers had gained access to some of Israel’s water treatment systems and tried altering water chlorine levels before being detected and stopped. If the attack had been successful and water chlorine levels had been adjusted, attackers could have caused mild poisoning to the local population served by the affected treatment facility.

Stefanescu said, “The Israeli authorities later reported that the incident appeared to be coordinated, but fortunately no damage had occurred other than limited disruptions in local water distribution systems. If, for example, the attackers had successfully tampered with the control systems and say, had added too much chlorine to the national water supply, it may have led to devastating consequences.

The recency of this attack, and its potential for widespread harm, serves as an important reminder to us to keep water and wastewater infrastructure cyber-safe.”

More recently, officials from the Water Authority have reported two more cyberattacks on Israel’s water management facilities in June, which were unsuccessful in causing damage to the targeted organisations.

One important factor in properly securing water utilities is in differentiating IT and OT assets. Stefanescu explained, “IT assets, such as computers and communication devices, are designed for interconnection. Correspondingly, IT security is a mature field, with several decades of development to protect devices from digital threats.

On the other hand, OT assets, which include sensors and control systems for pumping stations, water treatment plants and more, were not designed to be connected, but rather to work in isolation, thus remote attacks on such assets are not a concern. Furthermore, while IT networks use standardised protocols, OT networks typically use proprietary protocols, which are largely unrecognisable by IT security tools.”

In April this year, Israel reported a cyberattack that could have resulted in damaging consequences for the country’s utilities
Photo credit: Adi Goldstein

Stefanescu also said that organisations are realising the importance of securing their OT networks as OT devices are increasingly connected to IT systems and the internet. OT assets have a long life cycle of several years or more, and their underlying operating systems tend to be more dated than those of IT assets, which are routinely updated and replaced. This makes OT assets particularly vulnerable to attacks that originate from IT issues, as the OT system may contain software vulnerabilities that have never been patched.

Another difference Stefanescu pointed out is that IT and OT have different security priorities: in IT, confidentiality is more important than availability, whereas in OT it is the exact opposite, and most organisations cannot afford downtime in their OT systems. For operations such as water utilities, OT downtime could mean bringing the regional or national water supply to a halt.

“Remote access solutions designed for IT are often agent-based and/or use jump servers to connect to OT networks,” he continued. “Agents require OT downtime, while jump servers expand the attack surface by perforating the firewall and increasing unsecured connectivity between IT and OT.”

Expanding on this point, he said that organisations need a remote access solution that can secure and control remote OT access without the risk of downtime or impeding workflows, especially since “IT solutions are not designed to cater for the priorities of OT, and therefore cannot meet these needs.”

Meeting these needs is where OT asset visibility comes into play: Stefanescu likened it to “seeing” into the OT environment, knowing which assets exist on the network and what function each of them serves.

“To secure OT assets, it is important to understand the granular configuration information for each asset, how the assets are communicating across the network, and the specific details about the application level process automation ‘conversations’ that are occurring,” he said.

“When it comes to water utilities, it encompasses an entire network of pipelines, pumping stations, water treatment plants, and storage and distribution systems across a geographical area. As water infrastructure often grows in tandem with local population and economic growth, this can lead to inconsistent asset documentation and a lack of full visibility across the OT environment. This means that potential threats and vulnerabilities can go undetected.”

In a worst-case scenario, remote facilities may be compromised.

“In the event of a system infection or breach, organisations should immediately reset every password across the entire OT system or systems, especially those dealing with chemical control. If it is not possible to change the passwords for certain systems, they should be disconnected from the internet,” Stefanescu advised.

Of course, prevention is still better than cure – and Stefanescu emphasised that the onus is on operators to make sure the utilities’ control software is regularly updated.

“Routine password changes are important – and as surprising as it may seem, many industrial control devices are not protected by passwords, which leaves them extremely vulnerable.

Another important part of attack prevention is the use of a cybersecurity solution that is tailored to the needs of OT. A comprehensive solution should offer full visibility into OT assets, detect threats swiftly without false positives, identify vulnerabilities in assets, as well as evaluate and mitigate threats in real time.”

According to Stefanescu, the onus is on operators to make sure software is regularly updated
Photo credit: methodshop

This is where cybersecurity company Claroty comes in, bridging the gap between IT and OT environments. The company offers an OT cybersecurity platform that deploys rapidly and seamlessly integrates with existing IT security infrastructure.

More so than other companies offering OT cybersecurity solutions, Claroty focuses on visibility into the OT environment. The Claroty Platform uses unmatched protocol coverage, scanning, segmentation, and secure remote access capabilities to grant complete visibility across all three OT dimensions critical to risk reduction: assets, network sessions, and processes.

“The Claroty Platform simplifies OT security,” said Stefanescu. “This eliminates the burden of complex deployments, steep learning curves and unfamiliar tools that operators often face. Developed specifically to protect OT environments within enterprises and critical infrastructure, the platform provides comprehensive OT asset and network visibility, segmentation, vulnerability management, threat detection, risk assessment, and secure remote access capabilities—all within a single, agentless solution.

Rapid deployability, a robust API and integrations ecosystem compatible with both OT and IT systems and workflows, and an unmatched signal-to-noise ratio enable the platform to reduce the complexity of implementing fundamental security controls, fulfilling audit and compliance requirements, and protecting OT assets and networks from internal and external cyber threats.”

Stefanescu shared that Claroty had previously worked with a US-based water utilities provider, which had been in the middle of upgrading its IT infrastructure and security architecture at the time.

Claroty was tasked with assessing and improving security across the provider’s expansive and growing OT environment, which includes hundreds of miles of pipeline and more than 20 physically dispersed water facilities such as pumping stations, water treatment plants, and storage and distribution systems.

While working with the provider, Claroty identified three key challenges for the project:

1. Lack of asset visibility: A large physical footprint, combined with the company’s rapidly growing infrastructure to support population and business growth in the region, resulted in inconsistent documentation of OT assets and lack of full visibility into the OT environment.

2. Remote, unmanned facilities: Many of the company’s pumping stations and other facilities were unmanned. Employees and third-party vendors remotely accessed these systems to perform maintenance and gather operational data – if any authorised party’s systems were to be infected with malware, or if their access credentials were stolen, this could compromise the systems, switches and controllers. The company also had no way of ensuring that only authorised parties were accessing appropriate systems and making agreed-upon changes.

3. Compliance with new regulations: Under America’s Water Infrastructure Act (AWIA), utilities that provide drinking water must conduct risk and resilience assessments and revise emergency response plans. These changes required a detailed understanding of the OT network in order to meet the US Environmental Protection Agency (EPA) deadline in 2020.

By deploying the Claroty Platform, Stefanescu explained, the company was able to greatly improve its operational security.

“Firstly, the company’s IT security, network and OT teams were able to gain full visibility and immediate profiling of all assets across the company’s expansive OT environment. With granular details of all assets, sessions, processes, and corresponding risk levels, they could now identify threats and vulnerabilities in the OT network to mitigate risk and assure continued operations of critical processes.

Next, they were able to secure remote access to OT assets. Security teams have granular control, the ability to audit access, and additional levels of security, such as password vaulting. Unauthorised access is immediately blocked, and unusual network activity triggers an alert to the team.”
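The visibility gap described earlier (assets missing from documentation) and the remote-access checks in the passage above can be expressed as a simple reconciliation of an asset register against what is observed on the network and in session records. The Python below is an added illustration, not code from the article or from the Claroty Platform; the asset ids, sites, parties and session records are all constructed.

```python
"""Reconcile a documented OT asset register against observed network traffic
and remote-access session records, surfacing undocumented assets and sessions
by parties not authorised for the asset they touched. All data is constructed."""

# Constructed asset register: asset id -> site, role, parties allowed remote access
ASSET_REGISTER = {
    "plc-chlor-01": {"site": "WTP-North", "role": "chlorine dosing",
                     "authorised": {"ops-team", "vendor-dosing"}},
    "plc-pump-07": {"site": "PS-07", "role": "pump control",
                    "authorised": {"ops-team", "vendor-pumps"}},
    "rtu-tank-03": {"site": "Tank-03", "role": "level telemetry",
                    "authorised": {"ops-team"}},
}

# Constructed passive-monitoring observations: (asset id, protocol seen on the wire)
OBSERVED = [("plc-chlor-01", "modbus"), ("plc-pump-07", "modbus"),
            ("rtu-tank-03", "dnp3"), ("plc-pump-12", "modbus")]

# Constructed remote-access session records: (party, asset id, action)
SESSIONS = [
    ("ops-team", "plc-chlor-01", "read"),
    ("vendor-pumps", "plc-pump-07", "write"),
    ("vendor-pumps", "plc-chlor-01", "write"),  # pump vendor writing to a dosing PLC
    ("contractor-x", "rtu-tank-03", "read"),    # party absent from the register
]

CHEMICAL_ROLES = {"chlorine dosing"}  # roles where a bad write can affect water quality


def visibility_gaps(register, observed):
    """Assets talking on the network but missing from the documented register."""
    return sorted({aid for aid, _ in observed if aid not in register})


def unauthorised_sessions(register, sessions):
    """Sessions by parties not on that asset's authorised list (unknown asset => flagged)."""
    return [(party, aid, action) for party, aid, action in sessions
            if party not in register.get(aid, {}).get("authorised", set())]


def critical_write_alerts(register, sessions):
    """Highest-severity subset: unauthorised writes to chemical-control assets."""
    return [s for s in unauthorised_sessions(register, sessions)
            if s[2] == "write" and register.get(s[1], {}).get("role") in CHEMICAL_ROLES]


if __name__ == "__main__":
    print("undocumented assets:", visibility_gaps(ASSET_REGISTER, OBSERVED))
    print("unauthorised sessions:", unauthorised_sessions(ASSET_REGISTER, SESSIONS))
    print("critical write alerts:", critical_write_alerts(ASSET_REGISTER, SESSIONS))
```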

The company also ensured its compliance with the AWIA mandate by the deadline, and was able to optimise its IT security, network, and OT teams.

Stefanescu concluded, “The Claroty Platform gave them the tools needed to conduct the appropriate risk and resilience assessment. It also integrated with the company’s ecosystem of OT and IT systems and workflows, allowing all teams to use the solution to strengthen security. This lowered the total cost of ownership while maximising return on investment.”

This article may be found in Water & Wastewater Asia’s September/October 2020 issue.