
Water Sector Cybersecurity: Effective IAM Practices

Bottom Line Up Front

  • IAM solutions can thwart up to 98% of cyber attacks against water management networks.
  • IAM is a defense in-depth measure that helps mitigate threats against aging IT/OT environments.
  • IAM solutions must conform to a clear and applicable policy.

Water is a Big, Big Target

According to the EPA, about 70% of water utilities inspected by federal officials over 2023 and 2024 violated standards meant to prevent breaches or other intrusions. Those gaps in protections left the gates wide open for adversaries. There is no lack of examples…

  • October 2024: New Jersey-based American Water, the largest regulated water and wastewater utility company in the United States, had to shut down computer systems due to “unauthorized access” - thus far, no details of the breach have been shared with the public.
  • January 2024: CyberArmyofRussia_Reborn claimed responsibility for attacks on water facilities in the United States and Poland. In Muleshoe, TX, one breach caused the water system to overflow. This was one successful attack out of nearly 40,000 attempts to gain access via remote login systems.
  • November 2023: The Cyber Av3ngers, a pro-Iran group, allegedly hacked the water authority in Aliquippa, Pennsylvania. The attackers used two weaknesses in a programmable logic controller (PLC) to take control of it–a weak default password that remained unchanged since installation, and exposure to the internet.
  • February 2021: A water treatment plant in Oldsmar, FL, was attacked by a hacker who gained access via the TeamViewer remote access application. After noticing an increase in sodium hydroxide levels in the water, a worker on site shut the access down. A possible path to the attack was a data leak containing email addresses and passwords for two domains belonging to the Oldsmar facility.

Many more cases have been reported globally, but these have one glaring thing in common–failures in identity and access management (IAM).

What is Identity and Access Management?

As utilities modernize and adopt digital systems, the need to have technicians present on-site to oversee operations decreases. Fewer personnel on-site increases the importance of securing and verifying access at every digital entry point. Thus, utilities are challenged with providing secure access consistently across the utility’s digital systems. IAM seeks to solve this challenge by defining roles, storing user identities, and enacting policies that support security.

IAM frameworks ensure the right people access sensitive information through the processes of:

  • Identity verification: IAM checks users’ identities against a database of roles and access levels decided upon by the utility’s management team.
  • Access management: IAM applies access roles and restrictions across the utility’s systems, including databases, software, and cloud storage.
  • Protection for sensitive data: IAM frameworks ensure that data like personally identifying information (PII) is not accessed unnecessarily or able to be leaked to the public.
  • Automated management: IAM provides programmed protections of identities and permissions, and because IAM automates these protections, they are managed in the same way every time, upholding utility security policy.

IAM helps utilities define which workers can access different parts of the utility’s digital landscape based on their role. For example, a field worker may have read-only rights to sensor logs, while managers can see when and where their direct reports have accessed the utility’s digital documents and logs. Role-based security standardizes the types of data each user role can access, allowing the utility’s IT teams to grant further access changes based on exceptional needs rather than individualizing each user’s access.
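The role model described above, as an added example that is not the article's or any vendor's code: a deny-by-default role table, time-bounded exceptions granted by IT instead of per-user customization, and an access log that a manager can query only for their own direct reports. The roles, users and times are constructed.

```python
"""Deny-by-default RBAC with time-bounded exceptions for a small utility.
Added example, not the article's code; roles, users and times are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Role -> set of (resource, action) pairs; any pair not listed is denied.
ROLE_PERMISSIONS = {
    "field_worker": {("sensor_logs", "read")},
    "operator": {("sensor_logs", "read"), ("setpoints", "write")},
    "manager": {("sensor_logs", "read"), ("access_log", "read")},
}

@dataclass
class Iam:
    user_roles: dict                  # user -> role name
    reports_to: dict                  # user -> manager
    grants: list = field(default_factory=list)      # (user, resource, action, expires)
    access_log: list = field(default_factory=list)  # (time, user, resource, action, ok)

    def grant(self, user, resource, action, expires):
        """Exception issued by IT for an exceptional need; it lapses by itself."""
        self.grants.append((user, resource, action, expires))

    def is_allowed(self, user, resource, action, now):
        if (resource, action) in ROLE_PERMISSIONS.get(self.user_roles.get(user), set()):
            return True
        return any(g[:3] == (user, resource, action) and g[3] > now for g in self.grants)

    def access(self, user, resource, action, now):
        """Every attempt is logged, allowed or denied, so audits see both."""
        ok = self.is_allowed(user, resource, action, now)
        self.access_log.append((now, user, resource, action, ok))
        return ok

    def report_access(self, manager, now):
        """Managers see only their direct reports' attempts; anyone else gets None."""
        if not self.access(manager, "access_log", "read", now):
            return None
        return [e for e in self.access_log if self.reports_to.get(e[1]) == manager]

def demo():
    """Field worker ana reports to manager bob; ana gets a 4-hour setpoint exception."""
    iam = Iam({"ana": "field_worker", "bob": "manager"}, {"ana": "bob"})
    t0 = datetime(2024, 5, 2, 8, 0)
    results = [iam.access("ana", "sensor_logs", "read", t0),          # True: role
               iam.access("ana", "setpoints", "write", t0)]           # False: denied
    iam.grant("ana", "setpoints", "write", t0 + timedelta(hours=4))
    results.append(iam.access("ana", "setpoints", "write", t0 + timedelta(hours=1)))  # True
    results.append(iam.access("ana", "setpoints", "write", t0 + timedelta(hours=5)))  # False
    return results, iam.report_access("bob", t0), iam.report_access("ana", t0)
```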

IAM in Water Infrastructure Networks

Adversaries view industrial control systems (ICS) as highly lucrative targets. Often neglected information technology (IT) and operational technology (OT) stacks offer plenty of soft spots. The U.S., for instance, brings water to customers using small utilities, typically interconnected for load balancing in case of outages. Only a small handful of employees tend to run daily operations, often with highly restricted budgets. Customer demand for water dictates service above all else to keep the water flowing. Security is then forced to become a secondary concern. Few small companies have full-time security operations centers, or can afford concierge services to monitor their networks.

To curb some of these weaknesses in water infrastructure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Environmental Protection Agency (EPA) address digital security best practices applicable to water utilities of all sizes, often in partnership with the Federal Bureau of Investigation (FBI). A large portion of these best practices argue for secure IAM.

These are the top secure IAM recommendations, drawn from CISA’s cybersecurity advisory addressing ongoing threats to U.S. water and wastewater infrastructure:

  • Require multi-factor authentication for all remote access to the OT network, including from the IT network and external networks.
  • Utilize blocklisting and allowlisting to limit remote access to users with a verified business and/or operational need.
  • Ensure that all remote access technologies have logging enabled and regularly audit these logs to identify instances of unauthorized access.
  • Use manual start and stop features in place of always activated unattended access to reduce the time remote access services are running.
  • Audit networks for systems using remote access services.
    • Close unneeded network ports associated with remote access services (e.g., RDP – Transmission Control Protocol [TCP] Port 3389).
  • When configuring access control for a host, utilize custom settings to limit the access a remote party can attempt to acquire.

These recommendations date to 2021 after a long spate of attacks on water infrastructure. They remain just as effective now as ever, but they must be properly implemented.

Implementing Effective IAM Measures

Effective IAM relies on consistent processes and procedures. We might argue that the patchwork of utilities in the U.S. and other nations inherently lacks coordination and support for security, leaving smaller networks vulnerable. Small budgets for equipment and upgrades mean dependence on outdated hardware and unsupported software. This goes not only for water, but power, gas, chemical, and communication networks as well.

Proper IAM arms these utilities with defense in-depth measures to mitigate, and often eliminate, weaknesses inside the network. The following breakdown of IAM implementation describes the broad steps necessary.

Assess Current Identity and Access Needs

Start by cataloging the software and digital assets that run and support the utility. It’s helpful to ask each department to list the types of software and assets they use and for what purpose. For each tool, have managers identify the current users and levels of access as well as the ideal types of user roles and access levels. Understanding the existing landscape of your utility helps you identify security requirements for each organizational role or department, and begin to build your IAM strategy to address those needs.

Define IAM Policies and Requirements

Once digital systems have been mapped, begin to write clear and concise IAM policies. These policies should define:

  1. Which internal roles require access to each asset.
  2. What conditions require access change.
  3. When to change access rights due to new hires, promotions, employee terminations, or transfers.
  4. How the processes support regulatory or security standards.

Key Point: The utility’s documented IAM policies will speed automation, improve enforcement, and drive consistency.

Clear policies and processes will help IT and administrators automate access to information. Documenting policies also helps management enforce consistency across departments within the utility.

Select an IAM Solution

IAM solutions are software applications that help manage and secure user identities and their access to IT and OT environments. With proper implementation, businesses can manage user authentication, authorization, and permissions across an organization. Keep in mind that IAM solutions must be manageable and easy enough that users will not take shortcuts or steps to circumvent them.

Consider the following functions when selecting a solution:

  • User Provisioning and Lifecycle Management: this creates, manages, and deactivates user accounts; these actions can often be automated to ensure compliance with IAM policies.
  • Single Sign-On (SSO): users authenticate just once to access programs and servers without having to log in again.
  • Multi-Factor Authentication (MFA): MFA adds an extra layer of security that often protects user accounts from unauthorized access even after username and password leaks, by requiring users to verify their identity with two or more factors, such as a password and a phone code. This is more secure than relying on a password alone.
  • Role-Based Access Control (RBAC): assigns rights and access privileges based on user roles and responsibilities.
  • Audit and Compliance: logging and reporting allow the utility to keep track of user activity, access requests, and authorization changes.
  • Self-Service Portals: allow users to manage their own accounts, reset passwords, seek access permissions, and update personal data.
  • Integration Capabilities: integrate IAM with directory services like LDAP (Lightweight Directory Access Protocol) and Active Directory, cloud services, social media services, and business applications.

Take the time and do the research. Active Directory synchronization is unhelpful if you do not run a Windows environment, and social identity integration is a bit much for a rural water provider maintained by five or six employees. Regulatory compliance should rank high on the priority list, but do not select an IAM solution that just checks a box.

Implement and Monitor

Ensure the IAM solution is working. Audit the access logs and start keeping records of failed logins or MFA token entry attempts. Talk to users and survey for ease of use, technical issues, or needs to change some controls or policy items. While security is important, it should not impede business operations, and improperly executed IAM solutions should not get in the way.
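The audit step above, together with the CISA recommendations on remote-access logging, MFA and allowlisting, as an added example that is not the article's code: it parses constructed gateway log lines and flags repeated failures from one source, successful logins that presented no second factor, and logins from sources outside the allowlist. The log format, allowlist and failure threshold are assumptions.

```python
"""Audit constructed remote-access logs for the IAM controls the advisory lists.
Added example, not the article's code; the log format, allowlist and threshold
are assumptions for a small utility's VPN/RDP gateway."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines (not real traffic): one remote login attempt each.
SAMPLE_LOG = """\
2024-05-02T02:13:07Z src=203.0.113.44 user=operator1 method=vpn mfa=no result=fail
2024-05-02T02:13:09Z src=203.0.113.44 user=operator1 method=vpn mfa=no result=fail
2024-05-02T02:13:12Z src=203.0.113.44 user=operator1 method=vpn mfa=no result=fail
2024-05-02T02:13:15Z src=203.0.113.44 user=operator1 method=vpn mfa=no result=fail
2024-05-02T02:13:18Z src=203.0.113.44 user=admin method=vpn mfa=no result=fail
2024-05-02T09:05:40Z src=198.51.100.7 user=operator2 method=vpn mfa=yes result=ok
2024-05-02T09:30:02Z src=198.51.100.7 user=operator2 method=rdp mfa=no result=ok
2024-05-02T22:41:55Z src=192.0.2.19 user=vendor1 method=vpn mfa=yes result=ok
"""

ALLOWLIST = [ip_network("198.51.100.0/24")]  # assumed approved remote sources
FAIL_THRESHOLD = 3                           # failures from one source before flagging
LINE_RE = re.compile(r"(\S+) src=(\S+) user=(\S+) method=(\S+) mfa=(\S+) result=(\S+)")

def parse(log_text):
    """Turn each well-formed line into a dict; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, user, method, mfa, result = m.groups()
            events.append({"ts": ts, "src": src, "user": user, "method": method,
                           "mfa": mfa == "yes", "ok": result == "ok"})
    return events

def audit(events):
    """Return (finding, subject, detail) tuples for the three checks below."""
    findings = []
    # 1. Repeated failures per source: the pattern the logging advice is meant to surface.
    for src, n in Counter(e["src"] for e in events if not e["ok"]).items():
        if n >= FAIL_THRESHOLD:
            findings.append(("repeated_failures", src, n))
    for e in events:
        if not e["ok"]:
            continue
        # 2. A successful remote login that never presented a second factor.
        if not e["mfa"]:
            findings.append(("login_without_mfa", e["user"], e["method"]))
        # 3. A successful login from outside the approved source allowlist.
        if not any(ip_address(e["src"]) in net for net in ALLOWLIST):
            findings.append(("source_not_allowlisted", e["user"], e["src"]))
    return findings
```

Run against real gateway exports, the same three checks give the failed-login and MFA records the section asks you to keep.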

The Bottom Line

IAM is a defense in-depth measure, combining multiple technical controls with relevant and applicable policies. Coupled with basic security hygiene, mandating MFA for all water utility network access can reduce cybersecurity incidents by 98%. The continued successful attacks on water infrastructure should be a call to mandate IAM across water infrastructure. Some due diligence in identifying critical assets across the IT and OT space and honest assessments of required user privileges will help find the right IAM solution for any water utility.

To learn more about any of the information included in this article, please reach out to one of the governmental organizations identified in this post, or email Product.Security@xylem.com or visit xylem.com/security.