Think Your Water Utility Is Immune To Cyber-Attacks? Think again.
Water and Wastewater Utilities are prime cyber targets for those interested in disrupting our country’s critical infrastructure. The pace, sophistication, and cost of these attacks are increasing exponentially. But your infrastructure is only as secure as the technology supporting it.
This whitepaper defines and identifies cybersecurity risks facing water and wastewater utilities, provides destinations for industry best-practices and resources, and details Motorola Solutions products and services built to prevent and mitigate cyber risk.
ACE3600 SCADA Remote Terminal Units (RTUs) handle large volumes of inputs and outputs for critical infrastructure automation and monitoring. Inherently designed with robust security from the start to protect all points of entry and help you operate safer and more productively.
- Security policy enforcement: Ensure users, devices and software tools adhere to your utility’s security policy settings.
- Firewall: Permit or deny data transmissions into your system, system segment, or device based on rules or other established criteria.
- Access control: Verify access to RTU is legitimate from other RTUs or system users with authentication via name, password, and IP address credentials. You also have the option to use a remote authority or authentication server to perform access control or rely on the device itself, such as a RTU or IP Gateway.
- Role-based access control: Assign specific roles and permissions to perform certain operations based on those roles.
- Intrusion Detection System: Automatically monitor events in your control system, looking for malicious activities. The RTU will react in real-time to block such activities, while allowing legitimate traffic to occur.
- Application control software (whitelisting): Block unauthorized applications and code from running on your RTUs in the field by allowing only pre-identified programs to run.
- Encryption: Make data unreadable except with a device that has a specific key to decrypt it. Prevent eavesdropping, spoofing or illegal access with the FIPS-140-2-certified 256 bit AES (Advanced Encryption Standard) algorithm.
- Auditing: Monitor processing in each device and log any suspicious activity or deviations from policy. Attempts of unauthorized access are blocked and logged in the RTU internal security log. Based on the severity, it can trigger an alarm to alert personnel.
- Unused port deactivation: Unused ports can be disabled, reducing vulnerability.
- Time-window commands: To limit the risk of replay attacks or other malicious activities, such as access by a disgruntled employee, a time stamp can be added to the command message. A subsequent “action” message must be received within a designated time window and contain elements that match those in the notification message or the action will be rejected.
- Secured programming: Motorola implements extensive secured programming in our software development processes, including code obscurification to disable reverse code engineering or eliminate encryption of data related to debugging or testing.