Beyond Firewalls

The critical nature of water and wastewater facilities demands more stringent protection of control systems to prevent malicious damage from hackers.
Beyond Firewalls
Water and wastewater facilities need protection against intrusion on their critical networks.

Interested in Instrumentation?

Get Instrumentation articles, news and videos right in your inbox! Sign up now.

Instrumentation + Get Alerts

Securing water and wastewater critical infrastructure from cyberattacks can be a tall order, as any system connected to the Internet, even indirectly, is vulnerable.

To maintain day-to-day functions, facilities must connect control system networks to corporate networks to share operational data or allow remote access for support and maintenance. Because these business networks are connected to the Internet, they can easily be breached, exposing critical control systems to all sorts of cyberattacks.

Research from antivirus company TrendMicro in 2013 showed that even a small water system is a realistic target. It clearly demonstrates that skilled attackers have the ability and the desire to hack our water control systems.

When a control system component or network is compromised, the consequences are much greater than a simple file leak or an employee’s password being stolen on a corporate network. It means someone else is in control of the facility and the process.

That isn’t to say the hacking of a business or personal computer or network is to be taken lightly, as these attacks can have serious consequences to finances and reputation. However, when a control system is taken over, the effects can also be physically devastating. In the case of water and wastewater treatment, a malicious party with full remote control of a system could cause manmade flooding, damage underground infrastructure, cause severe water pollution or contaminate drinking water by altering processes.

More than a firewall

Are firewalls equipped to handle these modern threats? While a firewall is probably enough to deter amateur hackers from accessing vacation photos and music files saved to a personal computer, the same is not true for a critical infrastructure network.

Breaching a firewall can be as easy as looking over the shoulder of someone entering a virtual private network (VPN) password while logging in remotely. Simply use that login to insert a piece of malware on a control system server, and now the machine’s owner no longer controls that machine. And just because VPNs are encrypted doesn’t make them secure, as shown by the recent Heartbleed bug revelation, which exposed a vulnerability that allowed hackers to steal credentials.

There are many ways for a hacker of moderate ability to break through a firewall. Firewall technology is inherently designed to permit interaction. Access is provided to allow clients outside a protected network to send queries and polls to systems inside the protected network.

As you can imagine, there is a serious vulnerability in firewalls in that bad requests can be cleverly disguised as legitimate traffic. For these reasons, and plenty more, it’s surprising that firewalls alone are considered adequate protection for a system that, if compromised, could create havoc for hundreds of thousands of people.

Because the biggest risks of cyberattacks relate to the industrial control system being connected directly or indirectly to the Internet, why not simply disconnect the system from all networks? It turns out that water utilities — from large production plants to small wastewater lift stations — benefit greatly from connecting control systems to business networks to perform business and maintenance functions more efficiently.

Connecting an operations network to a corporate network can make employees more productive at their jobs, give managers more information about business processes and water quality, and help manage operations from the back to the front office.

Although it is technically possible to operate a water or wastewater facility without connecting critical control systems to a business network, it would not be efficient or business-savvy to do so. The benefits of connection for operational efficiency are simply too great. What is truly needed is a way to reduce firewall risks without reducing the benefits of network integration.

Toward stronger security

To reduce firewall risks, water system operators increasingly deploy stronger-than-firewall solutions in the form of hardware-enforced unidirectional security gateways. Firewalls are intended to provide protection adequate for basic personal and business networks, but they are not secure enough for safety-critical assets such as water and wastewater treatment facilities.

Unidirectional security gateways replicate control system databases, devices and servers to business networks where users and business applications can query the replicas and interact with those replicas in any way they wish, without affecting the original industrial equipment.

The gateway hardware allows information to flow in one direction only and thus eliminates the risk of online attacks from external networks. The result is absolute protection from network attacks originating on business networks and indeed on any external network. The gateways safely integrate industrial networks with corporate networks.

In addition, water control systems are notoriously vulnerable to internal attack due to the widespread use of plain-text communications protocols and the often limited use of antivirus signature updates and host-hardening practices. To complement a unidirectional gateway deployment, control system operators and water plant managers need to maintain a high level of suspicion about every piece of data that enters the water control system’s protected network.

This suspicion should extend to everything from software on new machines purchased and installed from third-party suppliers, to every laptop a vendor or integrator brings inside the security perimeter, to even basic data-sharing appliances, such as flash drives. All of these technologies can propagate infections. It was a storage drive, for instance, that ultimately leaked the infamous Stuxnet virus into the Iranian nuclear program’s uranium enrichment facility.

When unidirectional gateway technology is deployed in tandem with company policies and procedures to tightly control all forms of data entering networks, water system operators can rest assured that they have taken strong measures to minimize the threat of cyberattacks to their assets and to public safety.

About the author

Michael Firstenberg is director of industrial security at Waterfall Security Solutions, a provider of unidirectional security gateways for industrial control networks and critical infrastructures based in New York City. He can be reached at  


Comments on this site are submitted by users and are not endorsed by nor do they reflect the views or opinions of COLE Publishing, Inc. Comments are moderated before being posted.