Cybersecurity and Aqueducts: a combination that must look at sustainability

In recent years, the cyber security of aqueducts has become a critical issue given the increasing sophistication of cyber-attacks and the vital importance of water infrastructure. In parallel, sustainability has emerged as a global priority, with the United Nations’ 2030 Agenda serving as a reference framework that guides the cybersecurity life cycle.
Companies leading the energy transition pay great attention to cybersecurity, as established and required by the NIS2, DORA and GDPR regulations (to name just a few). This is the case for the water, energy and utilities sectors, which on the one hand face potential infrastructure vulnerabilities due to the long life cycle of their infrastructures and on the other hand need to introduce new technologies. This necessary focus on cyber security is intrinsically linked to an additional element: cybersecurity from a sustainability perspective.
Cyber security plays a key role in the future of corporate social responsibility. The 2030 Agenda sets out goals for businesses which make it clear that the transition to cyber-resilience of critical infrastructures is crucial for a sustainable future, requiring high levels of cyber security and of corporate as well as social responsibility, in order to mitigate risks through the creation of resilient digital and physical infrastructures.
For example, for aqueducts, the 2030 Agenda includes Goal number 6: Ensure the availability and sustainable management of water and sanitation.
Overview of Cyber Security in Aqueducts
Aqueducts are a sensitive target for hackers, precisely because of their critical function and the resonance (including in the media) that any attack could have.
The well-known attack on the Municipal Water Authority of Aliquippa in the United States took place in November 2023. It became famous for its particularity: the objective in this case was not the “classic” exfiltration of data, but to demonstrate that the public service could be compromised, a demonstration obtained by hacking a PLC (Programmable Logic Controller) of the booster station. All this took place in the context of a “geopolitical” attack on the US. The attack was claimed by CyberAv3ngers, an Iran-based hacker group.
Going back a bit in time, a water plant in Florida had already been attacked in 2021. The attack, which was fortunately foiled, aimed to increase the levels of sodium hydroxide in the water, which could have exposed public health to serious harm.
This new type of attack has alarmed the US federal government, the FBI and the EPA, leading to the publication of a document to support US water companies in rapidly improving their resilience: the Water and Wastewater Sector – Incident Response Guide, published in January 2024 (https://www.cisa.gov/resources-tools/resources/water-and-wastewater-sector-incident-response-guide-0).
Weaknesses of the sector
Experts working in OT infrastructures have completely different skills from those working in IT. The main reason for this divergence is the speed with which industrial environments, historically distinct from computer environments, have converged with them, with OT seeing a progressive and exponential improvement in productivity thanks to the introduction of platforms such as ERP and MES.
At the same time, however, industrial environments have kept their distance from the familiar problems that IT has been facing for decades. Thus, despite the increasing talk of convergence, IT and OT often remain two distinct worlds: the professional skills in the two sectors are very different, with views that do not always coincide between engineers specialised in production and those dealing with communication networks and infrastructures.
The OT universe is also highly regulated, and updating a single piece of software requires repeated compliance tests to ensure the type-approval of systems. Paradoxically, the use of newer products can “represent an obstacle to innovation” (for example due to the maintenance of equipment certifications). It is not rare to find, in production lines, operating systems no longer supported by the manufacturer, such as Windows XP and Windows NT. They work, but the lack of support means that they are extremely vulnerable to cyber-attacks and do not guarantee the same security standards as new versions.
However, it is clear to all of us that digitalization in the industrial sector cannot be ignored, so standard security protocols on critical infrastructures must be followed.
Standards and regulations
In Europe and Italy, there are several regulations that govern OT security in aqueducts and address the resilience of infrastructures.
For example, at EU level, the NIS Directive (Network and Information Systems) imposes security obligations on operators of essential services, including aqueducts. In Italy, Legislative Decree 65/2018 implements this directive, defining the security and incident notification requirements.
Then there is the Water Safety Plan, known in Italy as “PSA”, introduced by the World Health Organization, which provides, for the technical information structures, a quality standard aimed at ensuring the safety of the water system, and consequently that of citizens.
A key role is also played by the National Cyber Security Perimeter, introduced by Decree-Law n. 105/2019, which represents a further step towards increasing cyber resilience by establishing a protection framework for critical infrastructures, including aqueducts. It also requires that “The entities included in the cyber security perimeter are required to prepare annually a list of assets deemed ‘strategic’ for the provision of essential services and essential functions of their respective relevance, and, with reference to these assets, to take measures to ensure high levels of security and report any incidents to the CSIRT (Computer Security Incident Response Team) active at the ACN.” (Security Perimeter, mise.gov.it)
Security strategies
We start from a context that is now quite aware of the need to constantly improve the protection of these infrastructures through a multi-level approach that looks at cyber resilience and simultaneously at risk assessment and management.
And in this context, there are many best practices that can be applied:
- Network Segmentation: Isolate OT networks from IT networks to limit the spread of attacks, always remembering that an isolated network is not a 100% protected network. The network, even if isolated, is probably subject to intervention by outsiders (for example maintainers, data analysts) who could take actions that could infect it, such as the use of a flash drive.
- Continuous monitoring: Implement intrusion detection systems (IDS) and perform continuous monitoring to quickly identify and respond to attacks.
- Immutable backup: Solutions that make data backups unmodifiable by ransomware attacks.
- Training of staff at all levels
- Detection and Reaction: In cybersecurity strategies, adopting technologies that implement real-time detection and reaction is essential, and being able to manage them at the level of individual IT and/or OT endpoints is a key component in this context.
- Proactive Detection – Immediate response: A proactive approach, through continuous monitoring, allows for early detection of threats, reducing the risk of significant damage. This means being able to respond immediately to detected threats, minimizing downtime and potential impact on business operations, and it is one of the main protection systems.
Gyala’s answer
The OT network, as we have seen, cannot be managed like the IT one. The reaction applied to an attack targeting an OT endpoint must be selectable according to the specificity of that single endpoint.
In this context, the right choice is Agger, our response to maximise the cyber resilience of IT and OT infrastructures, which brings to critical infrastructures:
- End Point & Detection Response with rules that can also be customised per individual agent, making it possible to reflect the specific needs of the endpoint we protect.
- Cloud, on-premises and/or segregated or classified network deployment, thus covering all types of installation requirements and respecting the architecture of the production lines.
- Advanced OT defence: a specific protection system for OT infrastructures that remotely controls the availability and integrity of the PLCs and is able to restore them by reloading their original software and configurations, or to react as coded by the Customer.
- Risk management tool: makes it possible to create a formal description of the IT and OT infrastructure, to calculate the impact on services based on the probability and the extent of the impact of each potential threat and, finally, to define the risk mitigation plan, evaluating its effectiveness.
Conclusions:
Protecting water supplies requires a continuous commitment to cyber security and sustainability. Implementing best safety practices, complying with applicable regulations and investing in innovative technologies are essential steps to ensure the resilience of water infrastructure and the consequent well-being of communities. The synergy between cyber security and sustainability not only protects water resources but also supports global sustainable development goals.
The connection between sustainability and cybersecurity is examined in depth in research by the “Fondazione per la sostenibilità Digitale”, which explored, through in-depth analysis conducted with focus groups comprising a diverse representation of experts (including CIOs, CISOs as well as university lecturers and researchers), the intersections between digital security and sustainability in its environmental, economic and social dimensions, proposing a framework that leads to a cybersecurity that is both sustainable and a driver of sustainability.
The research has identified three main elements of convergence:
- Digital Sovereignty has emerged as one of the key elements of sustainability, linked to the SDGs (SDG8, SDG7, SDG3) that look at the cyber protection of our country as an indispensable tool to protect, in an increasingly complex geopolitical context, the infrastructures and data of Italian institutions, companies and citizens.
- The IT/OT convergence is the second key element: “To ensure security and resilience of infrastructures, OT infrastructures must be managed with the same flexibility as IT infrastructures; security of supply chains is increasingly important.” It is clear that through the convergence of IT and OT, companies can gain a complete and accurate view of their operations, improve operational efficiency, reduce costs and promote business sustainability.
- The third crucial element is privacy, which does not only look at the data of the individual, but more generally at the protection of data throughout their journey through the digital world. Indeed, most of the sustainable development goals require the processing of very large amounts of data relating to very high numbers of individuals, and therefore in effect the processing of personal data.