Overview
Water systems are more interconnected than ever, and that connectivity has expanded their exposure to cyber threats. On March 3, 2023, the Environmental Protection Agency (EPA) issued a memorandum expanding state audits (sanitary surveys) of Public Water Systems to include an evaluation of operational technology cybersecurity.
Although this memorandum has since been withdrawn, the EPA continues to stress the importance of cybersecurity best practices for public water systems to ensure safe drinking water, offering support to states and systems while aligning with the Biden-Harris Administration’s focus on cybersecurity and critical infrastructure resilience.
And most importantly, it still underscores the urgent need for water utilities to evaluate their current efforts and take steps to protect their critical infrastructure.
Aligning with the EPA’s recommendations is vital to safeguard your water utility and the community it serves. However, navigating through these guidelines might seem daunting. This is why we’ve distilled the essential EPA recommendations into a clear and comprehensible format for you. Key topics include account security, data security, and vulnerability management, among others.
Read on as we explore the EPA’s guidelines in detail, dissect their implications for your organization, and suggest practical solutions. If you have any questions or need clarity along the way, feel free to engage us via the chat option in the corner of your screen and someone from our team will respond promptly.
Part 1: Account Security
Multi-Factor Authentication
What Does the EPA Say?
Deploy multi-factor authentication as widely as possible for both Information Technology (IT) and Operational Technology (OT) networks. At a minimum, multi-factor authentication should be deployed for remote access to the OT network.
Why Does This Matter?
Multi-factor authentication adds a second, independent proof of identity on top of the password. Even if someone acquires a user’s password, they still cannot gain access without the additional factor, such as a code from an authenticator app or a hardware security key (codes sent by SMS still count, but they are the easiest factor to phish or intercept). For remote access to your OT network, which controls your critical infrastructure, multi-factor authentication is vital to prevent unauthorized access and potential sabotage.
Recommended Solution
Your organization should adopt a solution that enforces multi-factor authentication not just for all employees but also for any third-party vendors. This should extend to legacy technologies that do not natively support multi-factor authentication, such as older remote-access appliances and the management interfaces of OT equipment. Agilicus has helped many customers deploy multi-factor authentication to secure their systems. In doing so, they protected their critical infrastructure by limiting unauthorized access, reducing the risk of a breach, and supporting regulatory compliance.
System Administrator Privileges
What Does the EPA Say?
Restrict System Administrator privileges to separate user accounts for administrative actions only and evaluate administrative privileges on a recurring basis to be sure they are still needed by the individuals who have these privileges.
Why Does This Matter?
System Administrator privileges grant substantial access and control over systems and data. By restricting these privileges, you reduce the risk of unintentional changes or malicious actions that could jeopardize your systems or data.
Recommended Solution
Your organization should implement procedures to restrict and regularly review administrator privileges, including removing shared login credentials. This should be combined with a process of regular evaluations to verify whether these privileges are still required by the individuals holding them. Incorporating granular permissions, such as view-only access, can further reduce potential risks. Agilicus achieves this by implementing role-based access controls to limit privileges and enhance security. Our customers maintain an extra layer of security by setting granular permissions, allowing certain users to have ‘view only’ access, and restricting others from making potentially harmful changes. This careful control over permissions has strengthened our clients’ security posture and reduced the potential for internal risks.
Individual Usernames and Strong Passwords for IT and OT Networks
What Does the EPA Say?
Require a single user to have two different usernames and passwords; one set should be used to access the IT network, and the other set should be used to access the OT network.
Why Does This Matter?
Individual accounts and robust credentials make unauthorized access harder and, just as importantly, make every action attributable to one person. Discouraging shared accounts and requiring strong passwords or multi-factor authentication reduces the risk that one compromised credential cascades across systems, and keeping the IT and OT credentials separate means a password captured on the IT side cannot simply be replayed against the OT network.
Recommended Solution
Your public water system should implement policies and systems that require individual user accounts and the use of strong passwords or, preferably, the dynamic codes used in multi-factor authentication. This will necessitate educating staff on the importance of unique authentication and promoting the use of robust passwords or multi-factor authentication for all users. With Agilicus, organizations are equipped with solutions designed to meet these challenges. Agilicus provides individual user authentication (even for external vendors), holds no passwords of its own because authentication is delegated to your existing identity provider, and promotes the use of multi-factor authentication. This not only bolsters your cybersecurity posture but also simplifies user access, aligning security and convenience for all involved.
Terminating Network Access
What Does the EPA Say?
Take all steps necessary to terminate access to accounts or networks upon a change in an individual’s status making access unnecessary.
Why Does This Matter?
Unnecessary access privileges can lead to security breaches, either through malicious actions or accidental misuse. It’s crucial to keep access controls up-to-date to prevent these scenarios.
Recommended Solution
Your organization should implement a process to review and revoke access when an individual no longer requires it. This could be due to role changes, terminations, or project completion. Agilicus centralizes and automates all of this. Our Zero Trust model constantly evaluates access needs, ensuring that only the necessary individuals have access at any given time. In addition, access can be set to automatically expire and if someone were to leave your organization, their access would be automatically revoked. This has helped our customers maintain a tight security posture and reduce the risk of insider threats.
Part 2: Data Security
Collecting Logs
What Does the EPA Say?
Collect and store logs and/or network traffic data to aid in detecting cyberattacks and investigating suspicious activity.
Why Does This Matter?
Collecting logs helps track user activities, identify anomalies, and detect potential attacks. These logs provide valuable insights in case of a security incident and can help determine what happened and how to prevent it in the future.
Recommended Solution
Your organization should set up systems to automatically collect and store logs and network traffic data. Make sure you have a secure and sufficient storage solution to retain this information. Agilicus supports comprehensive logging with granular auditing capabilities. This allows our customers to monitor who does what, when, and for how long. This capability has proven invaluable in detecting and mitigating threats, providing greater visibility into network activities.
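As an added illustration, not part of the original page and not code from any Agilicus product, the Python script below shows the kind of review that becomes possible once remote-access logs are actually collected. It runs four checks over a constructed sample log: successful logins by accounts that are no longer on the active roster (the “Terminating Network Access” item above), use of shared accounts, access to OT targets without multi-factor authentication, and repeated failures from one source against one account. The log format, host and account names, the ACTIVE_ACCOUNTS roster and the failure thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the style of a remote-access gateway log.
# These are illustrative and not output from any real product.
SAMPLE_LOG = """\
2024-05-02T01:12:04Z gw01 user=jsmith src=203.0.113.7 target=ot-hmi-01 mfa=yes result=success
2024-05-02T01:15:40Z gw01 user=operator src=198.51.100.9 target=ot-plc-03 mfa=no result=success
2024-05-02T01:16:02Z gw01 user=admin src=198.51.100.22 target=ot-hmi-01 mfa=no result=failure
2024-05-02T01:16:09Z gw01 user=admin src=198.51.100.22 target=ot-hmi-01 mfa=no result=failure
2024-05-02T01:16:15Z gw01 user=admin src=198.51.100.22 target=ot-hmi-01 mfa=no result=failure
2024-05-02T01:16:21Z gw01 user=admin src=198.51.100.22 target=ot-hmi-01 mfa=no result=failure
2024-05-02T01:16:30Z gw01 user=admin src=198.51.100.22 target=ot-hmi-01 mfa=no result=failure
2024-05-02T02:03:11Z gw01 user=bwalsh src=192.0.2.44 target=it-fileserver mfa=yes result=success
2024-05-02T02:30:55Z gw01 user=tgarcia src=203.0.113.80 target=ot-scada-01 mfa=yes result=success
"""

# Hypothetical roster of accounts that HR / the identity provider still considers active.
ACTIVE_ACCOUNTS = {"jsmith", "rlee", "tgarcia"}
# Hypothetical generic accounts that should not be in use at all.
SHARED_ACCOUNTS = {"operator", "admin"}
FAILURE_THRESHOLD = 5                   # this many failed logins from one source/account ...
FAILURE_WINDOW = timedelta(minutes=5)   # ... inside this window is treated as password guessing

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"target=(?P<target>\S+) mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)


def parse_log(text):
    """Turn gateway log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def review_access(events, active_accounts=ACTIVE_ACCOUNTS):
    """Return (rule, user, detail) findings for the four checks described above."""
    findings = []
    failures = defaultdict(list)   # (src, user) -> timestamps of failed attempts

    for ev in events:
        user, target = ev["user"], ev["target"]
        if ev["result"] == "failure":
            failures[(ev["src"], user)].append(ev["ts"])
            continue
        # Checks that apply to successful logins only
        if user in SHARED_ACCOUNTS:
            findings.append(("SHARED_ACCOUNT", user, "generic account used for " + target))
        elif user not in active_accounts:
            findings.append(("DEACTIVATED_ACCOUNT", user, "not on active roster, reached " + target))
        if target.startswith("ot-") and ev["mfa"] == "no":
            findings.append(("OT_ACCESS_WITHOUT_MFA", user, target + " from " + ev["src"]))

    # Sliding window over failed attempts per (source, account)
    for (src, user), stamps in failures.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = [t for t in stamps[i:] if t - start <= FAILURE_WINDOW]
            if len(in_window) >= FAILURE_THRESHOLD:
                findings.append(("BRUTE_FORCE", user,
                                 "%d failures from %s within %s" % (len(in_window), src, FAILURE_WINDOW)))
                break
    return findings


if __name__ == "__main__":
    for rule, user, detail in review_access(parse_log(SAMPLE_LOG)):
        print("%-22s %-10s %s" % (rule, user, detail))
```

Run against the sample, the review reports the shared “operator” account reaching a PLC without MFA, a login by the off-roster “bwalsh” account, and five failed attempts against “admin” from one address in under a minute. The roster check is the piece that turns the logging item and the termination item into one control: a successful login by an account HR says no longer exists is the signal that revocation did not happen.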
Storing Security Logs
What Does the EPA Say?
Store security logs in a central system or database that can only be accessed by authorized and authenticated users.
Why Does This Matter?
Centralizing security logs in a restricted-access database ensures that crucial data is protected and easily accessible for review and analysis. This also safeguards sensitive log data from unauthorized access, which could potentially be used to hide malicious activities or to gain information about the network.
Recommended Solution
Your organization should establish a secure, central database for storing security logs. Access to this database should be controlled and monitored.
Agilicus aids in centralizing and securing the storage of security logs, enforcing strong access controls, and streaming logs to the destination of your choice. This has simplified log management for our customers, ensuring data is both protected and readily available when needed.
Encrypting Sent Data
What Does the EPA Say?
When sending information and data, use Transport Layer Security (TLS) or Secure Socket Layer (SSL) encryption standards.
Why Does This Matter?
Encrypting data in transit ensures that even if traffic is intercepted it cannot be read or silently altered, and TLS also lets the client verify that it is talking to the genuine server rather than an impostor. This prevents sensitive information, including credentials and control commands, from being captured during transmission, a common point of vulnerability.
Recommended Solution
Your organization should enforce TLS 1.2 or later for all data transmissions. All versions of SSL and TLS 1.0/1.1 are deprecated and should be disabled, and certificate verification should never be switched off to make a connection work. This may require updates to network configurations and additional training for staff. Agilicus provides robust encryption for data in transit as a built-in feature of our platform. This protects our customers’ data during transmission, significantly reducing their risk of data breaches.
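The snippet below is an added example written for this page; it is not taken from the EPA guidance or from the Agilicus platform. It uses Python’s standard ssl module to place a legacy client configuration beside a hardened one, and a small audit function that reports which of the three properties a TLS connection is supposed to give you (a modern protocol floor, certificate verification, and binding of the certificate to the server name) a configuration has disabled. No network connection is made; the contexts are only built and inspected.

```python
import ssl
import warnings


def weak_client_context():
    """A legacy-style configuration: verification off and TLS 1.0 still negotiable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate, so an interceptor is not detected
    with warnings.catch_warnings():
        # Python warns when TLS 1.0 is re-enabled; that warning is itself a hint to fix this.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def hardened_client_context():
    """Verify the peer against the system trust store and require TLS 1.2 or newer."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED, hostname check, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of policy violations for an SSLContext (an empty list means compliant)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2 (SSL or TLS 1.0/1.1 negotiable)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled (certificate not tied to the server name)")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "compliant")
```

The same three questions apply to any client or server you do not write yourself: what is the lowest protocol version it will accept, does it verify the peer certificate, and does it check that the certificate matches the name it connected to. A scanner can answer the first from outside; the other two can only be confirmed from the configuration.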
Storing Sensitive Data
What Does the EPA Say?
Do not store sensitive data, including credentials (i.e. usernames and passwords) in plain text.
Why Does This Matter?
Storing sensitive data in plain text exposes it to unnecessary risk. If a system is compromised, attackers could easily access and exploit this data. Protecting sensitive information is fundamental to maintaining trust and compliance with regulations.
Recommended Solution
Your organization should store passwords only as salted hashes produced by a deliberately slow function (bcrypt, scrypt, Argon2 or PBKDF2), so that a copied credential database cannot be turned back into passwords, and should encrypt other sensitive data at rest with keys kept separate from the data. Regular audits should verify compliance with this practice. Agilicus does not store any credentials. Instead, we leverage security tokens passed to our platform by existing identity providers. This level of protection increases data security and regulatory compliance.
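As an added example (not from the original page, and not how Agilicus itself handles credentials, since it stores none), the following Python shows what “not in plain text” looks like for a local password table, using PBKDF2-HMAC-SHA256 from the standard library with a random per-user salt, a self-describing record format, constant-time comparison, and a check for records made with an outdated work factor. The PLAINTEXT_STORE table, the account name and the password in it are constructed for illustration. Argon2id or scrypt are preferable where a library is available; PBKDF2 is used here only because it needs no third-party dependency.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "sha256"
ITERATIONS = 600_000     # current OWASP guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16

# The anti-pattern the EPA item forbids: a table readable by anyone who reaches the file.
PLAINTEXT_STORE = {"operator": "Summer2024!"}      # constructed example; never do this


def hash_password(password, *, iterations=ITERATIONS):
    """Return a self-describing record: $pbkdf2-sha256$<iterations>$<salt>$<hash> (base64)."""
    salt = os.urandom(SALT_BYTES)                   # fresh random salt per credential
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-{}${}${}${}".format(
        ALGORITHM, iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def _parse(record):
    _, scheme, iterations, salt_b64, digest_b64 = record.split("$")
    if scheme != "pbkdf2-" + ALGORITHM:
        raise ValueError("unsupported record format")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt, expected = _parse(record)
    candidate = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, *, iterations=ITERATIONS):
    """True when a stored record was made with a weaker work factor than current policy."""
    stored_iterations, _, _ = _parse(record)
    return stored_iterations < iterations


if __name__ == "__main__":
    # Migrating the plaintext table: hash each entry once, then discard the plaintext.
    hashed_store = {user: hash_password(pw) for user, pw in PLAINTEXT_STORE.items()}
    print(hashed_store["operator"])
    print(verify_password("Summer2024!", hashed_store["operator"]))   # True
    print(verify_password("summer2024!", hashed_store["operator"]))   # False
```

Two details matter beyond the choice of algorithm: the salt must be random per record (two users with the same password get different hashes, so a cracked hash reveals only one account), and the iteration count is stored with the record so it can be raised over time, with needs_rehash() identifying entries to upgrade at the user’s next successful login.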
Part 3: Vulnerability Management
Exposed Ports and Services
What Does the EPA Say?
Eliminate unnecessary exposed ports and services on public-facing assets and regularly review.
Why Does This Matter?
Exposed ports and services increase the potential attack surface for threat actors. By minimizing these exposures, you decrease the opportunities for attackers to exploit vulnerabilities and gain unauthorized access.
Recommended Solution
Your organization should conduct regular reviews to identify and close unnecessary ports and disable unused services. Agilicus’ Zero Trust approach inherently minimizes exposure by eliminating the use of inbound ports. This proactive security strategy helps our customers maintain a robust defensive posture against potential threats and keep their facilities off the public internet.
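The script below is an added example, written for this page and not part of the original or of any Agilicus tooling, of the “regular review” step: it parses listening-socket output in the shape produced by the Linux ss -ltn command, ignores sockets bound only to loopback, and reports every network-reachable port that is not on an approved list, naming well-known OT and remote-control protocols explicitly. The sample output, the hypothetical gateway it describes and the APPROVED_PORTS policy are all constructed for the example; the port-to-protocol assignments are the standard ones.

```python
import re

# Constructed output in the shape of `ss -ltn` on a hypothetical OT gateway (not a real capture).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096       127.0.0.1:5432       0.0.0.0:*
LISTEN 0      128          0.0.0.0:502        0.0.0.0:*
LISTEN 0      128          0.0.0.0:5900       0.0.0.0:*
LISTEN 0      511             [::]:443           [::]:*
LISTEN 0      128            [::1]:8080          [::]:*
"""

# Hypothetical policy: only these ports may listen on a non-loopback address.
APPROVED_PORTS = {22, 443}

# Services that should never be reachable from outside the OT enclave (standard port numbers).
HIGH_RISK_PORTS = {
    502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 4840: "OPC UA",
    5900: "VNC", 3389: "RDP", 23: "Telnet",
}

LOOPBACK = {"127.0.0.1", "[::1]"}
# addr is everything before the last ':' of the local address column; port is the digits after it.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")


def parse_listeners(text):
    """Return (addr, port) tuples for LISTEN rows; the header and other rows are ignored."""
    listeners = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group("addr"), int(m.group("port"))))
    return listeners


def audit_listeners(listeners, approved=APPROVED_PORTS):
    """Flag every socket reachable from the network that is not on the approved list."""
    findings = []
    for addr, port in listeners:
        if addr in LOOPBACK or addr.startswith("127."):
            continue                       # local-only; not part of the exposed surface
        if port in approved:
            continue
        reason = HIGH_RISK_PORTS.get(port, "not on approved list")
        findings.append((port, addr, reason))
    return sorted(findings)


if __name__ == "__main__":
    for port, addr, reason in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT)):
        print("%5d  %-10s %s" % (port, addr, reason))
```

On the sample, the two findings are Modbus/TCP (502) and VNC (5900) listening on all interfaces; the PostgreSQL and web ports bound to loopback are not reported because nothing off the host can reach them. Reviewing from the host catches services that a perimeter scan misses while the firewall happens to block them, which is exactly the state that silently changes when a rule is relaxed for troubleshooting.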
Connections to the Public Internet
What Does the EPA Say?
Eliminate OT asset connections to the public internet unless explicitly required for operations.
Why Does This Matter?
Connections to the public internet can expose OT assets, which control critical infrastructure, to potential threats. Eliminating these connections helps safeguard your operations from potential cyberattacks.
Recommended Solution
Your organization should carefully evaluate and minimize OT asset connections to the public internet, making exceptions only when operationally necessary. Agilicus secures OT environments, mitigating unnecessary exposure to public internet threats. This protection has greatly reduced risk and ensured stable, secure operations.
Part 4: OT/IT Connections
Connections Between OT and IT Networks
What Does the EPA Say?
Require connections between the OT and IT networks to pass through an intermediary, such as a firewall, bastion host, jump box, or demilitarized zone, which is monitored and logged.
Why Does This Matter?
An intermediary ensures any connection between OT and IT networks is carefully controlled and monitored. This reduces the risk of threats spreading from one network to another.
Recommended Solution
You should never allow direct connections into the OT network. Instead, route every connection between the OT and IT networks through a secure intermediary at all times, and ensure these connections are closely monitored and logged. Agilicus supports such secure connections and monitoring. By closing all inbound ports and using outbound-only connections, Agilicus securely bridges OT and IT networks. Our customers maintain strong network security while enabling necessary cross-network communication.
Act Now with Agilicus!
In light of these EPA cybersecurity recommendations, it’s important to act decisively and ensure your public water system is protected. We know this can seem daunting, but with Agilicus, your operations can not only align with these guidelines but can also provide enhanced user experiences for both your staff and third-party vendors.
Agilicus’ robust Zero Trust Architecture offers you a secure, user-friendly alternative to traditional VPNs and perimeter-based access tools. Our platform empowers your organization to step up to the challenges of today’s cybersecurity landscape with confidence and efficiency.
Are you ready to fortify your operations and serve your community with confidence? Let our skilled and knowledgeable team help you on this journey. Discover how Agilicus can align your systems with the EPA’s cybersecurity recommendations, safeguarding your public water system and the community that relies on it.
Don’t wait until it’s too late. Get in touch with us today!