NIST researcher CheeYee Tang, with MITRE staff, have started a project to address the cybersecurity needs for water and wastewater utilities. Through development of a reference design and example solutions using commercially available products, the goal of the project is to provide the water and wastewater sector with practical and actionable guidance to implement cybersecurity measures that can safeguard their operations.
The NIST team is currently in the process of developing an adaptable, example solution demonstrating how to secure small and large water and wastewater utilities. Four technical capabilities will be demonstrated in this project: Remote access, Network segmentation, Asset management, and Data integrity. Industry partners on the project include: Association of State Drinking Water Administrators (Asdwa), Bedrock Systems, Cisco Systems, Cyber 2.0, Denver Water, Dragos, I&C Secure, Q-Net Security, Radiflow, Re-Wa, StrongDM, TDI Technologies, US ABB, West Yost, and WSSC
The U.S. water and wastewater systems sector has been undergoing a digital transformation. Many sector stakeholders are utilizing data-enabled capabilities to improve utility management, operations, and service delivery. The ongoing adoption of automation, sensors, data collection, network devices, and analytic software may also increase cybersecurity-related vulnerabilities and associated risks. The project will demonstrate an approach for securing the U.S. water and wastewater sector by using commercially available solutions.
The project is in the build phase and is currently being implemented at the National Cybersecurity Center of Excellence (NCCoE) located in Rockville, Maryland, USA. The lab contains a hybrid network environment that emulates water and wastewater sector environments and will be used to integrate with partners’ solutions.
The result will be documented in a series of freely available NIST publications to be released on a rolling basis. These publications will include a reference design and a detailed description of the practical steps needed to implement the solution based on the NIST Cybersecurity Framework and industry standards and best practices.