City of Raleigh implements ICS monitoring tool for water treatment plants

Asking small municipalities to defend themselves against nation-state adversaries is a tall order, but it all begins with the basics of cybersecurity — the “blocking and tackling” — Steve Worley, SCADA security manager for Raleigh, NC, tells CSO. That means network monitoring. Knowing what’s happening on your network is critical to responding to any undesired activity. However, operational technology (OT) network monitoring tools lag far behind traditional IT solutions, which aren’t a good fit for industrial control systems.

In addition to network monitoring, Worley wanted the ability to actively query programmable logic controllers (PLCs) at water treatment plants to discover any changes in programming logic — by an employee, a systems integrator, or a malicious third party.

City of Raleigh

Rather than develop a solution in-house, he chose to deploy the Indegy network monitoring tool. “We were looking to have more robust network monitoring for our network that spans across a large area of the county,” he tells CSO.

Worley considered developing a solution in-house using open source tools, but concluded that would be too time-consuming. The city published an RFP and considered their options. “We looked at all the major vendors in the realm of network monitoring of SCADA/ICS networks,” he tells CSO by email. “Indegy’s active monitoring of the PLCs and network was a major part of the decision to go with them.” 

The project has since won a CS050 award.

ICS monitoring provides greater visibility

After implementing the solution, Worley says he now has dramatically greater real-time visibility into what’s happening on his network, a step he says other water works around the country should consider taking. “People are hesitant because they fear it’s going to interfere with the operations or cause a PLC to malfunction,” he says. “But there are ways to do network monitoring and even a little bit of active monitoring safely and securely on OT networks.”

Safety has always been a priority when it comes to industrial control systems. Throw security into the mix, and the problem gets more challenging.

Protecting water treatment plants

While Worley is worried about nation-state activity on his network, he’s equally concerned about accidents, malfunctions, operator error, malicious insiders — even hurricanes. “In North Carolina we get some pretty severe weather events every once in a while,” he tells CSO. “We need to know when our equipment is up and running and when it’s not.”

The solution, Worley says, is network monitoring and timely patching. “The basics of cybersecurity you still need to do on the OT side,” he says. “People are scared to do it sometimes and maybe that’s a takeaway.”

“It’s complex. It’s hard to figure out how to patch your systems. It’s hard to figure out how to monitor your systems,” he adds. “Just because it’s a hard problem doesn’t mean you can’t move forward and improve your cybersecurity posture.”

Insider threats are also a concern. After the infamous Maroochydore, Queensland, incident in Australia when a disgruntled water works employee dumped millions of liters of raw sewage into local rivers, water treatment facilities have had to manage the risk of a privileged user abusing their trust to do something malicious.

Since the Indegy solution gives the City of Raleigh real-time, granular visibility into not only the network, but all the PLCs as well, Worley feels confident that such an attack would be discovered and stopped. The monitoring tools creates an audit trail of all changes, making it easy to trace back security incidents to their root cause.

As for nation-state adversaries? Worley says he’s yet to see evidence of such activity on his network. “It is something we keep an eye on,” he says. “One of the reasons we got this tool is to help monitor that better. The more you know about your network the more you can protect yourself.”