Water utilities are increasingly focused on building resilience to cybersecurity threats across their networks. The human-machine interface (HMI) is one of the most common routes through which hackers infiltrate SCADA systems. In the second part of our cybersecurity series, Xylem’s Steven Miller, Product Security Leader, and Radhika Upadrashta, Product Security Engineer, discuss best practices for HMI secure deployment and the steps network operators can take to reduce vulnerabilities.
At Xylem we believe that protecting the critical processes that provide clean drinking water, treat wastewater, report on water quality, and measure the consumption of water, gas and electricity requires a shared responsibility model – a partnership between technology developers and providers, integrators, asset owners, and all elements of the supply chain. Xylem’s responsibility is to design and build products that include security features. In turn, our customers' role is to understand their processes' inherent risks and take steps to operate and maintain their solutions securely.
The human-machine interface (HMI) is the most vulnerable element of an IT system. HMI refers to a dashboard or screen used to control or monitor machinery, either on-site or remotely. As the primary user interface for controlling equipment or a process, the HMI is among the most targeted aspects of the industrial control system (ICS) infrastructure. Unauthorized access to the HMI can cause havoc: operators can lose the ability to control a process; the breach can lead to asset damage and destruction; and in extreme cases, the incident can result in equipment-related injuries or even loss of life during maintenance.
The good news is that operators can take steps to secure the HMI and establish an approach that balances security with the functionality and responsiveness needed for efficient operation.
Layering up with the “security onion”
When designing a security procedure, we recommend a “security onion” approach. This involves thinking through the layers of the system to maximize security. No individual measure is undefeatable; creating security in layers – considering the physical environment, the network, the host and operating system, and finally, the application or HMI itself – is a prudent approach to maximize protection.
Let’s look at each of these layers individually:
Environment: Protecting physical access to the area where the HMI is located (the control room or manufacturing floor, for example) is critical. HMIs are always on, easily accessible and, in some circumstances, do not require any form of authentication. Even when password protected, HMIs are still relatively vulnerable. Limiting physical access minimizes the potential for malicious actions such as deploying rogue devices or moving cables.
Network protection: For HMIs with network capabilities, it is vital that additional network infrastructure is in place to protect the wider network. This includes the cabling of the HMI to the network, as well as measures like IP addressing, routers, switches, Wi-Fi network/access points, etc. Segmenting the network using firewalls is a common security measure.
A robust network access control (NAC) policy is recommended. A NAC system can identify new and previously unknown hosts and quarantine them from broader network access until approved by a network administrator. Having strong (and automated) network access protections significantly reduces the potential for rogue access. Encrypting network traffic can prevent eavesdropping, and virtual private networks (VPNs) leveraging MFA for remote connections into the network also reduce risk. Finally, using intrusion detection and prevention systems (IDS/IPS) to monitor network activity is another useful security measure.
Host and operating system protection: This refers to the operating system that is hosting the HMI as well as its hardware, interfaces, and drives. The ability to build protection into this layer will depend on whether the HMIs are installed on a purpose-built host – that is, a closed system that cannot be modified – or viewed from commodity (or off-the-shelf) hardware.
Ideally, the hosts should have a minimal attack surface: unnecessary ports (both physical and virtual), as well as unnecessary system services, must be disabled. Unused applications should be removed. Operating system security patches and anti-virus services should be kept up to date, and connections for remote HMIs should always be password protected.
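One way to check the "unnecessary ports and services" point on a Linux-based HMI host is to compare its listening sockets against an explicit allowlist. The script below is an added example, not Xylem code; the allowlist (HTTPS on tcp/443 only) and the sample `ss -H -tuln` output are constructed assumptions.

```python
import ipaddress

# Hypothetical allowlist for this HMI host: only the HMI's HTTPS interface.
ALLOWED = {("tcp", 443)}

# Constructed sample of `ss -H -tuln` output (not from a real system).
SAMPLE = """\
tcp   LISTEN 0      128          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:5900      0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      128             [::]:23           [::]:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
"""

def parse_listeners(text):
    """Yield (proto, address, port) for each socket line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or truncated lines
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets / scope id
        if port.isdigit():
            yield proto, addr, int(port)

def audit(text, allowed=ALLOWED):
    """Return (proto, port, exposure) for every listener not on the allowlist."""
    findings = []
    for proto, addr, port in parse_listeners(text):
        if (proto, port) in allowed:
            continue
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            loopback = False  # "*" or an interface name: treat as exposed
        exposure = "local-only" if loopback else "network-reachable"
        findings.append((proto, port, exposure))
    # Network-reachable listeners first: they are the ones to disable first.
    return sorted(findings, key=lambda f: (f[2] != "network-reachable", f[0], f[1]))

if __name__ == "__main__":
    for proto, port, exposure in audit(SAMPLE):
        print(f"unexpected listener {proto}/{port}: {exposure}")
```

On a real host, feed the function the captured output of `ss -H -tuln` and review each finding against the services the HMI actually needs.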
Application/HMI protection: Like the host or operating system, the ability to apply protection at the application layer will vary depending on security features incorporated by the HMI manufacturer. Use strong authentication and authorization policies, where appropriate. A user should only have the access credentials necessary and appropriate to their role. The HMI application should use encrypted communication to prevent eavesdropping and limit access to the operating system.
Cybersecurity is a cornerstone of building resilient networks. While cyber threats continue to evolve and expand, water utilities can take steps to reduce risk and protect their critical infrastructure – and they don’t need to go it alone.