The Cybersecurity and Infrastructure Security Agency (CISA) has announced a free (as in beer) service to pro-actively scan water and waterwater systems for vulnerabilities. Agilicus has participated in this scanning (against our infrastructure) for a year now, receiving weekly reports.
In their words:
The Cybersecurity and Infrastructure Security AgencyCISA’s Free Cyber Vulnerability Scanning for Water Utilities
(CISA) can help your drinking water and wastewater system identify and address vulnerabilities with a no cost vulnerability scanning service subscription. CISA, the Water Sector Coordinating Council, and the Association of State Drinking Water Administrators encourage drinking water and wastewater utilities to use this service
More information on how to get started, and some information on how to use the reports can be found in their datasheet: FREE CYBER VULNERABILITY SCANNING FOR WATER UTILITIES.
The key points:
- This is a public-endpoint scan
- Identifies public assets, endpoints
- Identifies vulnerabilities at the layer 3, 4, and some layer 7 level
- Identifies poor cryptographic practices
- trending of recommendation progress
- nothing to install
A public-endpoint scanner such as this one is a valuable part of an over all security program, helping to identify forgotten systems, inadvertent configuration errors or changes, etc. The ideal stance would be the report would show empty, nothing accessible, and, use a Zero Trust outbound-only product to facilitate identity-based access to specific systems as needed, in a domain-specific fashion (PLC, HMI, SCADA aware). Defense in Depth, Industrial Micro-Segmentation, IEC-62443 zones and conduits.
Waste Water Treatment Case Study
For more information see the case study on how the Agilicus AnyX platform allowed a municipal water treatment facility to safely, securely, simply, facilitate remote maintenance and management.