Case study: Securing the water supply
SESW supplies from 160 million to 220 million litres of water per day via an asset-rich infrastructure of reservoirs, pipes and pumping spread over an area of 835 square kilometres (322 square miles) in East Surrey and parts of West Sussex, West Kent and South London. Cock explains that the organisation has historically taken an investment approach of ‘let's go out and buy it, own it, and manage it,’ while keeping operational cost to a minimum.
But that approach is now being challenged by cloud rental models, and the organisation is being encouraged to take a total expenditure approach rather than a capital expenditure and operating expenditure approach, looking at the total cost of any expenditure over the life span of that investment.
Two big areas of concern are security and availability. Pushing some security controls out to a third party, or in the cloud, requires reassurance that the same level of security is achieved as when managed internally. The other big question is about availability.
Cock comments: “If you were starting from scratch, how much would you continue to do onsite and how much would you use cloud? Would you go out and buy an Exchange server, or use Office 365? We've been challenging our status quo. But there are still some interesting ongoing cases regarding the ownership and location of data. So the thought of putting CNI (critical national infrastructure) control data in the cloud is not even on the radar.”
Physical security is crucial, with assistance and guidance coming from the government through the CPNI (Centre for the Protection of National Infrastructure). But it is recognised that control systems are now as important as physical security - with appropriate network security and application security for all the various layers.
Cock notes: “We historically focussed more on our perimeter than our internal networks. You make sure your electronic face to the world is well protected. We are aware that internally there are still a number of security risks. Number one, it's all about a layered network security approach, so should the perimeter be breached in any way, you want to have a set of measures in place that will identify the perimeter has been breached, and for any inappropriate activity to be detected. Then there is always the internal threat, whether it's disgruntled employees or someone who has physically breached the external security.”
One of the approaches taken was to enhance network visibility and control. SESW approached its long-standing IT integration partner, BlueFort Security, which recommended ForeScout CounterACT, which works interoperably with McAfee.
The ForeScout system ‘picks up anything and everything that accesses the network, including anything untoward,’ and while Cock says it didn't pick up anything they were unaware of, he adds: “We were surprised about the ages of some of the operating systems. We picked up that we had several devices - print management tools, management sitting in a panel running an operating system, and some of the control systems for laboratory devices, that were running older operating systems. It was a surprise how many were in place and we've now put in a programme to resolve that. In some cases we cannot get rid of that bit of control hardware and operating system so we are looking at how we can remove it from the network, and limit the risk of having older machines on the network.
“And we have actually found some things that were unconnected that we thought would be quite useful if they were connected. We have a building management system, a totally separate network that allows us to see our heating, ventilation and air conditioning, which we recently upgraded. It then had the ability to email alerts, if say the air conditioning stopped working, it would email us.”
We scanned a piece of hardware prior to connecting it to the network and found that it had an early virus that had been in place over 10 years, but because it was physically isolated, it was never noticed. The surprise was that something potentially dangerous to the organisation had been there for so long.
“For all of those control systems we constantly have that debate about connected or not connected. There are clearly limitations on (air walls), in that if you want to see what is going on in that area then you need to have connectivity. So we currently have limited access to that SCADA information from the corporate network. Clearly it's a risk that we continue to manage and reassess.”