Protecting the water supply from cyberattacks was the subject of a recent White House initiative, and New Mexico’s largest water utility recently showed how it can be done. Working with Cisco, the utility replaced its legacy system and gained visibility and real-time alerts across its information and operational systems.
The Albuquerque-Bernalillo County Water Utility Authority has more than 650,000 users and operates a dual ground/surface water supply system with over 3,000 miles of piping.
Like many utilities and critical infrastructure, the county's water utility started to see the convergence of IT and OT. “Traditionally, those were air-gapped networks; they were maintained separate from IT,” the utility's CISO Kristen Sanders told SDxCentral. “When we started looking, we realized that the existing network equipment that we had was very antiquated” and without any fault tolerance.
To address its aging infrastructure, the utility partnered with Cisco to “do a complete forklift of that network infrastructure” for the surface-water plant, she said.
The utility deployed Cisco’s industrial Ethernet-switching systems to connect water sensors throughout its infrastructure. To segment the OT network, improve visibility, and isolate threats, it also deployed the vendor’s industrial security appliances, firewalls, and Cyber Vision products.
The upgrades are part of a larger shift to a zero-trust architecture, Sanders said. The utility has already enabled microsegmentation throughout its data centers and rolled out two-factor authentication on all applications.
“There's a big focus on prevention and making sure that we have that segmentation within the network,” she added. “Obviously, you don't want your OT side going out talking to the internet. That's a big no-no. So proper segmentation is huge.”
The county now plans to upgrade its wastewater facility as well, Sanders told SDxCentral.
Setting the Bar
The upgrades recently won the water utility a Safety & Security award from Smart City Expo World Congress.
“The work that we did with securing our critical infrastructure and adding visibility… definitely is a big focus right now for critical infrastructure,” Sanders said. “So I'm glad that we could partner with Cisco to lead the effort on that.”
Sanders hopes their experience can help other organizations trying to improve visibility and secure their networks.
The water system has to operate 24/7, and there are safety concerns associated with new security controls or patches that haven't been properly tested. So, the biggest challenge for water authorities is “the fact that you have to wait until you can have an outage at the plant, to sit there and start taking on equipment,” Sanders explained.
The replacement is methodical and takes a lot of teamwork, she added. “As long as you have the communication going on and have been really working together, you can get it done.”
Feds Push Cybersecurity for Water Systems
Last year, at least two incidents highlighted the importance of building a stronger cyberdefense for water systems.
Hackers gained access to a Florida water treatment facility last February and tried to poison the water supply. And late last spring, another hacker made a similar attempt on a water treatment plant in the San Francisco Bay Area.
To better protect public water systems, the Biden administration announced the extension of the Industrial Control Systems Cybersecurity Initiative to the water sector last month.
The voluntary initiative outlines surge actions that take place over the next three months. Similar to the action plans for other critical infrastructure, federal agencies will help water authorities to deploy system-monitoring technology that provides near-real-time alerts, and the plan also allows for cyber-information sharing with the government and other stakeholders.
The federal government also proposed more investment in the water sector. Especially with the infrastructure bill, Sanders hopes facilities “will start having money for cybersecurity.”
“I would love to see that, for these different utilities, to have full visibility into their network,” she said.