
Tales From the Road: Establishing a Common Language Using NIST

Getting a wastewater utility’s OT and IT departments on the same page to address vulnerabilities they didn’t know they had.

Wastewater utilities are among the most targeted industries for cyber attacks, and the implications can be devastating: operational interruptions or shutdowns could directly affect public health.

The Environmental Protection Agency (EPA) does not currently have technical cybersecurity requirements for wastewater treatment plants. However, the recently released Water System Cyber Assessment Tool (WSCAT) includes a list of approximately 30 questions covering both IT and OT systems, based on the Department of Homeland Security (DHS) Core Performance Goals.

To assist utilities in securing their connected infrastructure, the National Institute of Standards and Technology (NIST) has developed several cybersecurity guidelines. These include the Cybersecurity Framework 2.0, SP 800-53, and SP 800-82, which provide frameworks and best practices for cybersecurity planning and management.

Conducting a NIST SP 800-82 Assessment

The NIST SP 800-82 Rev 3 Guide to Operational Technology Security was created by the Federal Government as an overlay for NIST SP 800-53 Rev 5 Security and Privacy Controls for Information Systems and Organizations. 

800-53 focuses on IT, and 800-82 takes the controls from 800-53 and tailors the requirements specifically for OT systems. Both NIST 800-53 and 800-82 support baseline controls for low-, moderate- and high-impact systems.

Our consultants recently worked with a wastewater facility to get these standards off the ground as there had been several “false starts” that left the organization unprepared for a cybersecurity incident. NIST SP 800-82 focuses on process control systems, allowing us to see how people, processes, and technologies interact within the utility.

Many organizations follow the NIST Cybersecurity Framework (CSF) to manage cybersecurity risks, though it primarily focuses on IT systems. Our client, seeking to outperform other water and wastewater utilities in securing its OT environment, chose to adhere to the NIST 800-82 guidelines. The assessment was led by the IT department, which faced challenges due to new staff members unfamiliar with the OT environment and its terminology. The IT team selected the 800-82 assessment because of its alignment with NIST 800-53, a framework they were already familiar with.

We executed this NIST 800-82 assessment in three phases:

  1. Information gathering and documentation review
  2. Conducting interviews using specific questions to gauge cybersecurity maturity
  3. Reporting findings and recommending mitigation strategies

What we uncovered were significant disconnects between IT and OT, specifically in the understanding and use of different process control systems, so our primary goal was getting the departments on the same page.

Getting IT and OT to Speak the Same Language

During the information gathering and documentation review phase, we found a glaring vulnerability – or rather, three of them. 

We leveraged the utility’s IT department to conduct an assessment of the OT department, during which we found three different process control (SCADA) systems despite IT being under the impression that there was only one.

These three systems were being independently managed and maintained by three different groups. Because we consider a SCADA system to be a critical function, operating any of them without proper security controls exposes the environment to significant vulnerabilities.

One of those surprise SCADA systems was controlling unit areas of the facilities, and the other controlled numerous field devices that employees were accessing via their cell phones, adding another layer of vulnerability to the situation. 

This assessment acted as something of a training exercise for IT to better understand the operational technology side of the facility and “speak the language” to know how each SCADA system is being used, and what it is being used for. 

With this new understanding, the next step was developing a roadmap that would lay out the language around process control system functionality for all three SCADA systems, and a list of priorities for secure management and maintenance of those systems.

The Importance of Documentation

We often find during these assessments that even if companies have cybersecurity maturity, they’re lacking proper documentation. 

As with any utility or business, documentation ensures that if, for example, the head of IT suddenly stops showing up to work, someone else at the company can follow instructions to perform that role in the interim.

With no clearly defined response, recovery, and remediation plan, lacking or poor documentation puts a company in greater peril in the face of a cyber attack. During the interview phase of our NIST 800-82 assessment, we observed disjointed and inconsistent documentation with varying degrees of maturity. Crucially, there was no documentation for management or monitoring of the OT process control systems.

The baseline for must-have documentation includes:

  • Business Impact Analysis: This document identifies critical assets and primary threats to an organization, whether it be a supply chain interruption, proximity threat, cyber attack or natural disaster. Understanding what impact different incidents would have and what the recovery sequence would look like is crucial for preparedness. Organizations should know the maximum allowable downtime and how to respond to get the utility back online as soon as possible.
  • Risk Assessment: This document lays out how often each threat is likely to happen. For example, an earthquake may be far less likely to occur than a cyber attack depending on where the business is located. Risk is measured by combining impact and likelihood, and more resources should be allocated to mitigate risks that exceed the organization’s risk appetite.
  • Business Continuity Plan: This document dictates the steps to bring the business back online during the incident with alternative business processes. Who is responsible for what actions? Which part of the business should be prioritized to bring back first?
  • Disaster Recovery Plan: This document is specific to IT and OT as it identifies who is responsible for bringing the utility technologies back online, and restoring internet and wireless connectivity. 
  • RACI Chart: Specifies those Responsible, Accountable, Consulted, and Informed during an incident. RACI charts ensure everyone knows who is involved and to what degree, so no overlap, confusion, or miscommunication can cause greater damage in the response and recovery processes.

We walked our client through this documentation with an overarching recommendation to create a System Security Program (SSP) that would detail the entire process outlined above.
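As an added illustration, not code from the original article or from the utility it describes, the following Python register encodes the documents listed above: BIA fields (impact and maximum allowable downtime), a risk assessment that scores impact times likelihood and compares it against a risk appetite, a recovery sequence ordered by allowable downtime, and a RACI sanity check. The assets, threats, ordinal scales, role names and the appetite value are all constructed assumptions for the example; a real register would use the organization's own definitions.

```python
from dataclasses import dataclass

# Ordinal scales (an assumption for this example; a real register would use
# the organization's own impact and likelihood definitions).
IMPACT = {"low": 1, "moderate": 2, "high": 3}
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}


@dataclass
class Asset:
    """One entry of the Business Impact Analysis plus its RACI assignments."""
    name: str
    impact: str               # consequence if the asset is unavailable
    max_downtime_hours: int   # maximum allowable downtime from the BIA
    raci: dict                # role -> "R", "A", "C" or "I"


@dataclass
class Threat:
    """One entry of the Risk Assessment: how likely a threat is for this site."""
    name: str
    likelihood: str


def risk_score(asset: Asset, threat: Threat) -> int:
    """Risk = impact x likelihood on the ordinal scales above."""
    return IMPACT[asset.impact] * LIKELIHOOD[threat.likelihood]


def risks_over_appetite(assets, threats, appetite):
    """Asset/threat pairs scoring above the risk appetite, highest first.

    These are the risks that should receive mitigation resources.
    sorted() is stable, so equal scores keep their register order."""
    over = [(a.name, t.name, risk_score(a, t))
            for a in assets for t in threats
            if risk_score(a, t) > appetite]
    return sorted(over, key=lambda r: r[2], reverse=True)


def recovery_sequence(assets):
    """Recovery order for the Business Continuity / Disaster Recovery plans:
    the asset with the shortest allowable downtime comes back first."""
    return [a.name for a in sorted(assets, key=lambda a: a.max_downtime_hours)]


def raci_problems(assets):
    """Flag RACI rows that would cause confusion during a response: every
    asset needs exactly one Accountable role and at least one Responsible."""
    problems = []
    for a in assets:
        codes = list(a.raci.values())
        if codes.count("A") != 1:
            problems.append((a.name, "no single Accountable role"))
        if "R" not in codes:
            problems.append((a.name, "nobody Responsible"))
    return problems


# Constructed sample register: three separately managed SCADA systems, as in
# the assessment above, plus one IT asset. Names and values are illustrative.
ASSETS = [
    Asset("Plant process control SCADA", "high", 4,
          {"OT manager": "A", "Control engineer": "R",
           "IT security": "C", "Plant director": "I"}),
    Asset("Unit-area SCADA", "moderate", 24,
          {"OT manager": "A", "Unit supervisor": "R", "IT security": "C"}),
    Asset("Field-device SCADA (mobile access)", "high", 8,
          {"OT manager": "R", "IT security": "R"}),   # nobody Accountable
    Asset("Corporate email", "low", 72,
          {"IT manager": "A", "Helpdesk": "R", "IT security": "C"}),
]
THREATS = [
    Threat("Cyber attack", "likely"),
    Threat("Supply chain interruption", "possible"),
    Threat("Earthquake", "rare"),
]
RISK_APPETITE = 4   # scores above this exceed what the organization accepts


if __name__ == "__main__":
    print("Risks above appetite:")
    for asset, threat, score in risks_over_appetite(ASSETS, THREATS, RISK_APPETITE):
        print(f"  {score}  {asset} / {threat}")
    print("Recovery sequence:", " -> ".join(recovery_sequence(ASSETS)))
    print("RACI problems:", raci_problems(ASSETS))
```

Running the script shows why the register is worth keeping in one place: the two high-impact SCADA systems paired with the likely cyber attack threat float to the top of the mitigation list, the recovery sequence falls out of the downtime values rather than out of whoever shouts loudest during an incident, and the field-device system with mobile access is flagged because no one is Accountable for it, the kind of gap the assessment found in practice.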

Always Do Something – Preferably the Harder Thing

While we almost always uncover gaps and vulnerabilities during these types of security assessments, we would also be remiss not to acknowledge the big “win” here, which is conducting a NIST 800-82 assessment in the first place. 

As mentioned, there are no IT or OT compliance requirements for wastewater utilities at the federal level, and although many of these organizations follow the NIST Cybersecurity Framework, it is far less demanding than NIST 800-82- and NIST 800-53-based assessments.

Making the effort to hire an MSSP to conduct a NIST 800-82 assessment is commendable, and it delivers that much more security in the face of growing cyber attacks.

We recommend always doing something to be more secure, but it is better to do the harder thing. Our client was rightfully pleased to choose a demanding standard and go above and beyond to meet the guidelines and better protect itself from a cyber attack.

The reality is that any industry is at risk of a cyber attack, and some industries, like wastewater utilities, are at even greater risk. Doing the bare minimum isn't nothing, but as threat actors launch more sophisticated and damaging attacks against utilities, the bare minimum may start to look like nothing.

With reputations on the line, companies are wise to choose the hard standard and make the effort to meet it. After all, there’s no requirement to go to the doctor, but you do it to be healthier and to know if there is anything wrong. Guessing at a problem or hoping it just goes away on its own is often fruitless – and the same is true for cybersecurity. 

This client chose us for the assessment due to our Connected Systems team’s extensive experience, including former employees from water/wastewater and electrical power utilities who understand the requirements of NIST 800-53 and 800-82. We bridge these standards with practical, real-world solutions. Our expertise in supporting both IT and OT departments at utilities ensures seamless collaboration and enhances cybersecurity across all systems.

Contact Us Today!

If your organization is looking for MSSP services, or if you want a routine security assessment, we’re ready to help. Visit directdefense.com or call 1 888 720 4633.
