It’s a big job, but somebody must clean Silicon Valley’s wastewater—and protect its crucial operations and the region’s economic engine. This task falls to the San José-Santa Clara Regional Wastewater Facility, which operates the largest advanced treatment facility on the West Coast and processes an average of 110 million gallons of wastewater per day (mgd), with a capacity of up to 167 mgd.
Because the region is a prime target for cyber-attacks, the city’s leadership knew it needed to keep updating the plant’s cybersecurity, and recently enlisted ABB to modernize its wastewater system, implement a cybersecurity infrastructure, deploy required security controls, apply more than 2,000 security patches, conduct a cybersecurity assessment, and do it all in five days.
Consequently, during one business week, ABB revamped San José-Santa Clara’s legacy DCI controllers with its HPC 800 Symphony Plus controllers, installed ABB Ability Cyber Security software, and customized the plant’s cybersecurity to protect it from malware and other cyber-threats. To build a strong security foundation, the plant implemented ABB Ability’s:
- Cybersecurity Updates to ensure the automated deployment of validated Microsoft security updates to system nodes.
- Cyber-Malware Protection to enable automated deployment of validated McAfee updates to the nodes.
- Cybersecurity Backup & Restore to provide a commercial backup solution configured to safely take backups from the DCS system.
- Cybersecurity Fingerprint to get a report of the current cybersecurity posture of the system, detect any gaps in the protection, and have a baseline for future reference.
The wastewater facility adds that a cyber-attack could lead to significant downtime, which could result in wastewater polluting the local environment. However, with its new controls in place, the city is confident that the plant has sufficient cybersecurity to continue producing clear water and protecting public health. “By implementing solutions to improve efficiency at the wastewater treatment facility, ABB has enabled us to protect the environment, public health and safety of our citizens,” says Jerry Au, network engineer at City of San José Wastewater.
Pillars of protection
Robert Putman, global manager of cybersecurity products and services in ABB Group’s Process Automation business area and Energy division, adds that ABB defines two cybersecurity macrosegments. The first is security for its System 800xA distributed control system (DCS) and other products: making sure their software, connectivity and reference architecture have enough cybersecurity to make their environment defensible. Once this is achieved, the second macrosegment is seeking out and adding whatever additional cybersecurity software or mechanisms users need that weren’t baked in earlier.
“Commercial cybersecurity has three procedural pillars,” says Putman. “The first is identifying and assessing risks, and deploying antivirus and whitelisting capabilities; adding backup and restore software such as Quest, Acronis and Veeam; and performing orchestration of patch updates for HMIs and engineering workstations. We can do all three with ABB Cybersecurity Workplace (CSWP), Version 2.0, that was released earlier this year.”
ABB is also working with Nozomi Networks and Forescout to develop advanced asset inventory software to help users prepare for their cybersecurity programs. This package takes network host information and combines it with node-level detail collected from the DCS system itself. The combined network and DCS node details are then summarized in the CSWP 2.0 web-based frontend.
“This approach enables the user to view node-level details and scale up to a fleetwide summary,” explains Putman. “For example, one chemical manufacturer has 135 System 800xAs in one location distributed across 2.5 square miles with approximately 2,400 nodes, so when an antivirus event fires, they need to know ‘where’ details of this event and coordinate a response. We can deliver this monitoring and automate patch updates, so operators don’t have to deploy them manually, node by node.”
Putman reports the second cybersecurity pillar is maintenance and service, and the challenge of having the internal staff with the capacity and expertise to do it, or contracting with ABB or a similar provider. “The patch update service enables operators to orchestrate validated updates securely downloaded from a remote repository or uploaded to a local directory,” says Putman. “How the validated patch is made available depends on the customer’s policy on remote connectivity.”
The third pillar is operations and data, and securing them as operations technology (OT) and information technology (IT) converge. “This is our highest potential growth area with IT coming into OT environments,” adds Putman. “The automation environment is largely deterministic, and can be characterized by ‘what must always work’ and ‘what must never happen.’ Passive network analysis provides good information, and is easy to implement, but falls short of providing actionable, deterministic detail needed to prioritize and mitigate process disruption. We can do better with the combined approach of automation system event analysis and passive network insights. The goal is to provide a far lower rate of false positive events and prescriptive process run books to accelerate response.”
To help users track events like setpoint changes and log activity more effectively—and ask more useful questions—Putman explains they must be able to look at multiple sides of process disruptions, including component failure, cybersecurity and safety. As a result, ABB has launched its ABB Ability Cybersecurity Event Monitoring service, which collects data from automation system environments and surfaces events that may lead to process disruption.