It's a big job, but somebody must clean Silicon Valley's wastewater, and protect its crucial operations and the region's economic engine. This task falls to the San José-Santa Clara Regional Wastewater Facility, which operates the largest advanced treatment facility on the West Coast and processes an average of 110 million gallons of wastewater per day (mgd), with a capacity of up to 167 mgd.
Because the region is a prime target for cyber-attacks, the city's leadership knew it needed to keep updating the plant's cybersecurity, and recently enlisted ABB to modernize its wastewater system, implement a cybersecurity infrastructure, deploy required security controls, apply more than 2,000 security patches, conduct a cybersecurity assessment, and do it all in five days.
Consequently, during one business week, ABB revamped San José-Santa Clara's legacy DCI controllers with its HPC 800 Symphony Plus controllers, installed ABB Ability Cyber Security software, and customized the plant's cybersecurity to protect it from malware and other cyber-threats. To build a strong security foundation, the plant implemented ABB Ability's:
- Cybersecurity Updates to ensure the automated deployment of validated Microsoft security updates to system nodes.
- Cyber-Malware Protection to enable automated deployment of validated McAfee updates to the nodes.
- Cybersecurity Backup & Restore to provide a commercial backup solution configured to safely take backups from the DCS.
- Cybersecurity Fingerprint to get a report of the current cybersecurity posture of the system, detect any gaps in the protection, and have a baseline for future reference.
The wastewater facility notes that a cyber-attack could lead to significant downtime, which could result in wastewater polluting the local environment. However, the city is confident that its new cybersecurity controls are sufficient for the plant to continue producing clear water and protecting public health. "By implementing solutions to improve efficiency at the wastewater treatment facility, ABB has enabled us to protect the environment, public health and safety of our citizens," says Jerry Au, network engineer at City of San José Wastewater.
Pillars of protection
Robert Putman, global manager of cybersecurity products and services in ABB Group's Process Automation business area and Energy division, explains that ABB defines two cybersecurity macrosegments. The first is security for its System 800xA distributed control system (DCS) and other products, which means making sure their software, connectivity and reference architecture have enough cybersecurity to make their environment defensible. Once this is achieved, the second macrosegment is seeking out and adding whatever additional cybersecurity software or mechanisms users need that weren't baked in earlier.
"Commercial cybersecurity has three procedural pillars," says Putman. "The first is identifying and assessing risks, and deploying antivirus and whitelisting capabilities; adding backup and restore software such as Quest, Acronis and Veeam; and performing orchestration of patch updates for HMIs and engineering workstations. We can do all three with ABB Cybersecurity Workplace (CSWP), Version 2.0, that was released earlier this year."
ABB is also working with Nozomi Networks and Forescout to develop advanced asset inventory software to help users prepare for their cybersecurity programs. This package combines network host information with node-level detail collected from the DCS itself. The combined network and DCS node details are then summarized in the CSWP 2.0 web-based frontend.
"This approach enables the user to view node-level details and scale up to a fleetwide summary," explains Putman. "For example, one chemical manufacturer has 135 System 800xAs in one location distributed across 2.5 square miles with approximately 2,400 nodes, so when an antivirus event fires, they need to know 'where' details of this event and coordinate a response. We can deliver this monitoring and automate patch updates, so operators don't have to deploy them manually, node by node."
Putman reports the second cybersecurity pillar is maintenance and service, and the challenge of having the internal staff with the capacity and expertise to do it, or contracting with ABB or a similar provider. "The patch update service enables operators to orchestrate validated updates securely downloaded from a remote repository or uploaded to a local directory," says Putman. "How the validated patch is made available depends on the customer's policy on remote connectivity."
The third pillar is operations and data, and securing them as operations technology (OT) and information technology (IT) converge. "This is our highest potential growth area with IT coming into OT environments," adds Putman. "The automation environment is largely deterministic, and can be characterized by 'what must always work' and 'what must never happen.' Passive network analysis provides good information, and is easy to implement, but falls short of providing actionable, deterministic detail needed to prioritize and mitigate process disruption. We can do better with the combined approach of automation system event analysis and passive network insights. The goal is to provide a far lower rate of false positive events and prescriptive process run books to accelerate response."
To help users track events like setpoint changes and log activity more effectively, and ask more useful questions, Putman explains they must be able to look at multiple sides of process disruptions, including component failure, cybersecurity and safety. As a result, ABB has launched its ABB Ability Cybersecurity Event Monitoring service, which collects data from automation system environments and surfaces events that may lead to process disruption.