Unauthorized access control in water utility computer networks

Authors

  • Ioan Florin VOICU, ING Hubs, Bucharest, Romania
  • Dragos Cristian DIACONU, Bucharest University of Economic Studies, Bucharest, Romania
  • Daniel Constantin DIACONU, University of Bucharest, Bucharest, Romania

Keywords:

Pen Testing, OPNSense, VPN, water management

Abstract

Virtual tampering in water utility systems can lead to highly dangerous real-world situations such as shortages and permanent damage to infrastructure. While cybersecurity guidelines do exist for Romanian companies like Apa Nova, they are inadequate for protecting the water supply chain. Evaluating the potential vulnerabilities of such systems and presenting open-source methods to improve them is critical for the cybersecurity sustainability of utility services. Building on previous research regarding network cybersecurity, Kali Linux was used as a penetration testing platform in conjunction with an OPNSense-based network configuration. Initially the test included just the Apa Nova-mandated security settings (focusing on ransomware and database access protection), after which additional protective layers were added. The first extra layer was VLAN network segmentation, in compliance with the Environmental Protection Agency's (EPA) America's Water Infrastructure Act (AWIA) guidelines. Afterwards, additional settings were added: Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS); employee access only via Virtual Private Network (VPN); and Medium Access Control (MAC) address filtering for all employee Wi-Fi devices. A monitoring solution in OPNSense was also implemented, in order to be informed of any suspicious activity on the network. In conjunction with this, a patching strategy was created to minimize downtime while ensuring the system is kept up to date. This is facilitated by the open-source nature of OPNSense, which does not need costly license upgrades to remain secure. The results showed that while protection against ransomware/viruses is important and relatively easy to implement, testing confirmed the findings of previous articles that malicious internal actors are an even greater threat than viruses. This requires constant protection and monitoring against privilege misuse, even by authorized personnel.
A wider view is offered on how easy it is to gain access to current systems, and several off-the-shelf open-source software solutions are highlighted that can prevent water utility shutdown or misuse by malicious actors.

Published

2024-07-16