Campbell Hayden
Managing Consultant, CNI & OT Cyber Security, Aberdeen, UK, +44 1224 26 4302
Our client, a major water company, engaged AtkinsRéalis to help it implement the requirements of the Network and Information Systems Regulations (NIS-R). A key part of this work is maintaining a detailed and up-to-date picture of the assets on operational sites so that anomalies can be detected, for example changes to and cyber-attacks on these assets, including attacks that exploit vulnerabilities specific to the Operational Technology (OT) used for water treatment.
The challenge
The dynamic and aggressive marketplace for anomalous detection products is relatively immature and changing quickly, with new players developing and others being acquired by larger companies. Understanding the long-term plans of the product vendors is therefore a key element in product selection. The immaturity of the space also means that there are no recognised benchmarks for these products.
In addition to the core requirements around asset management and anomaly detection, these products typically provide additional features relating to vulnerability management and details of the communications in the environment. These are also valuable in demonstrating that the organisation meets the requirements of NIS-R, so they need to be given some weighting in the evaluation.
The time available for the evaluation was limited and coordinating the vendors, site staff and AtkinsRéalis’ subject matter experts (SMEs) required some effort.
Our client is now reaping the benefit of increased visibility of its critical assets and receiving alerts in real-time when suspicious behaviour within its OT environment is detected. This goes some way to help reduce the risk of an interruption to the supply of water caused by a cyber security incident and helps meet the client’s obligations to the NIS Regulations.
Campbell Hayden
Managing Consultant (CNI and OT Cyber Security)
The solution
We were engaged to carry out the following activities in support of this work:
- Generate functional and non-functional requirements for an OT anomalous detection product
- Conduct a market survey of suitable products
- Develop a process to evaluate the identified products, reducing to a list of three to be tested against the functional and non-functional requirements
- Develop and execute a test process to evaluate the chosen products in a live operational environment, to identify the preferred product
- Assist with the procurement of the preferred product
- Manage the implementation of the chosen product at the client’s most critical sites, integrating it with enterprise-wide security and configuration management systems
- Embed the use and maintenance of the solution into the client’s ‘business as usual’ teams.
The AtkinsRéalis team has significant experience with products of this type and this, coupled with searches of publicly available sources, allowed us to identify a list of eight potential vendors. Each was invited to complete a pre-qualification questionnaire (PQQ) developed specifically around the client’s requirements. The completed PQQs were scored, and the three highest scoring vendors were invited to take part in the live production environment testing.
A detailed test specification containing functional and non-functional requirements was developed, with each of the three selected vendors attending site and submitting their product for test. In some areas where the product lacked the required functionality (e.g., configuration management database integration) the vendors were asked to commit to providing the required functionality, should their product be selected. The three products were then tested in the live production environment and scored against the test specification. On this basis a preferred product was selected and commercial negotiations were entered into between the client and the product vendor.
A programme was then developed to survey the target sites and make the required changes to the network infrastructure to accommodate the solution. Following this, the rollout across all critical water treatment sites was managed by AtkinsRéalis, resulting in a successful implementation of the solution to all of the client’s critical water treatment sites, together with integration into the client’s enterprise-wide security information and event management (SIEM) and configuration management database systems.
AtkinsRéalis has developed a deep agnostic understanding of products on the marketplace and has now assisted multiple CNI operators to select, test and implement the best fit OT anomalous detection solution for their environment.
Campbell Hayden
Managing Consultant (CNI and OT Cyber Security)
The result
AtkinsRéalis’ experience in selecting and deploying solutions of this type into an OT environment was key to the success of the project. Leading all stages of the project, we ensured that key steps, including stakeholder engagement and integration with the wider business, were given proper emphasis. This has allowed the client to quickly reap the full value of its investment, and map the benefits to the requirements of NIS-R.
The solution has provided all the intended benefits and the client now has an up-to-date picture of the assets on each site. For each asset this picture includes IP address and host name, operating system or firmware version, model, serial numbers, and protocols used. For the Programmable Logic Controllers (PLCs) further detail is provided, including details for each card in the PLC chassis and the status of the physical key switch on the PLC. This detailed asset picture is forwarded on to the client’s CMDB system, making it accessible to a wide corporate audience which does not have other visibility of site systems.
Assets added to the network are rapidly detected, including maintenance laptops. This allows for the traceability and auditing of site activities and enables the detection of devices connected to the network for nefarious reasons. The solution’s ability to understand OT protocols, including the protocols used for PLC programming, permits a detailed record of the changes to PLCs to be captured, including who made the changes. Some common configuration errors (such as not changing passwords from the manufacturer default setting) are also detected.
The selected solution ‘learns’ the normal pattern of network traffic and creates a viewable (and editable) rule set. This details which devices talk to which other devices and how they talk. After a period (which can be determined automatically or manually) the solution can be switched into operational mode, after which any traffic which does not conform to the rule set is alerted on. The product also contains a set of rules which detects known bad traffic and thus functions as a traditional Intrusion Detection System (IDS). This rule set is updated by the vendor but can also be augmented by rules developed by or provided to the client.
The detailed picture of communications delivered by the product also addresses some of the requirements of NIS-R, and provides a good understanding of the way that devices on site talk to each other and with servers in the corporate network. Inherently insecure protocols such as FTP and older versions of SMB are also flagged up.
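The learn-then-enforce behaviour described above can be sketched as follows. This is an added illustration, not the selected product's code or rule format; the host names, protocol labels and the `CommsBaseline` class are constructed for the example.

```python
from collections import namedtuple

# Constructed flow record: who talks to whom, and how.
Flow = namedtuple("Flow", "src dst proto")

# Flagged whenever seen, even while learning (the page names FTP and older SMB;
# the "smbv1" label is an assumption of this example).
INSECURE_PROTOCOLS = {"ftp", "smbv1"}


class CommsBaseline:
    """Allow-list of (src, dst, proto) flows learned from observed traffic."""

    def __init__(self):
        self.rules = set()      # viewable, editable rule set
        self.assets = set()     # hosts seen during learning
        self.learning = True

    def remove_rule(self, flow):
        """Analyst edit: drop a learned flow that should not be allowed."""
        self.rules.discard(flow)

    def observe(self, flow):
        """Process one flow and return a list of (alert_type, detail) tuples."""
        alerts = []
        if flow.proto in INSECURE_PROTOCOLS:
            alerts.append(("insecure_protocol", flow))
        if self.learning:
            # Learning mode accepts whatever it sees, good or bad.
            self.rules.add(flow)
            self.assets.update((flow.src, flow.dst))
            return alerts
        for host in (flow.src, flow.dst):
            if host not in self.assets:
                alerts.append(("new_asset", host))
                self.assets.add(host)   # report each new host once
        if flow not in self.rules:
            alerts.append(("baseline_violation", flow))
        return alerts


def run_demo():
    """Learn from constructed traffic, switch mode, return both alert lists."""
    baseline = CommsBaseline()
    learned = [
        Flow("hmi-01", "plc-01", "modbus"),
        Flow("historian", "plc-01", "modbus"),
        Flow("eng-ws", "historian", "ftp"),   # insecure, but still learned
    ]
    learning_alerts = [a for f in learned for a in baseline.observe(f)]
    baseline.remove_rule(Flow("eng-ws", "historian", "ftp"))  # reviewed, rejected
    baseline.learning = False                 # switch to operational mode
    live = [
        Flow("hmi-01", "plc-01", "modbus"),     # conforms to the rule set
        Flow("laptop-77", "plc-01", "s7comm"),  # unknown host, unlearned flow
        Flow("eng-ws", "historian", "ftp"),     # rule was removed by analyst
    ]
    live_alerts = [a for f in live for a in baseline.observe(f)]
    return learning_alerts, live_alerts


if __name__ == "__main__":
    for phase, alerts in zip(("learning", "operational"), run_demo()):
        print(phase, alerts)
```

Because learning mode records whatever traffic is present, the rule set should be reviewed before the switch to operational mode; the sketch models that review with `remove_rule`.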
Understanding operating system and firmware versions allows the product to map many of the vulnerabilities that exist at each site. In the event of a malware outbreak, in the client’s network or in the world at large, this kind of information allows for a rapid assessment of the vulnerability of the client’s assets to that attack.
All alerts generated by the solution are sent to the client’s SIEM. The alerts include changes to the configuration of the site systems or the way that devices are communicating, as well as alerts relating to suspected malicious traffic. The alerts can be fairly easily categorised into low priority items relating to routine system changes, which are detailed in reports generated by the SIEM, through to high priority alerts requiring immediate investigation.