As the primary provider of water and wastewater services to more than 60 cities throughout Texas, the Trinity River Authority must ensure that its services are always available and running smoothly. Since its inception in 1955, it has worked to maintain availability and efficiency, even as demands, technologies, projects and potential threats have changed.
In the past several years, the Authority has made significant upgrades to both its enterprise network, which handles the business side of the organization, and its industrial control system (ICS) networks, which run in each individual water plant. Enterprise network upgrades have included moving to a more virtualized infrastructure, reducing the server footprint and adopting more hosted, cloud-based solutions. To help improve security, the enterprise network now uses an endpoint detection and response platform, consumed as a service, as part of its cybersecurity approach.
For the industrial control network, the Authority started with its largest water plant, implementing the Dragos Platform for network mapping and asset identification, as well as traffic monitoring and alerting. The goal, said Trinity River Authority CIO Doug Short, was to ensure that anything unusual on the network, whether a misconfiguration or malware, would be flagged so the IT team could fix it.
Over the past four years, the system has done its job well. At the same time, leadership at Trinity River Authority believed the plants should have even more protection to defend against growing cyberthreats.
“We had accomplished our goal of segregating our industrial control system network from our business network and the internet. While that gave us a certain level of security, we knew it wouldn’t protect us from all threats and hazards,” Short said. The biggest problem was a lack of visibility into the ICS network, which meant his team couldn’t see changes in traffic or incidents. The system also lacked effective threat intelligence on current threats, and an efficient way to deal with issues such as insider threats.
Neighborhood Watch Cybersecurity Approach
The IT team communicated its concerns to Dragos, which, over time, incorporated the Dragos Platform into a new managed services offering specifically for industrial control systems. The service, called Neighborhood Watch, gives the Authority access to ICS analysts, who essentially act as eyes and ears on the network, ready to provide threat hunting and detection.
With this service, the Dragos team looks for anomalous network traffic on the plant’s control system network, including indicators of compromise and evidence of activity (threat behaviors) associated with known cyber threat activity groups. If something comes up, which Short says happens a few times a month, the Dragos team investigates further. If an actual malicious incident occurs, the Dragos team provides expertise along with playbooks for specific attacks and a checklist of what to do when the Authority IT team reaches the site.
While the system has not detected any malicious activity yet, it provides significant peace of mind to the Authority team in other ways. It has, for example, identified misconfigurations in some network-connected devices, which have since been corrected. The system has also vastly improved physical network asset tracking in general, replacing a manual spreadsheet with a more accurate, automated inventory that alerts if anything new is added to the network.
The fact that Neighborhood Watch keeps a constant eye on the system onsite was important to Short, who said his entire IT staff of 18 is stretched very thin. “I don’t have to dedicate somebody specifically to the ICS network. Instead, I can have them working the larger attack surface on our business network, which is connected to the internet 24/7,” he said. “Then, if Dragos identifies an incident, I can dispatch my team to respond to it.”
That’s especially important, considering the large geography the Trinity River Authority covers. The Authority serves 25 counties spanning about 18,000 square miles and provides services to 60 contracted parties. Because it covers so much land, it’s not unusual for IT staff to be as much as four hours away from a potential incident by car. With Neighborhood Watch, the Dragos team can take initial actions, working with the incident response team by phone, as the team travels to the facility from the main office in Arlington, Texas.
The Neighborhood Watch system also gives the Authority a better sense of the security of the data interfaces and communication links with its customer cities, which own the water towers and are responsible for supplying water to end users. For example, it is important for customers to know that the water tower they rely on is full at 6 a.m. when people wake up, and it is equally important for the water plant to keep tabs on the readings from those towers so it knows whether to increase flow or production, or whether it can shift flow to a different city if necessary.
“Having that shared data connection provides a risk; there could be malware or malicious code coming across that connection,” Short explained. “Having the assurance from the Neighborhood Watch platform that it is looking for anomalous traffic and monitoring new connections helps us sleep at night.”
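The two monitoring outcomes described above, an inventory that alerts when a new device appears (the spreadsheet replacement) and a watch on the shared data connection for new conversations, both reduce to the same passive technique: learn a baseline of assets and conversation pairs from observed traffic, then diff new observations against it. The following is an added illustration of that technique in Python; it is not Dragos or Trinity River Authority code, and every MAC address, IP address, port and timestamp in it is constructed for the example.

```python
"""Passive ICS asset and conversation baselining over constructed flow records.

Added example, not vendor code. A sensor on a SPAN/mirror port would produce
records like these; here they are constructed inline so the example runs
offline. Ports 502 and 20000 are used only as plausible control-protocol
ports in the constructed data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    ts: str        # ISO-8601 timestamp (constructed)
    src_mac: str   # source hardware address as seen on the monitored segment
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str     # "tcp" or "udp"


@dataclass
class Baseline:
    assets: set[tuple[str, str]]                    # (src_mac, src_ip) pairs
    conversations: set[tuple[str, str, int, str]]   # (src_ip, dst_ip, dst_port, proto)


def build_baseline(flows: Iterable[Flow]) -> Baseline:
    """Learn the set of known assets and conversations from a learning period."""
    base = Baseline(assets=set(), conversations=set())
    for f in flows:
        base.assets.add((f.src_mac, f.src_ip))
        base.conversations.add((f.src_ip, f.dst_ip, f.dst_port, f.proto))
    return base


def detect_changes(baseline: Baseline, flows: Iterable[Flow]) -> list[dict]:
    """Return one alert per previously unseen asset or conversation.

    A known MAC showing up with a new IP is reported separately from a wholly
    new device, because re-addressing and address spoofing need different
    triage from a brand-new node on the control network.
    """
    known_macs = {mac for mac, _ in baseline.assets}
    alerts: list[dict] = []
    seen_assets: set[tuple[str, str]] = set()
    seen_convs: set[tuple[str, str, int, str]] = set()
    for f in flows:
        asset = (f.src_mac, f.src_ip)
        if asset not in baseline.assets and asset not in seen_assets:
            seen_assets.add(asset)
            kind = "ip_change" if f.src_mac in known_macs else "new_asset"
            alerts.append({"type": kind, "ts": f.ts, "mac": f.src_mac, "ip": f.src_ip})
        conv = (f.src_ip, f.dst_ip, f.dst_port, f.proto)
        if conv not in baseline.conversations and conv not in seen_convs:
            seen_convs.add(conv)
            alerts.append({"type": "new_conversation", "ts": f.ts,
                           "src": f.src_ip, "dst": f"{f.dst_ip}:{f.dst_port}/{f.proto}"})
    return alerts


# Constructed learning-period traffic: HMI and historian polling a PLC, and a
# customer-city interface polling an RTU across the shared data connection.
BASELINE_FLOWS = [
    Flow("2024-05-01T06:00:00", "00:1b:1b:aa:00:01", "10.10.1.20", "10.10.1.50", 502, "tcp"),
    Flow("2024-05-01T06:00:05", "00:1b:1b:aa:00:02", "10.10.1.30", "10.10.1.50", 502, "tcp"),
    Flow("2024-05-01T06:00:10", "00:1b:1b:aa:00:03", "172.16.5.10", "10.10.2.5", 20000, "tcp"),
]

# Constructed later observations: one normal poll, one unknown device, the HMI
# talking to a new port, the city interface's MAC on a new IP, and a repeat.
OBSERVED_FLOWS = [
    Flow("2024-05-08T06:00:00", "00:1b:1b:aa:00:01", "10.10.1.20", "10.10.1.50", 502, "tcp"),
    Flow("2024-05-08T06:01:00", "00:1b:1b:aa:00:99", "10.10.1.99", "10.10.1.50", 502, "tcp"),
    Flow("2024-05-08T06:02:00", "00:1b:1b:aa:00:01", "10.10.1.20", "10.10.1.50", 44818, "tcp"),
    Flow("2024-05-08T06:03:00", "00:1b:1b:aa:00:03", "172.16.5.44", "10.10.2.5", 20000, "tcp"),
    Flow("2024-05-08T06:04:00", "00:1b:1b:aa:00:99", "10.10.1.99", "10.10.1.50", 502, "tcp"),
]


def run_example() -> list[dict]:
    """Build the baseline from the learning period and diff the later traffic."""
    return detect_changes(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the constructed data the diff yields five alerts: a new asset (10.10.1.99) plus its new conversation to the PLC, a new conversation from the known HMI to port 44818, and an IP change on the city-interface MAC plus the new conversation that results from it; the repeated poll from 10.10.1.99 is deduplicated. In practice the baseline would be re-learned after approved changes, and the alert stream is what an analyst triages rather than an automatic block, since blocking on a flat control network can itself disrupt operations.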
While the Trinity River Authority currently uses Neighborhood Watch only for its largest water plant, it plans to add another location next year. By including additional plants, Short said, the information will become even more valuable because it can search for problematic assets and network configurations across plants.