In 2020, SATEC was assigned with the supply, installation, and maintenance of the perimeter security system of the peripheral facilities of the supply network of the Consorcio de Aguas Bilbao Bizkaia (CABB). Following, we analyze the current security problem in OT environments, the need of the client and how SATEC has contributed its knowledge and experience to solve it.
About CABB
The Bilbao Bizkaia Water Consortium is the company responsible for managing the primary network, both for the supply of drinking water and for the sanitation of wastewater. Established in 1967, the consortium that initially was made up by nineteen municipalities of Bizkaia and the now defunct Greater Bilbao Administrative Corporation, has today become a highly relevant institution that includes 81 municipalities (in blue in the picture bellow), the Provincial Council of Bizkaia and the Basque Government, without prejudice to maintaining collaboration agreements with other local entities
The CABB serves a population of more than one million inhabitants, which represents 91.26% in Bizkaia and 48.20% within the Autonomous Community of the Basque Country.
Among its responsibilities, the primary network water supply stands out, for the collection, reservoir, transport, treatment, and conduction to big final users or to the head reservoirs of the distribution network. additionally, it is responsible for sanitation in the primary network, which includes the collectors and interceptors that connect the sewers with the stations, the wastewater treatment plants, and the outfalls that return the treated water to the receiving aquatic environment. Finally, within its competences is also the control of industrial spills and relations with the clients of all the consortium municipalities.
Safety in industrial enviroments / OT
Traditionally OT environments have been isolated, even though right now is the day when paradigms such as digitization and Industry 4.0 are changing the needs and priorities of the industry. Industrial organizations tend to prioritize the collection of data from their production environments to obtain key advantages that allow them to differentiate themselves and / or maximize their efficiency. All of this is becoming increasingly viable thanks to both enabling technologies and continuous advances in connectivity.
This connectivity, although it opens a new world of possibilities, also exposes us to new and dangerous threats, such as all those linked to the logical security of our organization’s assets, and therefore forces us to interpose mechanisms to protect our assets. most precious resources, both in the IT world (information technology) and OT (operation technology).
Industrial organizations cannot lose the train of digitization, although they must be aware of the risks to which they are exposed, risks that can and should be minimized by considering mechanisms to identify, analyze, prioritize, monitor and protect their most precious assets, such as comprehensive security plans, which include security methodologies, processes, tools and procedures, without neglecting people and their training and awareness in this area.
Needs and purposes
The CABB, well aware of the criticality of its activity and the risks, has established security as one of its priorities, working to provide, as part of its global strategy, state-of-the-art protection systems to all its infrastructures, always with the purpose of offering the best service and guaranteeing its availability.
Within the scope of this project, the CABB has identified the need to secure its peripheral facilities, which are highly critical, highly exposed, and highly vulnerable to possible attacks or security breaches. Each of them has particularities, so they cannot be approached as an installation with unique characteristics but must be analyzed individually.
Aware of the importance of defining a strategy that guarantees acceptable levels of security, they establish a series of general requirements to meet the minimum standards. Among other aspects, this includes the implementation of solutions with advanced security capabilities, such as: application control, antivirus, protection against threats, double authentication factor, verification of signatures in real time, elimination of dynamic contents of a document, dynamic routing configuration, web browsing control, DLP control, SSL inspection, etc.
The project, granted in 2020, requires the securitization of two dams and twelve Drinking Water Treatment Stations (ETAP) which are those of Oleta, Lekue, San Miguel, Salinillas, Gartxeta, Jarralta, Gorozika, Iparraguirre, Garaizar, San Cristobal, San Salvador and Sollano, along with the Undurraga and Ordunte dams.
Resolution of the need
To achieve the proposed goals of securing the above mentioned facilities, the implementation of the necessary equipment has been proposed to provide visibility of the traffic between the different networks and CABB branches and allows the examination of the mentioned traffic at level 7 (applications, antivirus, IPS), apart from entitling the facilities with firewalls to control access, filter IPS threats and control applications at level 7. Likewise, the security of the CABB is reinforced by segmentation of the internal networks of its facilities in different layers, to apply the measures of security and review the traffic of critical services for the CABB.
SATEC, as the successful beneficiary/bidder of the project, is responsible for undertaking all the necessary work to approach the securization of the network through the supply, installation, configuration, commissioning and subsequent assistance of the security equipment, as well as the necessary equipment for administration and network segmentation.
Additionally, being responsible for the turnkey project, SATEC must ensure before the CABB, the operation of the equipment and the correct configuration of the global communications network. To this effect, it assumes among its responsibilities the pre-existing network elements and not only those provided within the contract with the CABB, showing its adaptability and providing added value as a solutions and systems integrator. Also, the client has been accompanied in the optimization of the parameterization of the equipment, defining or modifying the most appropriate security policies between the centers.