About the NJ WEA Conference

The New Jersey Water Environment Association (NJWEA) Annual Conference is the premier gathering for water and wastewater professionals in New Jersey. The 110th John J. (Jack) Lagrosa Conference (May 5-9, 2025, Harrah’s Atlantic City) brought together operators, engineers, regulators, and vendors focused on protecting water quality and critical infrastructure.

Water utilities have become prime cyber attack targets. The 2021 Oldsmar, Florida attack—where a hacker attempted to poison the water supply—and numerous ransomware incidents affecting municipal systems have made cybersecurity a top priority. Presenting at NJWEA allowed me to address the operators and engineers responsible for securing water infrastructure serving millions of New Jersey residents.

Talk: Securing Critical Infrastructure: Challenges and Controls

Talk Overview

Water and wastewater systems are foundational to public health, environmental protection, and economic stability. When compromised, consequences include health risks, environmental damage, economic disruption, and loss of public trust.

I examined recent attacks on critical infrastructure, including Colonial Pipeline (2021), the Oldsmar water treatment plant attack, and widespread ransomware targeting municipal utilities—demonstrating that these threats are active, not theoretical.

Key ICS Security Challenges

Legacy Systems: Equipment designed 20-30 years ago without security controls, running outdated OSes (Windows XP/7), with long replacement cycles

IT/OT Convergence: Increasing connectivity, remote access requirements, IoT sensors, and inadequate network segmentation

Limited Resources: Small budgets, staffing constraints, competing priorities (compliance, aging infrastructure, rate pressures)

Threat Landscape: Nation-state actors, ransomware groups, insider threats, and supply chain vulnerabilities

Operational Constraints: 24/7 uptime requirements limit patching windows; changes must not introduce operational risks

Practical Security Controls

Network Segmentation: DMZs between IT/OT, firewalls with strict ACLs, data diodes, VPNs with MFA for remote access

Asset Management: Comprehensive ICS/SCADA inventory, OT-specific vulnerability assessments, risk-based patching, compensating controls

Access Control: Eliminate default credentials, strong passwords, MFA for admin access, least privilege

Monitoring: ICS-specific IDS, anomaly detection, centralized logging, baseline normal operations

Incident Response: ICS-specific plans, tabletop exercises, communication protocols, offline backups

Security Awareness: Train staff on phishing, social engineering, physical security; foster culture where security is everyone’s responsibility
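The monitoring control above ("baseline normal operations", then watch for anomalies) and the segmentation control (writes to controllers should only ever originate inside the OT network) can be made concrete with a small detection routine. The following is an added example written for this page, not code from the talk or from NJWEA: it learns a per-tag value range and set of writing hosts from a window of known-good setpoint-write events, then flags live events that fall outside that baseline or come from outside the OT subnet. The log format (`timestamp src=... tag=... value=...`), the tag names, the host addresses, the `10.20.0.0/24` OT subnet and every value are constructed for illustration.

```python
"""Baseline-and-anomaly check over SCADA setpoint-write events (constructed sample data)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class SetpointWrite:
    ts: str
    src: str
    tag: str
    value: float


# Constructed "known-good" history: one operator HMI (10.20.0.15) adjusts
# caustic dosing, another (10.20.0.16) adjusts filter flow. Hypothetical tags/values.
BASELINE_LOG = """\
2025-05-05T08:00:01 src=10.20.0.15 tag=NAOH_DOSE_PPM value=100
2025-05-05T10:00:04 src=10.20.0.15 tag=NAOH_DOSE_PPM value=105
2025-05-05T12:00:02 src=10.20.0.15 tag=NAOH_DOSE_PPM value=95
2025-05-05T14:00:09 src=10.20.0.15 tag=NAOH_DOSE_PPM value=110
2025-05-05T08:30:00 src=10.20.0.16 tag=FILTER_FLOW_GPM value=400
2025-05-05T16:30:00 src=10.20.0.16 tag=FILTER_FLOW_GPM value=450
"""

# Constructed "live" events to evaluate against the baseline.
LIVE_LOG = """\
2025-05-06T08:05:00 src=10.20.0.15 tag=NAOH_DOSE_PPM value=102
2025-05-06T08:07:13 src=10.20.0.15 tag=NAOH_DOSE_PPM value=11000
2025-05-06T08:09:40 src=192.168.50.7 tag=NAOH_DOSE_PPM value=100
2025-05-06T08:11:02 src=10.20.0.16 tag=BACKWASH_ENABLE value=1
"""


def parse_event(line: str) -> SetpointWrite:
    """Parse one 'ts key=value ...' line (hypothetical format) into a SetpointWrite."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return SetpointWrite(ts=ts, src=kv["src"], tag=kv["tag"], value=float(kv["value"]))


def parse_log(text: str) -> list[SetpointWrite]:
    return [parse_event(ln) for ln in text.splitlines() if ln.strip()]


def build_baseline(events: list[SetpointWrite], margin: float = 0.20) -> dict:
    """Per tag: the observed value range widened by `margin` of its span, plus the
    set of hosts that have legitimately written that tag during the baseline window."""
    raw: dict[str, tuple[float, float, set[str]]] = {}
    for ev in events:
        lo, hi, srcs = raw.get(ev.tag, (ev.value, ev.value, set()))
        raw[ev.tag] = (min(lo, ev.value), max(hi, ev.value), srcs | {ev.src})
    baseline = {}
    for tag, (lo, hi, srcs) in raw.items():
        span = (hi - lo) or abs(hi) or 1.0   # avoid a zero-width band for constant tags
        baseline[tag] = {"lo": lo - margin * span, "hi": hi + margin * span,
                         "srcs": frozenset(srcs)}
    return baseline


def detect_anomalies(events: list[SetpointWrite], baseline: dict,
                     ot_network: str) -> list[tuple[SetpointWrite, list[str]]]:
    """Return (event, reasons) for every event that deviates from the baseline or
    originates outside the OT subnet. Events with no reasons are not returned."""
    net = ipaddress.ip_network(ot_network)
    findings = []
    for ev in events:
        reasons = []
        prof = baseline.get(ev.tag)
        if prof is None:
            reasons.append(f"tag {ev.tag} was never written during the baseline window")
        else:
            if not prof["lo"] <= ev.value <= prof["hi"]:
                reasons.append(f"value {ev.value:g} outside baseline "
                               f"[{prof['lo']:g}, {prof['hi']:g}]")
            if ev.src not in prof["srcs"]:
                reasons.append(f"host {ev.src} has not previously written {ev.tag}")
        if ipaddress.ip_address(ev.src) not in net:
            reasons.append(f"host {ev.src} is outside the OT network {ot_network}")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    profile = build_baseline(parse_log(BASELINE_LOG))
    for ev, why in detect_anomalies(parse_log(LIVE_LOG), profile, "10.20.0.0/24"):
        print(f"{ev.ts} {ev.src} {ev.tag}={ev.value:g}")
        for r in why:
            print(f"    - {r}")
```

Run as a script, the routine passes the first live event (a routine dose adjustment) and reports the remaining three: a dose setpoint far above anything seen in the baseline, a write to the dosing tag from a host that is both new to that tag and outside the OT subnet, and a write to a tag that never appeared during baselining. Each of those is a reviewable event for an operator even when the controller accepted the write, which is the point of baselining before looking for anomalies.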

Shared Responsibility

Security requires collective effort across all levels:

- Operators: Monitor for anomalies, follow procedures, report issues
- Engineers: Design in security, evaluate vendor capabilities
- Management: Allocate resources, support training
- Everyone: Practice good cyber hygiene

Regulatory Context

Key requirements: America’s Water Infrastructure Act (AWIA), EPA Cybersecurity Guidance, CISA support. The goal isn’t just compliance—it’s resilience: preventing, withstanding, and rapidly recovering from cyber incidents.

Slides can be found here: View Slides

NJWEA