Cybersecurity For Detroit Water
Protecting Water Utilities From Evolving Cyber Threats
Customer/Partner:
Detroit Water and Sewerage Department.
Customer Requirement:
Protect safe and reliable water utility operations while enabling access to real-time data for equipment monitoring, cell-phone-based field data validation, hydraulic analysis and other applications.
Waterfall’s Unidirectional Solution:
Unidirectional Security Gateways protect industrial control systems, including SCADA systems, individual controllers and PLCs with an impassable physical barrier to external network threats, while enabling enterprise-wide access to real-time production data.
Water Processing Modernisation And Containing Remote Cyber Threats
Detroit Water and Sewerage Department (DWSD) provides water service to the entire city of Detroit and several neighboring counties making up approximately 40 percent of the state’s population. For many years, DWSD had contracted a communications supplier to provide a pair of firewalls to serve as the sole security solution for IT/OT network integration. In early 2011, DWSD carried out a risk assessment of the security of the firewalls between the operations networks and the business network and determined that the risk of a security compromise of the operations network from the utility’s enterprise network was unacceptably high.
The challenge
Secure the safe & reliable operation of process control systems from external threats, while enabling real-time access to operations data for enterprise users and applications.
Important hydraulic analysis and optimization applications must run on the enterprise network as they require access to Internet-enabled GIS applications. These applications also rely on access to real-time reservoir levels, pressures and pump status indications from the operational network. Equipment status information, wastewater treatment billing information and other readings must also be pushed from the OT network to the enterprise network.
Waterfall solution
Detroit Water replaced the IT/OT firewall with a Unidirectional Security Gateway. The gateways replicate an OSIsoft PI historian from the OT network to the IT network. The IT PI replica provides enterprise users and applications with real-time access to all operations data authorized to be shared with the enterprise. The enterprise hydraulic analysis application draws real-time reservoir levels, pressures and pump indications from the replica historian. A secure web portal accesses equipment status information, billing information and other readings from the replica as well. This data is available to utility management, end users and field personnel.
Results & benefits
Security: Waterfall Unidirectional Gateways eliminate all possibility of threats penetrating operations from all external networks.
Visibility: The utility benefits from a wide variety of customer-service-enhancing integrations between OT and IT networks.
Cost: Every month, the utility saves the $10,000 it spent on firewall security management before the Waterfall deployment. Web-based applications dramatically improve field technician effectiveness and reduce technician wait times. The hydraulic optimization application is estimated to save the utility $7 million/year in electric power costs for operating the utility’s distributed network of water pumps.
Theory of Operation
“We can see that this solution eliminates external networks as threats to the safety or availability of our operations.”
Biren Saparia, Detroit Water’s Process Control System Manager
Waterfall Unidirectional Security Gateways replace firewalls in industrial network environments, providing absolute protection to control systems and industrial control networks from attacks emanating from external less-trusted networks. Waterfall Gateways contain both hardware and software components. The hardware is physically able to send information in only one direction. The software replicates servers and emulates devices. At Detroit Water, the gateway software produces an accurate, timely replica of an operations OSIsoft PI server. Enterprise, web-based and cloud-based IIoT applications and users use the replica server exclusively.
Unidirectional Gateways enable control-system intrusion detection, vendor monitoring, industrial cloud services, and visibility into operations for modern enterprises and customers. Unidirectional Gateways replicate servers, emulate industrial devices and translate industrial data to cloud formats. Unidirectional Gateway technology represents a plug-and-play replacement for firewalls, without the vulnerabilities and maintenance issues that accompany firewall deployments. Replacing at least one layer of firewalls in a defense-in-depth architecture breaks the attack path from the Internet to critical systems.
Unidirectional Security Gateways Benefits:
Safe, continuous monitoring of critical systems.
Disciplined, on-demand and scheduled updates of plant systems, without introducing firewall vulnerabilities.
Simplifies audits, change reviews, and system documentation.
Protects product quality, personnel safety, rotating equipment, and the environment.
Replaces at least one layer of firewalls in a defense-in-depth architecture, thereby breaking the chain of infection and preventing pivoting attacks.