Cybersecurity Is Not About Investing In Tools, It’s About Changing Culture

Our water infrastructure is one of the most important aspects of our daily lives. National security, economic stability, public health, and safety all rely on access to clean water. 

That makes cybersecurity a critical safety issue for water utilities. Outdated automation systems, networks, and applications are vulnerable to cybersecurity attacks. In addition, many utilities lack the proper policies and procedures for mitigating these types of threats.

Protecting a critical resource, such as water, requires more than just implementing tools to comply with a set of standards. It’s about creating a culture of awareness of threats that exist and developing resiliency in infrastructure by implementing the right set of tools that enables productivity and minimizes adoption risks.

Many water and wastewater utilities understand the importance of cybersecurity but fail to act. Many either lack the expertise or investment to address cybersecurity risks or fear that implementing security measures will impede productivity. 

A Gartner 2022 study found that spending on security products and services is forecast to grow 11.3% in 2023. According to the study, spending will reach $188.3 billion because more companies are willing to invest in security and risk management. However, if not implemented correctly, these tools can do more harm than good.

The Threat to Water 

In OT environments, cybersecurity risks are no different than occupational safety or health risks. Tools can create more vulnerability for organizations. They can become an attack vector if they aren’t actively managed, patched, and maintained. 

There are numerous recent examples of attempts to damage infrastructure and to contaminate or disrupt the supply of drinking water and wastewater treatment services by exploiting weaknesses in water utilities’ infrastructure.

An example of the consequences of a lack of planning is the attack at the Georgia Drinking Water Plant back in 2013. In this attack, an individual tampered with the chemical settings at the water treatment plant, which resulted in over 400 customers losing access to drinking water. If appropriate security measures had been in place, such as proper monitoring, this issue could have been avoided.

The water facilities in Maine, California, and Nevada all experienced ransomware attacks in the past few years. These hacks went beyond disabling computers, and paralyzed the specialized supervisory control and data acquisition (SCADA) devices that send commands to equipment.

In Florida, hackers were able to gain access to the computer system and increase the amount of sodium hydroxide being distributed into the water supply. 

Why Tools Fail

Verizon Wireless released its 2022 data breach findings and found that 82% of breaches involved the human element. On top of that, ransomware breaches were up 13% from previous years, an increase greater than in the last five years combined.

In most water and wastewater organizations, cybersecurity is identified as important, but seen as an afterthought. This thinking often leads companies to implement tools that address gaps in compliance without fully understanding the risks or potential threats that are present. Controls should be implemented in alignment with the broader organizational strategy and with end-user behavior in mind.

If not done correctly, tools are a burden for the end users and operators alike, who then seek ways to work around them, creating more risks for utilities.

What Steps Can an Organization Take to Change Company Culture Around Cybersecurity?

Organizations need to change their cultures to become more cybersecurity aware. 

Like all company policies, building a culture of operational resilience and cyber readiness starts at the top. Cybersecurity must be discussed, prioritized, and championed by leadership in order for it to flow down to employees. 

Here are some internal shifts to make:

  • Include cybersecurity as part of your overall business strategy
  • Focus on leadership buy-in 
  • Develop awareness training for employees
  • Prioritize usability when selecting and implementing new tools

The Importance of Leadership 

In order to enact any internal changes, leaders must lead the charge. It’s important for utility board members and executive leaders to champion cybersecurity initiatives.

When leaders make it a point to create a culture around security and safety, it becomes part of every day instead of an afterthought. 

Communicating these practices regularly also builds customer trust. When customers see how ingrained cybersecurity is in the culture of an organization, it shows how their data is valued and protected.

Awareness Training

Once leadership has introduced security practices, continued training is necessary. 

Adoption is key. 

The best way to ensure adoption is to make cybersecurity a priority that aligns with the utility’s overall strategy. This includes making sure the right people in each department buy into the new tools and see their value.

Implement the Right Tools

Tools are designed to help enhance security, but organizations run into challenges when these tools are not used to their full capabilities. Some common mistakes we see when it comes to cybersecurity tools:

  • They don’t get properly or fully configured
  • Organizations don’t have the resources to manage the tool over its useful lifecycle
  • Tools can negatively impact productivity

The Future of Water Security

The Biden administration recently announced a new initiative to secure U.S. water systems from cyberattacks. The plan includes new technology recommendations for water utilities to help detect cyber threats. On top of that, water utility operators and federal officials will be encouraged to share more information with one another when it comes to potential threats. 

In order to keep control of our drinking water and wastewater, it’s important to adapt and change as threats get more sophisticated. This includes bringing in new technologies when necessary, but factoring in human buy-in is the most valuable part of the process to ensure the effectiveness of any new technologies. People are our most critical asset.

We all have the same goal, so why is it so hard to work together?

Finance, Engineering, and Operations. These are three groups that notoriously have a difficult time working together. But why? We all have the same goal: execute a task quickly and in the most cost-effective way possible. 

Each group has its own approach to problem-solving, so it’s difficult to see the other point of view. It may be a challenge, but there is a path forward where these three teams can work together to create more functional processes that benefit everyone. 

When new projects arise, each team plays a critical role in determining the best path forward. Issues emerge when each team does not completely understand how their work may impact another team. 

 

A Real World Example

For example, engineers are given a scope of work from finance. They work to take bids from contractors to find the right team for the job. Given tight budgets and tight timelines, they are limited in the contractors they can choose from. After a long search, the engineering team identifies three options:

  1. The most expensive option, which is time efficient and will do the job right 
  2. A financially good choice, but one that can’t get the job done within time constraints
  3. The cheapest and fastest option

Guess which team finance is going to choose? Cheap and fast. Almost every time. 

Finance is working off the assumption that anyone the engineers recommend can get the job done, so why not go with the cheapest in order to stay under budget and on time? 

We see it happen all the time. Engineering feels like their hands are tied by finance. Finance is trying to stay within budget for the highest ROI. So the best contractor for the job is rarely chosen. Now, who takes the brunt of these bad decisions? 

Operations. 

The operations team is left with a product that doesn’t work well. The chosen solution is not helping productivity and will often require additional parts to function properly with the current equipment. 

The maintenance required to keep the machines in good working order has also increased, yet the engineering team has a difficult time understanding why metrics can’t be met. So Operations has to explain how the new equipment isn’t quite right. 

They’re often told to just deal with it because truly fixing it would go over budget in time, labor, and maintenance when the goal of the project was to cut costs.  

 

Where do we go from here?

Let’s work together. The best thing we can do to improve efficiency is to get alignment from the key people influencing the project. Sometimes this means setting our egos aside — which means coming to terms with the idea that maybe you don’t know everything.

When decisions are being made, Finance, Engineering, and Operations all need to be involved in each step of the process. This is important because each team brings a unique perspective that can help prevent issues from arising before it’s too late.

Yes, this will require more meetings and a more open line of communication between each group. It also may accentuate other issues and challenges that each team needs to address. 

Is it worth all the drama? Yes. The answer is always yes. 

Once communication lines open, amazing things can happen. After the initial investment and hardships, a partnership between these groups will make way for more efficiency, fewer patch jobs, and an increase in returns.