6 Things The Water Industry Should Know About Cybersecurity

1. Cybersecurity Guidelines Exist for the Water Industry

Recognizing that public water sector companies often have limited financial and human resources, American Water Works Association (AWWA) has outlined specific guidelines that provide a prescriptive approach to cybersecurity for Water, Wastewater, and Water Management Systems. 


2. Online Risk Assessments are a Good Place to Start

To build a secure infrastructure, you must understand where you are vulnerable, and AWWA offers a Cybersecurity Risk Management Tool to help you do that. Through a series of multiple choice questions, you’ll be asked to consider the different access points to your network. 

This tool is a high-level assessment that doesn’t take into account the intricacies of your organization, but provides great value in gaining an awareness of the areas your organization may be at risk. 


3. Cyberthreats Come From Many Departments 

When assessing risks to water utilities, the tendency is to focus on OT systems. While securing your control system is essential, it is important to realize that your network could be infiltrated through unrelated systems, such as accounting software or a document storage system. 

When performing your risk assessment, it’s important to look at the entire organization, not just your PCS environment.


4. Secure Remote Devices

As OT systems allow for greater remote access, the risk of a breach increases. It may be convenient to check on the control system while you’re in Starbucks, but that one action can undermine an entire cybersecurity program. In fact, one study found that unsecured networks accounted for 72% of security breaches

Any remote device used to access the control system should always be protected by a VPN, especially if public WiFi networks will be used. 


5. Every Network is Vulnerable

A lack of direct internet connectivity does not automatically guarantee a network’s security. The reality is, every network comes with its own set of vulnerabilities. The key is to assess the severity of these vulnerabilities, and develop a comprehensive plan to mitigate associated risks.

Water utilities should establish a robust network security infrastructure, which includes:

  • deploying firewalls
  • intrusion detection and prevention systems
  • network segmentation to separate critical systems from non-critical ones
  • regular network traffic monitoring and analysis to identify potential threats and vulnerabilities


6. Secure By Design

Cybersecurity and Infrastructure Security Agency (CISA) promotes the concept of Secure By Design, in which every technology provider ensures that their products are secure by default. Keep this concept in mind when you source new technology to ensure security features are built in without the need for extra configuration or cost. <   Having tools that are secure by design will help organizations avoid some risk exposure, but it is important to realize that a cybersecurity program is not just about security features. You must also account for the human element and build a culture of security. 

If creating a strong cybersecurity program is a challenge for your organization, please get in touch. Luminary A.C.E. specializes in helping water utilities create efficient and secure OT systems.

Cybersecurity Is Not About Investing In Tools, It’s About Changing Culture

Our water infrastructure is one of the most important aspects of our daily lives. National security, economic stability, public health, and safety all rely on access to clean water. 

That makes cybersecurity a critical safety issue for water utilities. Outdated automation systems, networks, and applications are vulnerable to cybersecurity attacks. In addition, many utilities lack the proper policies and procedures for mitigating these types of threats.

Protecting a critical resource, such as water, requires more than just implementing tools to comply with a set of standards. It’s about creating a culture of awareness of threats that exist and developing resiliency in infrastructure by implementing the right set of tools that enables productivity and minimizes adoption risks.

Many water and wastewater utilities understand the importance of cybersecurity but fail to act. Many either lack the expertise or investment to address cybersecurity risks or fear that implementing security measures will impede productivity. 

A Gartner 2022 study found that spending on security products and services is forecast to grow 11.3% in 2023. According to the study, spending will reach $188.3 billion because more companies are willing to  invest in security and risk management. However, if not implemented correctly, these tools can do more harm than good. 

The Threat to Water 

In OT environments, cybersecurity risks are no different than occupational safety or health risks. Tools can create more vulnerability for organizations. They can become an attack vector if they aren’t actively managed, patched, and maintained. 

Numerous recent examples of attempts to damage infrastructure, contaminate or disrupt the supply of drinking water and wastewater treatment services by exploiting weaknesses in water utilities’ infrastructure. 

An example of consequences due to lack of planning is the attack at the Georgia Drinking Water Plant back in 2013. In this attack, an individual tampered with the chemical settings at the water treatment plant which resulted in over 400 customers losing access to drinking water. If appropriate security measures were in place, such as proper monitoring, this issue could have been avoided. 

The water facilities in Maine, California, and Nevada all experienced ransomware attacks in the past few years. These hacks went beyond disabling computers, and paralyzed the specialized supervisory control and data acquisition (SCADA) devices that send commands to equipment.

In Florida, hackers were able to gain access to the computer system and increase the amount of sodium hydroxide being distributed into the water supply. 

Why Tools Fail

Verizon Wireless released its 2022 data breach findings and found that 82% of breaches involved the human element. On top of that, ransomware breaches were up 13% from previous years, more than in the last five years combined. 

In most water and wastewater organizations, cybersecurity is identified as important, but seen as an afterthought. This thinking often leads companies to implement tools that address gaps in compliance without fully understanding the risks or potential threats that are present. Implementing controls should align with the broader organizational strategy and with end-user behavior in mind.  

If not done correctly, tools are a burden for the end users and operators alike, who then seek ways to work around them, creating more risks for utilities.

What Steps Can an Organization Take to Change Company Culture Around Cybersecurity?

Organizations need to change their cultures to become more cybersecurity aware. 

Like all company policies, building a culture of operational resilience and cyber readiness starts at the top. Cybersecurity must be discussed, prioritized, and championed by leadership in order for it to flow down to employees. 

Here are some internal shifts to make:

  • Include cybersecurity as part of your overall business strategy
  • Focus on leadership buy-in 
  • Develop awareness training for employees
  • Prioritize usability when selecting and implementing new tools

The Importance of Leadership 

In order to enact any internal changes, leaders must lead the charge. It’s important for Utility board members and executive leaders to champion cybersecurity initiatives. 

When leaders make it a point to create a culture around security and safety, it becomes part of every day instead of an afterthought. 

Communicating these practices regularly also builds customer trust. When customers see how ingrained cybersecurity is in the culture of an organization, it shows how their data is valued and protected.

Awareness Training

Once leadership has introduced security practices, continued training is necessary. 

Adoption is key. 

The best way to ensure adoption is to make cybersecurity a priority that aligns with the utilities’ overall strategy. This includes making sure the right people in each department buy into the new tools and see their value. 

Implement the Right Tools

Tools are designed to help enhance security, but organizations run into challenges when these tools are not used to their full capabilities. Some common mistakes we see when it comes to cybersecurity tools:

  • They don’t get properly or fully configured
  • Organizations don’t have the resources to manage the tool over its useful lifecycle
  • Tools can negatively impact productivity

The Future of Water Security

The Biden administration recently announced a new initiative to secure U.S. water systems from cyberattacks. The plan includes new technology recommendations for water utilities to help detect cyber threats. On top of that, water utility operators and federal officials will be encouraged to share more information with one another when it comes to potential threats. 

In order to keep control of our drinking water and wastewater, it’s important to adopt and change as threats get more sophisticated. This includes bringing in new technologies when necessary, but factoring in human buy-in is the most valuable part of the process to ensure the effectiveness of any new technologies. People are our most critical asset.