Cybersecurity Is Not About Investing In Tools, It’s About Changing Culture

Our water infrastructure is one of the most important aspects of our daily lives. National security, economic stability, public health, and safety all rely on access to clean water. 

That makes cybersecurity a critical safety issue for water utilities. Outdated automation systems, networks, and applications are vulnerable to cybersecurity attacks. In addition, many utilities lack the proper policies and procedures for mitigating these types of threats.

Protecting a critical resource, such as water, requires more than just implementing tools to comply with a set of standards. It’s about creating a culture of awareness of threats that exist and developing resiliency in infrastructure by implementing the right set of tools that enables productivity and minimizes adoption risks.

Many water and wastewater utilities understand the importance of cybersecurity but fail to act. Many either lack the expertise or investment to address cybersecurity risks or fear that implementing security measures will impede productivity. 

A Gartner 2022 study found that spending on security products and services is forecast to grow 11.3% in 2023. According to the study, spending will reach $188.3 billion because more companies are willing to invest in security and risk management. However, if not implemented correctly, these tools can do more harm than good.

The Threat to Water 

In OT environments, cybersecurity risks are no different than occupational safety or health risks. Tools can create more vulnerability for organizations. They can become an attack vector if they aren’t actively managed, patched, and maintained. 

There are numerous recent examples of attempts to damage infrastructure and to contaminate or disrupt the supply of drinking water and wastewater treatment services by exploiting weaknesses in water utilities’ infrastructure.

An example of the consequences of a lack of planning is the attack at the Georgia Drinking Water Plant back in 2013. In this attack, an individual tampered with the chemical settings at the water treatment plant, which resulted in over 400 customers losing access to drinking water. If appropriate security measures had been in place, such as proper monitoring, this issue could have been avoided.

Water facilities in Maine, California, and Nevada all experienced ransomware attacks in the past few years. These hacks went beyond disabling computers and paralyzed the specialized supervisory control and data acquisition (SCADA) devices that send commands to equipment.

In Florida, hackers were able to gain access to the computer system and increase the amount of sodium hydroxide being distributed into the water supply. 

Why Tools Fail

Verizon Wireless released its 2022 data breach findings, which show that 82% of breaches involved the human element. On top of that, ransomware breaches were up 13% from previous years, more than in the last five years combined.

In most water and wastewater organizations, cybersecurity is identified as important but treated as an afterthought. This thinking often leads companies to implement tools that address gaps in compliance without fully understanding the risks or potential threats that are present. Controls should be implemented in line with the broader organizational strategy and with end-user behavior in mind.

If not done correctly, tools are a burden for the end users and operators alike, who then seek ways to work around them, creating more risks for utilities.

What Steps Can an Organization Take to Change Company Culture Around Cybersecurity?

Organizations need to change their cultures to become more cybersecurity aware. 

Like all company policies, building a culture of operational resilience and cyber readiness starts at the top. Cybersecurity must be discussed, prioritized, and championed by leadership in order for it to flow down to employees. 

Here are some internal shifts to make:

  • Include cybersecurity as part of your overall business strategy
  • Focus on leadership buy-in 
  • Develop awareness training for employees
  • Prioritize usability when selecting and implementing new tools

The Importance of Leadership 

In order to enact any internal changes, leaders must lead the charge. It’s important for utility board members and executive leaders to champion cybersecurity initiatives.

When leaders make it a point to create a culture around security and safety, it becomes part of every day instead of an afterthought. 

Communicating these practices regularly also builds customer trust. When customers see how ingrained cybersecurity is in the culture of an organization, it shows how their data is valued and protected.

Awareness Training

Once leadership has introduced security practices, continued training is necessary. 

Adoption is key. 

The best way to ensure adoption is to make cybersecurity a priority that aligns with the utility’s overall strategy. This includes making sure the right people in each department buy into the new tools and see their value.

Implement the Right Tools

Tools are designed to help enhance security, but organizations run into challenges when these tools are not used to their full capabilities. Some common mistakes we see when it comes to cybersecurity tools:

  • They don’t get properly or fully configured
  • Organizations don’t have the resources to manage the tool over its useful lifecycle
  • Tools can negatively impact productivity

The Future of Water Security

The Biden administration recently announced a new initiative to secure U.S. water systems from cyberattacks. The plan includes new technology recommendations for water utilities to help detect cyber threats. On top of that, water utility operators and federal officials will be encouraged to share more information with one another when it comes to potential threats. 

In order to keep control of our drinking water and wastewater, it’s important to adapt and change as threats get more sophisticated. This includes bringing in new technologies when necessary, but factoring in human buy-in is the most valuable part of the process to ensure the effectiveness of any new technologies. People are our most critical asset.