1. Cybersecurity Guidelines Exist for the Water Industry
Recognizing that public water sector companies often have limited financial and human resources, the American Water Works Association (AWWA) has outlined specific guidelines that provide a prescriptive approach to cybersecurity for Water, Wastewater, and Water Management Systems.
2. Online Risk Assessments are a Good Place to Start
To build a secure infrastructure, you must understand where you are vulnerable, and AWWA offers a Cybersecurity Risk Management Tool to help you do that. Through a series of multiple-choice questions, you'll be asked to consider the different access points to your network.
This tool is a high-level assessment that doesn't take into account the intricacies of your organization, but it provides great value in building awareness of the areas where your organization may be at risk.
3. Cyberthreats Come From Many Departments
When assessing risks to water utilities, the tendency is to focus on OT systems. While securing your control system is essential, it is important to realize that your network could be infiltrated through unrelated systems, such as accounting software or a document storage system.
When performing your risk assessment, it’s important to look at the entire organization, not just your PCS environment.
4. Secure Remote Devices
As OT systems allow for greater remote access, the risk of a breach increases. It may be convenient to check on the control system while you’re in Starbucks, but that one action can undermine an entire cybersecurity program. In fact, one study found that unsecured networks accounted for 72% of security breaches.
Any remote device used to access the control system should always be protected by a VPN, especially if public WiFi networks will be used.
5. Every Network is Vulnerable
A lack of direct internet connectivity does not automatically guarantee a network’s security. The reality is, every network comes with its own set of vulnerabilities. The key is to assess the severity of these vulnerabilities, and develop a comprehensive plan to mitigate associated risks.
Water utilities should establish a robust network security infrastructure, which includes:
- firewalls
- intrusion detection and prevention systems
- network segmentation to separate critical systems from non-critical ones
- regular network traffic monitoring and analysis to identify potential threats and vulnerabilities
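An added example, not part of the original article: a short Python check that combines the points above (business systems as an entry path, VPN-only remote access, segmentation and traffic monitoring) by auditing flow records against a zone policy. The subnets, jump host, ports and sample flows are all assumptions constructed for illustration.

```python
import ipaddress

# Zone layout, addresses and ports are constructed for this example.
ZONES = {
    "ot": ipaddress.ip_network("10.10.0.0/24"),        # control system (critical)
    "business": ipaddress.ip_network("10.20.0.0/24"),  # accounting, document storage
    "vpn": ipaddress.ip_network("10.30.0.0/24"),       # addresses leased to VPN clients
}
JUMP_HOST = ipaddress.ip_address("10.10.0.5")  # hypothetical single entry point into OT
JUMP_PORTS = {3389}                            # hypothetical: remote desktop only


def zone_of(addr):
    """Map an IP address string to a zone name, or 'external' if unknown."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "external")


def check_flow(src, dst, port):
    """Return None when the flow is permitted, otherwise the reason it is not."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if dst_zone != "ot" or src_zone == "ot":
        return None  # only traffic crossing into the OT zone is policed here
    if src_zone == "vpn":
        if ipaddress.ip_address(dst) == JUMP_HOST and port in JUMP_PORTS:
            return None
        return "VPN client bypassed the jump host"
    if src_zone == "business":
        return "business system reached the control network"
    return "remote source reached the control network without the VPN"


def audit(flows):
    """Return (src, dst, port, reason) for every flow that breaks the policy."""
    checked = ((s, d, p, check_flow(s, d, p)) for s, d, p in flows)
    return [row for row in checked if row[3]]

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.0.20", "10.10.0.21", 502),   # inside OT: allowed
    ("10.30.0.14", "10.10.0.5", 3389),   # VPN user to jump host: allowed
    ("10.30.0.14", "10.10.0.21", 502),   # VPN user straight to a controller
    ("10.20.0.8", "10.10.0.21", 445),    # accounting server into OT
    ("203.0.113.9", "10.10.0.5", 3389),  # public address, no VPN
]

if __name__ == "__main__":
    for src, dst, port, reason in audit(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port}  {reason}")
```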
6. Secure By Design
The Cybersecurity and Infrastructure Security Agency (CISA) promotes the concept of Secure By Design, in which every technology provider ensures that their products are secure by default. Keep this concept in mind when you source new technology to ensure security features are built in without the need for extra configuration or cost.
Having tools that are secure by design will help organizations avoid some risk exposure, but it is important to realize that a cybersecurity program is not just about security features. You must also account for the human element and build a culture of security.
If creating a strong cybersecurity program is a challenge for your organization, please get in touch. Luminary A.C.E. specializes in helping water utilities create efficient and secure OT systems.