Maintain water infrastructure cybersecurity while going digital
Dr Kenneth Crowther, Xylem’s Applied Water Product Security Leader (PSL), outlines five ways to help ensure that water and wastewater infrastructure can benefit from the opportunities digitalisation offers while maintaining robust cybersecurity.
Digital transformation in the water and wastewater infrastructure space offers incredible value in the face of increasing challenges – from ageing infrastructure to stretched resources. Moving to the cloud and using new platforms to integrate and leverage data shouldn’t feel scary. In fact, when implemented thoughtfully, digital solutions can help bolster data and infrastructure security. Here are five tips to help you navigate the digital landscape securely
Understand cybersecurity standards and risks
Knowledge is power – and water infrastructure cybersecurity is no exception. First, it pays to keep up to date with local and global regulations around cybersecurity standards for utilities. While it may seem overwhelming, most local standards are derived from international standards like ISO 27001 and IEC 62443, so familiarising yourself with those is a good place to start. The US Cybersecurity and Infrastructure Security Agency (CISA) recently published a helpful tool titled “Secure by Demand”. Developed in collaboration with over a dozen international government organisations, it provides tips to help organisations implementing water technologies or other operational technology (OT).
Equally important is staying up to date with threat activity. Understanding bad actors’ latest techniques and activities can help you stay one step ahead. Organisations like the Water Information Sharing & Analysis Center (WaterISAC) and the Dragos Community Defense Program (CDP) are bringing utilities together to bolster security and share knowledge.
Both organisations allow utilities to report incidents (anonymously, if preferred) so that the full water infrastructure community can be aware of recent activity. Users of these platforms can also get free resources and training. In fact, Dragos provides utilities with under $100 million in annual revenue free access to cybersecurity training and toolkits, and both AWWA and NRWA provide free training and resources.
System visibility enables security awareness
Cyberattacks are increasing as more utilities embrace cloud-based systems. But there’s another side to that coin: without sophisticated digital monitoring and control technologies, it may be difficult to detect attacks or suspicious activity until it’s too late. Traditionally, data is often siloed – even in organisations that have embraced digital technology. This makes it harder for operators to fully understand what’s happening in their system. But the right digital applications can remove silos and create a holistic, streamlined view of the entire operation.
Make sure cybersecurity is built into your tech
Each element of your tech stack has the potential to strengthen your security – or be the weak link vulnerable to attack. This is why water infrastructure cybersecurity shouldn’t be an add-on to existing and new digital implementations; instead, it must be built into the core of your chosen technologies.
It’s also important to implement additional layers of security – what experts call the ‘security onion’ or the ‘security layered cake’ approach. This involves considering security at multiple levels, from the physical environment to the network, host systems and applications themselves. No single measure is undefeatable, but creating security in layers maximises protection.
Have a response plan
Even with the best preventive measures in place, cyberattacks can occur. That’s why it’s crucial to have a robust incident response plan. With thorough training and a good plan, utilities may be able to stop hackers and suspicious activity in their tracks or at least mitigate the damage.
EPA and CISA programs have free tools and resources to help you create and implement these plans, but it also pays to build your response into your digital platforms. Ask each vendor how they will support you in the event of suspicious activity or attacks. Then, you can work together to formulate a process specific to their systems.
Remember, the most effective response begins long before an incident occurs. Many cyberattacks are still a result of phishing – a testament to human vulnerability rather than that of digital systems. That’s why it’s crucial to train employees regularly on how to avoid cyberattacks and how to respond to suspicious activity.
Select expert partners
Cybersecurity is an ongoing joint effort between an organisation’s internal team and technology partners. Since many utilities operate without large IT and cybersecurity teams, identifying the most competent solution providers with technology and water expertise is vital.
For example, Xylem Vue is a digital solution built to help utilities bolster operational efficiency and cost savings, all with best-in-class security protocols in place. The Xylem Vue team stays updated with evolving water infrastructure cybersecurity standards and updates the platform accordingly. This includes regular security testing to ensure all existing and new deployments are completely secure. What’s more, utilities using this platform get a built-in product security incident response team, and every cloud service is monitored around the clock for real-time threat detection.
Digital transformation offers immense opportunities for water utilities to optimise operations, reduce costs and improve service. By following these tips and partnering with the right experts, you can embrace these opportunities while maintaining robust cybersecurity.
