All water utilities in the U.S. must provide an inventory of all their service lines (regardless of active status) to the EPA and make it publicly available or accessible upon request to meet the Lead and Copper Rule Revisions (LCRR) regulations. The countdown for LCRR compliance has already begun, and water utilities have different ways to show compliance.
Water utilities are balancing the pros and cons of building their own solution to manage the required data, or selecting a commercial solution that integrates data management and reporting. In this article, we’ll discuss the pros and cons of these two options and the importance of implementing cybersecurity controls to protect the data.
What’s the difference between building your own inventory and buying a cloud-based software solution?
On the surface, when going the do-it-yourself or DIY route, you have almost complete freedom in how you choose to build your own system — you can create a custom system that’s tailored to your utility, simply use an Excel spreadsheet in integration with other systems such as GIS or hire a consultant to create a system for you from scratch.
When buying software, you get more of a plug-and-play system that can fulfill your initial regulatory needs (submitting an inventory), perform automated updates, and take you through the entire lifecycle of a regulatory program (including sampling, replacing lead pipes, and reporting) as needed. These two options have their pros and cons, including several cybersecurity implications.
Cybersecurity issues to look for when building your own inventory system
EPA has recently released a memo, for states, emphasizing the need to assess cybersecurity risk for drinking water systems. Cybersecurity is becoming increasingly important for water utilities, and if ignored, the situation will only get worse. If you’re thinking of building your own system, it is important to plan the resources required to build and maintain a system and consider how cybersecurity will be managed. Several critical components should be considered when building a system, including data security, backups, and cybersecurity controls to protect the system and customer data. Here are a few pitfalls one could fall into when not planned successfully.
Security threats: The project team should include a cybersecurity expert to implement cybersecurity controls, including active monitoring to properly secure the system you are building, ensuring you are not susceptible to security threats.
Vulnerability to attacks: You can be susceptible to various kinds of incidents due to lack of planning or oversight. Your cybersecurity plan should include:
- Dedicated resources to thoroughly test and monitor the system for security vulnerabilities
- Investigating third party components that may have security vulnerabilities, and active monitoring to ensure the latest versions of these components are being used
- Dedicated resources to maintain your system and keep it up to date with the latest security patches
- Scanning and logging tools that allow your team to actively monitor any threats to the infrastructure and systems
Ensure you are aware of regulations — old and new
Depending on the type of system you're building, you will need to comply with certain security regulations or standards. If you're not familiar with these requirements, you could unintentionally build a system that is not compliant, which could lead to fines and other penalties.
The Trinnex cybersecurity team identified the following topics that should be of highest priority for your utility:
- Leveraging tools for security testing: There is no single tool or approach that can guarantee complete security of an application, it requires a multi-faceted approach. Some common tools that are used are static application security testing (SAST). SAST tools look at the source code for any vulnerabilities that are present before deploying the source code. Dynamic application security testing (DAST) tools will test the application while it is in a running state. This is important to help find vulnerabilities that may not have been identified in the development phase. Container security tools will scan and secure containerized applications in a cloud environment. Software composition analysis tools will inspect the versions of packages being used and notify when any outdated, vulnerable packages are being used.
- Code development process: Your secure code development process should include at least peer review, testing, scanning, and use processes that highlight security as a priority. Not utilizing these principles can lead to unsecured code getting pushed into a development and production environment.
- Continuous cyber training: Cybersecurity is the responsibility of everyone in the organization. There should be continuous cybersecurity training and resources available to everyone. Every person plays a key role in securing an organization. Complete 360-degree protection requires team effort.
- Human resources: It takes a commitment to have dedicated staff focused on security. These staff can continuously monitor traffic, coordinate remediations, conduct risk assessments, and respond to incidents, minimizing the risk of loss of data and downtime of your systems and IT infrastructure.
It's important to consider these items and the investment in people and systems when building your own system. You could also consider an off-the-shelf purpose-built solution, but there are still many things to consider when buying such solutions.
Cybersecurity protections to look for when buying an inventory software
Third-party software can bring many benefits to your business, such as increased efficiency and access to specialized tools. However, you should evaluate common protections when considering commercial tools:
- Preventing unpatched vulnerabilities: Ensure that your vendor's software is regularly updated and patched. This will prevent potential vulnerabilities, if any, from being abused.
- Boosting data privacy: Ensure that your vendor's software complies with privacy regulations and has robust security measures in place to protect your data. It's also a good idea to have a contract with the vendor, which outlines their responsibilities of your data privacy
- Establishing secure integration with other systems: When integrating third-party software with your existing systems, understand how it interacts with the rest of your infrastructure — assess potential risks to your network and ensure that the integration is secure.
- Planning software updates: Understand your vendor’s software update process and have a plan in place to manage updates. This will ensure that the changes are compatible with other systems, prevent the introduction of new vulnerabilities in your system and disruption of your business operations.
- Avoiding malware: Regularly scan your vendor's software with antivirus and download software only from trusted sources to avoid malware.
- Having dedicated security personnel: Make sure your vendor has certified and trained in-house cybersecurity staff to bring in best practices (CSOonline.com)
Trinnex’s measures against cyber attacks
At Trinnex, cybersecurity is a priority and leadCAST includes layers of cybersecurity controls to protect client data and isolate the application from enterprise software in use at the utility.
Some of the controls we use at Trinnex include:
- Password security: Poor user and password protection represents one of the most common vulnerabilities. leadCAST enforces password complexity, maintaining password history, and implementing lockout configurations to enforce brute force protection.
- Application security: Application security is enforced by a number of application testing tools. All applications undergo continuous testing against threats annotated in the Open Worldwide Application Security Project (OWASP) Top Ten and more. Annual penetration tests are also performed within the infrastructure to identify flaws and misconfigurations. Public endpoints and networks are scanned continuously to identify and remediate vulnerabilities. Trinnex runtime environments are monitored and configured to alert appropriate personnel if any indicators of compromise are identified across our network and applications.
Our infrastructure is backed up and tested to ensure the reliability of those backups.
We believe in following a defense in depth approach across our infrastructure. By having security as a main priority through all stages, we ensure that our applications are created, hosted, and used to promote confidentiality, integrity, and availability.
Ready to learn more about a secure LCRR software solution?
Learn more about leadCAST — your one-stop-shop for LCRR compliance. Our experienced developers have been doing this for a long time and have invested in security testing applications to ensure the code is secure.
If you would like to learn more about us, feel free to reach out to our team of experts. You can also download our buyer’s guide to learn about your inventory options, or attend a live demo to learn more about leadCAST.