Cybersecurity continues to grow as a critical initiative for water utilities, with certain trends helping to drive and even accelerate digital transformation. Becoming a smart water utility goes beyond operational technology such as smart sensors or remote monitoring. Information technology (IT) also plays a critical role, with forward-thinking leaders looking for ways to safely and efficiently harness the data available around them.
Key cybersecurity trends driving digital transformation
#1: Cybersecurity awareness has become more mainstream
Recent events such as the rise of cybersecurity incidents at public utilities and a shifting global political landscape (the White House recently asked all businesses to heighten cybersecurity protocols) have made cybersecurity top of mind for many communities. Just the mention of Oldsmar is enough to trigger a quick check of the most critical operating systems. In a recent survey, a whopping 80% of organizations in critical infrastructure industries such as water and electric utilities reported experiencing a ransomware attack within the last year.
#2: Utilities have access to funds and resources, now more than ever
In January 2022, the Biden-Harris administration revealed a new cybersecurity initiative for the water industry. The Water Sector Action plan is “a collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technologies and systems that provide cyber-related threat visibility, indicators, detections, and warnings...”, according to the White House statement. The Infrastructure Investment and Jobs Act (IIJA) provides further support for cybersecurity initiatives, with about $2 billion set aside to help strengthen critical infrastructure systems.
#3: The COVID-19 pandemic drove digital adoption to new levels
While not a new trend, the COVID-19 pandemic drove several water utilities to adopt new technologies to enable capabilities such as remote operations. An April 2021 water industry report by SWAN and Bluefield Research shows a shift in comfort levels with technology before and after COVID-19, with digital spending expected to reach nearly $12 billion by 2030.
Top cybersecurity resources for water utilities
Water utilities do not have to approach cybersecurity on their own. Several resources exist to support, educate, and update utilities around cybersecurity:
- Join an Information Sharing and Analysis Organization. ISAOs provide real-time knowledge transfers on cyber threats, with several local chapters available. An industry-specific security network also exists called the Water Information Sharing and Analysis Center (WaterISAC).
- Use AWWA’s Cybersecurity Assessment Tool. The American Water and Wastewater Association (AWWA) cybersecurity assessment tool scores participants based on how they use technology and provides a list of the security controls most applicable to remediating system vulnerabilities.
- Follow some basic cybersecurity best practices. Follow some of the suggestions in WaterISAC’s Cybersecurity Fundamentals such as reporting incidents to warn others, enforcing user access controls, and avoiding sharing passwords (no matter how harmless it may seem). The Environmental Protection Agency (EPA) also offers an extensive list of cybersecurity best practice resources for the water sector.
- Hire cybersecurity experts. The National Association of Regulatory Utility Commissioners or NARUC offers a cybersecurity workforce guide to help utilities understand everything from building the right team to evaluating alternatives to in-house cybersecurity. The guide also offers sample job descriptions for several levels of cybersecurity roles.
Becoming A Digital-First Resilient Utility
As utilities begin to explore and introduce new digital solutions into their organizations, they will also take on cybersecurity activities such as vetting software before purchasing or using new tools. Some larger utilities have a dedicated IT department or resource helping to vet and implement software purchases. The vetting process can involve verifying whether and how a vendor performs application security testing (AST), meaning the vendor checks its software for bugs and fixes security gaps.
The most thorough vendors follow a complete AST process which involves three types of testing: static testing (evaluating the software in its static form), dynamic testing (evaluating running software), and software composition analysis (looking at all the tools used to create and run the software).
Work with a partner that understands digital-first resiliency in all its forms
Trinnex helps clients advance through their digital journey and follows all three levels of AST, including API security scanning, penetration testing, and security information and event management. Reach out today for a free consultation on how we can support your digital-first resiliency goals.