Cybersecurity continues to grow as a critical initiative for water utilities, with certain trends helping to drive and even accelerate digital transformation. Becoming a smart water utility goes beyond operational technology such as smart sensors or remote monitoring. Information technology (IT) also plays a critical role, with forward-thinking leaders looking for ways to safely and efficiently harness the data available around them.
The importance of cybersecurity for water utilities
Water utilities face unique challenges in protecting their infrastructure and operations from cyber threats. Here are some reasons why cybersecurity for water utilities matters:
- Critical infrastructure: Water utilities operate critical infrastructure. A disruption to their operations could have significant consequences for public health, safety, and the economy.
- Vulnerable control systems: Many water utilities use control systems to manage their operations, such as monitoring water quality, controlling pumps, and regulating flow. These systems can be vulnerable to cyber-attacks, and an attack could result in loss of control over these critical operations.
- Sensitive information: Water utilities manage sensitive information, such as customer data, water quality data, and financial information. Cybercriminals can steal this information for financial gain, or to cause harm to the utility or its customers.
- Aging infrastructure: Many water utilities have aging infrastructure, which may not have been designed with cybersecurity in mind. Upgrading these systems to be more secure can be expensive and time-consuming but is essential to protect against cyber threats.
The Cybersecurity & Infrastructure Security Agency (CISA) offers additional information on cyber risks for the water industry. Utilities must protect their systems by implementing strong cybersecurity measures and training employees on safe cyber practices; this will ensure the security and reliability of utilities’ operations, protect public health, boost public safety, and help utilities retain their customers’ trust.
Key cybersecurity trends driving digital transformation
#1: Cybersecurity awareness has become more mainstream
Recent events such as the rise of cybersecurity incidents at public utilities and a shifting global political landscape have made cybersecurity top of mind for many communities. In 2022, the White House asked all businesses to heighten cybersecurity protocols and recently released a memo specifically emphasizing the need for cybersecurity for water utilities. Just the mention of Oldsmar is enough to trigger a quick check of the most critical operating systems. In a recent survey, a whopping 80% of organizations in critical infrastructure industries such as water and electric utilities experienced a ransomware attack within the last year. The 2022 official cybercrime report hints that the cost of cybercrime can reach $8 trillion USD in 2023.
#2: Utilities have access to funds and resources, now more than ever
In January 2022, the Biden-Harris administration revealed a new cybersecurity initiative for the water industry. The Water Sector Action Plan is “a collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technologies and systems that provide cyber-related threat visibility, indicators, detections, and warnings...”, according to the White House statement. The Infrastructure Investment and Jobs Act (IIJA) provides further support for cybersecurity initiatives, with about $2 billion set aside to help strengthen critical infrastructure systems.
#3: The COVID-19 pandemic drove digital adoption to new levels
While not a new trend, the COVID-19 pandemic drove several water utilities to adopt new technologies to enable capabilities such as remote operations. An April 2021 water industry report by SWAN and Bluefield Research shows a shift in comfort levels with technology before and after COVID-19, with digital spending expected to reach nearly $12 billion by 2030.
Top cybersecurity resources for water utilities
Water utilities do not have to approach cybersecurity on their own. Several resources exist to support, educate, and update leaders on important topics related to cybersecurity for water utilities:
- Join an Information Sharing and Analysis Organization. ISAOs provide real-time knowledge transfers on cyber threats, with several local chapters available. An industry-specific security network also exists called the Water Information Sharing and Analysis Center (WaterISAC).
- Use AWWA’s Cybersecurity Assessment Tool. The American Water and Wastewater Association (AWWA) cybersecurity assessment tool scores participants based on how they use technology and provides a list of the security controls most applicable to remediating system vulnerabilities.
- Follow some basic cybersecurity best practices. Follow some of the suggestions in WaterISAC’s Cybersecurity Fundamentals such as reporting incidents to warn others, enforcing user access controls, and avoiding sharing passwords (no matter how harmless it may seem). The Environmental Protection Agency (EPA) also offers an extensive list of cybersecurity best practice resources for the water sector.
- Hire cybersecurity experts. The National Association of Regulatory Utility Commissioners (NARUC) offers a cybersecurity workforce guide to help utilities understand everything from building the right team to evaluating alternatives to in-house cybersecurity. The guide also offers sample job descriptions for several levels of cybersecurity roles.
Becoming A Digital-First Resilient Utility
As utilities begin to explore and introduce new digital solutions into their organizations, they will also take on cybersecurity activities such as vetting software before purchasing or using new tools. Some larger utilities have a dedicated IT department or resource helping to vet and implement software purchases. The vetting process can involve verifying if and how a vendor does application security testing (AST), meaning the vendor checks for bugs and fixes security gaps in its software.
The most thorough vendors follow a complete AST process, which involves three types of testing: static testing (evaluating the software in its static form), dynamic testing (evaluating running software), and software composition analysis (looking at all the tools used to create and run the software).
Work with a partner that understands digital-first resiliency in all its forms
Trinnex helps clients advance through their digital journey and follows all three levels of AST, including API security scanning, penetration testing, and security information and event management. Reach out today for a free consultation on how we can support your digital-first resiliency and compliance goals.