Identify critical assets
A large portion of the water utility sector does not have full visibility of its OT and IIoT assets, which leaves vulnerabilities unknown and means risk is continually tolerated beyond the organization's risk appetite thresholds. Although initially challenging, protecting the critical physical processes that underpin water infrastructure – including water transfer, purification and distribution – should be front and center in a cybersecurity strategy. Water utilities should identify the greatest vulnerabilities within these processes, the likelihood of their being exploited (and by whom) and the impact of exploitation, so that these can form the basis of a risk-driven security program.
Assess key risks and threats
Water utilities cannot respond to cybersecurity threats without first understanding what they are. Building a threat profile that considers critical assets, the threat actors who may target them and the threat scenarios in which they may do so is an important step. With threat actors varying widely – from nation states to disgruntled former employees and random “lone wolves” – the water utility sector should conduct a comprehensive threat and risk assessment that can help identify those most likely to pose a threat.
Fill control gaps
The rapid evolution of technology transforming critical national energy and resources assets, including those in the water utility sector, has sometimes left regulators struggling to keep up with change. For example, while smart meters are being adopted at pace within the water industry, some countries currently have no security standards specific to industrial control systems (ICSs). Water utilities should therefore act to fill control gaps by considering local and global industry benchmarks, standards and best practice, e.g.:
- The universally adopted standard ISA/IEC 62443, which helps organizations reduce the risk of exposing ICSs to cybersecurity attacks
- The US Government’s National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity and its guide to control system security, NIST Special Publication 800-82
- Regulation (EU) 2019/881 (the Cybersecurity Act), which establishes an EU cybersecurity certification framework for ICT products, services and processes
Ensure you have the ability to execute
Knowing which risks, regulatory drivers and critical assets to focus on is only the start. Water utilities must then be realistic about their ability to execute against a cybersecurity strategy and road map. Are budgets adequate? Do they have the right skills in-house? Do governance mechanisms exist to enable business leaders to make decisions and support the cybersecurity strategy?
For many in the sector, getting these resource and governance structures in place will be critical to ensuring any cybersecurity strategy delivers true resilience. In its simplest form, the operating model defines where and how critical work gets done across an organization. It serves as a crucial link between the cybersecurity strategy and the detailed organization design that is in place to deliver on the strategy.
To make sure that any cybersecurity strategy and road map is realized, water utilities should develop a target operating model. This helps communicate the interplay of governance, resourcing, processes and organizational structure required to facilitate delivery of a cybersecurity road map and its capabilities to service consumers both within and outside the organization.