An effective cybersecurity strategy is comprehensive and considers a wide range of both internal and external factors but, at the same time, it must be focused — knowing where to prioritize effort and resources to achieve the most value.
2. Do you have the capability to manage a security incident that could impact critical operations?
Today’s cybersecurity ecosystem is increasing both the complexity and efficacy of attacks on water utilities – and some are struggling to adapt to the rapidly evolving threat landscape. In February 2021, for example, a water utility in Florida suffered a major cyber incident. Cyber attackers were able to gain access to systems in the water treatment facility and sought to add a dangerous level of additive to the water supply. If successful, this could have impacted the lives of nearly 15,000 residents.
The incident highlights that the sector can no longer approach cybersecurity with the mentality that attacks are unlikely or foreseeable. Instead, utilities must tackle the evolving environment by developing an incident response (IR) plan that includes granular threat-driven playbooks to better analyze, detect and contain threats; involve third parties where necessary; and recover from cybersecurity attacks with limited impact on operational continuity.
3. Are you ready for a converged approach to IT and OT cybersecurity service delivery?
IT, IIoT and OT domains are becoming more integrated, and responsibility for security is becoming more blurred, especially in physical asset-intensive organizations such as water utilities. The business value in ever-increasing connectivity and machine-to-machine interaction creates the growing need for a trusted, resilient and reliable environment to enable robotics, automation and digitized upstream operational services such as smart meters.
A converged IT/OT approach to cybersecurity resilience is not a new concept, but it’s one that water utilities continue to struggle with for several reasons, including the prevalence of technical skills shortages and organizational cultural resistance.
A common starting point for convergence could be the establishment of an IT and OT security operations center. This would provide a common operating platform that helps to monitor and analyze an organization’s IT and OT security posture on an ongoing basis, and facilitates a common set of people, process and technology practices to help detect and respond to cybersecurity incidents.
4. Can you adapt to changing regulation?
As technology transforms and continues to impact water utilities on a global scale, regulations governing the cybersecurity of organizations within the sector continue to adapt to the changing environment.
In addition to the US and EU legislation highlighted above, in December 2020, the Australian Government released the Exposure Draft of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill). The Bill seeks to amend the Security of Critical Infrastructure Act 2018 to implement an enhanced framework to uplift the security and resilience of Australia’s critical infrastructure. In its current state, the Bill includes a number of obligations for water utilities, e.g.: (i) to have, and comply with, a critical infrastructure risk management program; (ii) mandatory reporting of certain types of cybersecurity incidents to a relevant Commonwealth body; and (iii) for assets of national significance, to work with Australian Signals Directorate (ASD) to conduct cybersecurity exercises.
The challenge for water utilities will be the need to find mechanisms to comply with all of these regulations cost-effectively and efficiently. According to the EY Global Information Security Survey (GISS) 2021, 55% of power and utility respondents agree that in the next few years, regulations will become more fragmented and time-consuming to manage.
5. How have you responded to increased third-party risk and remote working since COVID-19?
Water utilities have long worked with multiple third parties, outsourcing operational work to external contractors, sometimes with confusion around which supplier is working on a particular piece of infrastructure. This use of third parties is increasing as the sector forms collaborations to pool knowledge and skills to better serve customers and accelerate innovation. And while this brings huge benefits, it also amplifies risks, particularly as remote working has become more commonplace due to the COVID-19 pandemic.
For many organizations, including water utilities, third-party risk management (TPRM) processes have not kept pace with increased threat levels. A recent EY survey found that, while 64% of companies said that recent data breaches or losses were caused by third parties, only 34% have reassessed the inherent risk profile of their third parties. And 40% are still using manual processes to validate third parties’ risk profiles.
The innovation that the sector requires to stay competitive relies on partnering with a diverse group of suppliers, so the answer is not to avoid working with third parties. Instead, organizations should enhance TPRM capabilities and ask suppliers for independent assurance, including through service organization controls reporting, as to the soundness of their controls.
6. Do you have a security-by-design approach to adopting disruptive technologies?
Advancing technologies, including the IoT, smart meters, analytics and artificial intelligence, allow the sector to enhance performance while improving efficiencies and saving costs, but they also exponentially increase exposure to prominent cybersecurity threats.
While some companies in the sector have been quick to adopt disruptive technologies, many have neglected to consider the adverse cybersecurity consequences that come with them. This exposes them to new risks, including hacking that results in data breaches, privacy intrusion through eavesdropping, and even the risk of technology failures putting water quality at risk or shutting down operations altogether.
As the sector moves to adopt technological innovation, security should be front of mind rather than an afterthought. A security-first approach that builds cybersecurity resilience into the design and architecture of all new system implementations, then thoroughly tests it before going live, helps companies to mitigate the risks that disruptive technologies may bring into the operating environment.
Strengthening today to make the most of tomorrow’s opportunities
With a number of regulators around the world likely to set tougher requirements around cybersecurity, the sector must act now to ensure it is ready to fend off attacks and demonstrate resilience. A strong cybersecurity strategy should set priorities that consider all critical IT and OT assets, allocate adequate resources to manage them, and build the agility for effective incident response. It should also be ready to adapt to changing regulation, and ensure that TPRM is keeping up with the increased use of third parties and remote working.
Summary
As data and technology continue to reshape the sector, water utilities must keep cybersecurity at the forefront of all digital transformation projects. Greater resilience will not only help protect critical water assets but also give companies the capabilities and confidence they need to make the most of new technologies and drive innovation.