Purifying Water of Cybersecurity Threats

Potable water and wastewater management is a top priority for cybersecurity professionals and the Biden administration alike. With new regulations and funding, companies must find the best way to implement and manage cybersecurity to protect these systems.

As the U.S. federal government begins to focus on securing more of its critical infrastructure against the rising risk of large-scale cybersecurity attacks, a late January statement from the White House has zeroed in on securing water facilities.

The U.S. Environmental Protection Agency (EPA), the National Security Council (NSC), the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Water Sector Coordinating Council and Water Government Coordinating Council (WSCC/GCC) are all taking part in President Biden’s industrial control systems (ICS) initiative. This is part of National Security Memorandum 5, Improving Cybersecurity for Critical Infrastructure Control Systems.

The Industrial Control Systems Cybersecurity Initiative – Water and Wastewater Sector Action Plan concentrates on high-impact activities that can be surged within 100 days to protect water resources by improving cybersecurity across the water sector. The federal government and critical infrastructure community will help facilitate the deployment of technologies that provide cybersecurity-related threat visibility, indicators, detections and warnings.  

Prior to this, the federal government set out to create new standards and regulations, beginning with the American Water Infrastructure Act of 2018 (AWIA 2018), which called for water utilities to perform an assessment and response plan.

Management of Water and Utilities

The United States relies on a decentralized water utility network, putting state, municipal and city governments in charge of managing their own utilities. While some private companies cover vast regions, it is common to see individual towns and cities manage their own water for their residents.

While these standalone utility authorities allow communities more autonomy and flexibility in their operations, they commonly struggle to pool together the critical resources needed to secure their operations against the ever-evolving face of cybersecurity threats. Lack of standards and regulation presents opportunities for hackers looking to disrupt their delicate operational technology (OT) and industrial control systems (ICS). This is especially true at a time when these facilities are facing the need for remote access and operations to remain resilient during natural disasters and pandemics, beyond cyberattacks.

These fragmented systems open new attack vectors for competitive nation-states, criminals and terrorists to exploit vulnerabilities in a far more distributed infrastructure. This means water districts and municipalities sharing reservoirs also share risks. One example is that water asset owners are located in rural areas, although they may have large water supplies. Being on the periphery makes them less likely to receive government funding early on, relative to larger providers, even though they are more susceptible to cybersecurity attacks because of a lack of regulation due to their smaller size.

Part of AWIA 2018 recommends monitoring the operational networks at water utilities. Continuous monitoring, anomaly detection, incident management and reporting, and remediation planning are vital to remaining compliant. These clearly defined deliverables will aid in protecting the water infrastructure for people throughout the country. An effective ICS/SCADA protection plan requires comprehensive identification and mapping of all devices, connections, ports and other network assets. Only then will utility providers be able to detect vulnerabilities and exposures while assessing them in terms of severity and potential impact if compromised.

Devising an ICS protection plan can be a daunting task. There’s no one-size-fits-all solution, and in many cases, operators have incomplete visibility into their networks.

Partner With an MSP Organization

It’s critical to partner with a managed services provider (MSP) organization to save time and resources in implementation. This allows water utilities to immediately harden the vulnerabilities they face in their systems. Strengthening a facility’s cybersecurity posture is not just a large technical load; without the right mixture of partner and toolset, it also introduces a significant risk of project failure. Resources are too critical to rely on the educated guesswork of industry veterans and experts.

Some companies in the field are working around the globe and facing similar issues. While some systems and regulatory protocols may vary by region, the global cybersecurity threat landscape demands the same level of protection regardless of location. The golden opportunity presented by the current administration in the U.S. is a once-in-a-lifetime chance for managers of critical utility sites to secure themselves today and into the future.


Ilan Barda

Ilan Barda is CEO at Radiflow
