Water and Wastewater Facilities are facing a crucial time in their journey to modernization, as Digital Transformation is bringing about a shift in risk. For those of us who specialize in cybersecurity and critical infrastructure, it was no surprise that cybersecurity recently moved up from number 16 to number 12 in top risks facing the water sector (American Water Works Association). As industry modernization projects like smart water systems and advanced data analytics are rolled out, we can only expect this trend to rise, with cybersecurity’s taking centerstage as the number one concern. Cybersecurity is a growing concern not just within the water sector, but across all industries. Solving an issue of this magnitude is going to take a community and partnership approach to help water facilities create a culture of cybersecurity that includes addressing fundamentals, assessing risks, openly sharing threat intelligence, managing vulnerabilities, monitoring networks, and securing supply chains.
Is There a Shortcut?
Building a successful cybersecurity program takes real effort and commitment. Long gone are the days that an effective cybersecurity defense was a basic firewall, anti-virus software installed on a few workstations, and an outdated security policy sitting in a drawer. Today’s threat landscape is riddled with advanced attackers who are backed by hostile nation-states and deliver business-crippling ransomware that costs millions to clean-up. In the most recent report from AWWA, only “20% of survey participants said that their utility had fully implemented or was accessing its plan to address cyber intrusions”. That is a shockingly low number, but is – again – unsurprising. This metric reflects the realities of building and maintaining an effective security program. Few utilities (or larger, established companies for that matter) have the budget and resources to fully implement a security program by themselves. Building strategic partnerships with security-first vendors and the wider community are essential to fully develop a security strategy. How effectively water facilities identify the right partners decides whether they delay or accelerate their IT-Security goals and plans. Experienced partners will help conserve budget, streamline efforts, and maximize ROI. At True Digital Security one of our mottos is Security is a Team Sport. Tackling the challenges of cybersecurity will require a whole team of industry peers, partners with expertise, and the wider IT and cybersecurity communities.
The Fundamentals
In 2019, the WaterISAC (the international security sharing network created by and for the water & wastewater sector) published updated cybersecurity guidance that outlines 15 fundamental security controls to help guide utilities and organizations in developing a security program. (It should here be noted that these controls are not ranked by priority, and all organizations should consider each control as a vital component of their overall strategy.)
- Perform Asset Inventories
- Assess Risks
- Minimize Control System Exposure
- Enforce User Access Controls
- Safeguard from Unauthorized Physical Access
- Install Independent Cyber-Physical Safety Systems
- Embrace Vulnerability Management
- Create a Cybersecurity Culture
- Develop and Enforce Cybersecurity Policies and Procedures
- Implement Threat Detection and Monitoring
- Plan for Incidents, Emergencies, and Disasters
- Tackle Insider Threats
- Secure the Supply Chain
- Address All Smart Devices (IoT, IIoT, Mobile, etc.)
- Participate in Information Sharing and Collaboration
When you are just starting to build a new cybersecurity strategy, this list can sound daunting. You are probably asking yourself, How do I prioritize all these? Where do I even start? These are legitimate questions and ones that a good strategic partner is equipped to help you answer. Listening to experts will only accelerate your efforts by helping you identify which pieces should be offloaded for the greatest efficiency, with less cost, to achieve greater impact (aka ROI). To realize this ROI, your strategic partnerships should include organizations who truly know cybersecurity and the challenges associated with managing and securing critical infrastructure.
If you would like to talk about decisions your organization is facing with technology, you can request a consultation with us any time. We are here to help!
