Shaping the Future of the Water Sector – Cyber Security

Written by Abby Davey

Future Water has a vision centred on ‘Shaping the Future of the Water Sector’ – therefore the organisation brings together experts to look at issues facing the sector.

Cyber security is often seen in the water sector as an IT issue, paramount in the areas of customer service and billing. Overseen by the GDPR legislation (in Europe) and the proposed CDPA in America, the risk of a breach through ransomware or other cyber-attack can be expensive in downtime and lead to large fines, British Airways' £186million and subsequent fines being a case in point.

Too often across internal departments, the impact of OT (Operational Technology) cyber security is misunderstood. With the geopolitical tensions across the globe, grasping how APT* cells operate, and why, is perhaps a stone many would wish to leave unturned.

When an APT with nation-state resources or a global crime syndicate gets involved, the research prior to an attack can take months, if not years. It is one thing to hold your customer data for ransom, but consider the impact of holding the water supply to a neighbourhood to ransom, or the impact of releasing wastewater into rivers or oceans as a form of environmental ransom.

In 2014 the global illicit drugs market was estimated to be worth $426bn – $652bn (*2). It is estimated that cybercrime will inflict global damages totalling $6 trillion in 2021. It is important to understand the volume of resources, both people and machines, involved in an activity of that scale.

One person or one department in a water company cannot compete against APT resources, which is why it is important that all departments and personnel receive awareness training. Only through education and training is it possible for all staff to understand how they can innocently assist an APT. This of course does not just apply to the water company; it has an impact across the whole water industry supply chain.

For example, LinkedIn has details of job roles and can be searched by company, so individuals and peer groups can be identified. This is useful for phishing exercises with attachments containing malware, made to look like invitations to industry events and purportedly sent by an identified peer group member. The e-mail address formats of organisations are easily identifiable, and Twitter often carries details of contracts won, sent by marketing departments. What's more, technical departments often have service/maintenance documents online with easy-access logins, and design departments may manufacture to a cyber security standard with a threat level suitable for a basic hacker but not for an APT.

With water companies embarking on a journey of big data and AI for operational intelligence, leading to leak reduction and ultimately cost reduction (with a desire to be net carbon neutral), will OT cyber security be an inhibitor to innovation?

Its work looks at the draft European Union AI regulations, which cover unacceptable-risk AI systems, high-risk AI systems, and limited- and minimal-risk AI systems.

High-risk AI systems include safety-critical systems (e.g. systems that would put the health of citizens at risk due to failure).

It is often not understood in a head office or when working from home, that at some point a colleague will go out in the dark and in the rain to resolve an operational issue. Is it not the duty of all the company employees to ensure they can trust the information read on HMI screens?

OT cyber security is about much more than money – it’s about all our health and safety.

With the UK government launching the new cyber security strategy in December 2021, some key impacts will include businesses and organisations effectively managing their cyber risks, and proposing improvements to corporate reporting of resilience, including cyber risks. Never has it been more important to include all departments in the risk analysis process. It can no longer be left to finance departments alone.

Commenting on the new Cyber security newsletter from Cyber@futurewaterassociation.com, Future Water CEO, Paul Horton, said:

“Standards are a vital part of the water industry, ensuring that we deliver excellence in projects and use the best equipment. They help to drive new ideas and innovations across products and services and the Future Water group is all about understanding and unlocking potential that standards bring to the water sector”.

In the area of OT Cyber Security, IEC 62443 and ISO 31000:2018 risk management are vital when taking in our risk assessments for PR24; I fully recommend consulting the excellent IET code of practice for cyber security and safety.

Only by being fully cyber aware can our industry ensure Innovation does not stagnate.

*An Advanced Persistent Threat (APT) uses continuous, clandestine, and sophisticated hacking techniques to gain access to a system. – Kaspersky

*2 Global Financial Integrity’s Transnational Crime and the developing world report.