Cyberattacks have presented threats to water utilities for years; however, with the rise in global conflicts and creative warfare tactics, breaches have become more complex and damaging than ever before. The Florida City water utility breach, where levels of sodium hydroxide levels were increased to dangerous levels, is a key example of how a cyberattack can significantly damage a water utility’s infrastructure and, as a consequence, the communities it serves.
While digital and remote work has become essential for convenience and efficiency, it also provides malicious actors with yet another avenue to manipulate chemical amounts to dangerous levels, posing a direct threat to consumers. Faced with limited resources and a shortage of cybersecurity expertise, utility managers must explore comprehensive approaches to fortify their defences against cyber threats.
Enhancing Security and Expertise with Restricted Budgets
A proactive and creative approach is crucial in navigating cybersecurity risks with a restricted budget. Utility managers can take steps today without significant financial investments or extensive expertise using the following tips.
Leveraging Free Resources for Budget-Conscious Utilities
Free online resources can help utilities to stay informed and educated on cybersecurity. Training platforms like KnowBe4, as well as NSF’s channel on YouTube offer free educational videos. NSF also offers an on-demand CyberSecure webinar series for additional security information. With so much free information available online, it is important to leverage trusted sources to better verse yourself and your staff on cybersecurity practices.
The digital landscape continuously changes as emerging technologies become more widespread and hackers improve their tactics. Brushing up on data protection and safeguards for water utilities is never a bad idea and managers should do so multiple times per year to stay updated and informed.
Strengthening Access Controls and Passwords
In a digital world, most of us already know that having a strong password is crucial; however, it is more important to implement and mandate recurring best practices to secure and refresh strong passwords. Passwords should include special characters, numbers, and upper and lowercase characters. All team members should use multi-factor authentication (MFA), especially on highly sensitive platforms to ensure an extra level of security. Managers can educate team members on this practice and require it from the top down.
Systems should be quickly patched and updated, either through a qualified internal team member or an external party to help create a solid foundation against unauthorised access attempts. Lastly, implementing robust access controls is fundamental in fortifying cybersecurity. This involves managing who in the utility has access to critical controls, ensuring only essential employees have access.
Focusing on Employee Training
Recognising employees’ pivotal role in data security, regular training sessions encompassing both physical and digital security aspects are essential. This includes educating employees on risks associated with public Wi-Fi use and implementing measures including security cameras and guards to address physical security threats. Be particularly cautious and have heightened security around holidays as those days have the highest rate of cyberattack attempts. Cultivating awareness of both digital and physical hacking possibilities reduces the likelihood of human errors compromising cybersecurity.
Preparing for Breaches with Cybersecurity Plans
It is crucial to have a well-defined cybersecurity plan to minimise the impact of a breach. Even if you believe that this will not happen to your plant and that you have strong cybersecurity practices in place, you should always plan for worst-case scenarios and be prepared to act quickly. Hold regular drills to ensure team members are confident and effective in executing their roles during a real incident. Be sure to have specific team members and their roles in a crisis outlined in the plan, so there is no question of who should do what in the case of a breach, and ensure it is regularly updated.
Investing in Infrastructure for Enhanced Protection
Updating outdated technology usually involves a large upfront cost, but it is essential to maintain strong protection against evolving cybersecurity threats. It can reduce costs down the line if the system is breached as hackers often ask for ransom money or damage systems during their breach. If a full technology update is not feasible for the water utility, regularly updating current technology and systems to the latest software can help protect against hackers using the latest tactics.
External Support for Strong Cybersecurity
Water utility experts may not have the cybersecurity expertise necessary to properly secure their utility, so seeking third-party support may be the best option to help protect the utility. This is especially true as utilities commonly use software tools like the Internet of Things (IoT), Geographic Information Systems (GIS), and supervisory control and data acquisition (SCADA) systems. A new tool that water utility managers can utilise is NSF’s CyberSecure tool. It is powered by artificial intelligence (AI) and is a great first step. The tool reviews an organisation’s information security policy and tailors cybersecurity suggestions to your unique needs. NSF CyberSecure is a cost-effective platform and currently offers a free trial, helping water utilities learn where their cybersecurity practices may need refining or extra support.
External evaluations from a third party, including risk assessments and gap analyses, serve as a great tool for identifying vulnerabilities in security. For the best support, ISO 27001: Information Security Management certification helps identify vulnerabilities and guide the implementation of industry best practices. Additionally, certification provides third-party verification that utilities are meeting strict security standards, providing confidence for their stakeholders. All these tools serve as great external resources for water utilities wanting to bolster their security and protect their communities.
Embracing a Comprehensive Approach
In navigating the evolving landscape of cybersecurity threats, water utilities must adopt a robust and proactive approach. This involves implementing strong passwords and access controls, taking advantage of free resources, training employees, creating cybersecurity plans, and leveraging third-party support. Past water supply breaches serve as a reminder of the risks and consequences of hackers in our critical infrastructure. In an era where remote work is common for daily operations, water utilities have a responsibility to operate as securely as possible to protect the communities they serve and provide safe drinking water to our communities.
Written by Dave Purkiss, Vice President of Global Water, NSF, and Tony Giles, Director of Information Security, NSF-ISR
Related articles:
Xylem and Dragos Partner to Bring Cybersecurity Leadership to Water Utilities