To keep the protection of communities a top priority, water and wastewater utilities must not only consider measures that physically protect water supplies but also implement cybersecurity solutions that can thwart cyberthreats. These solutions include protecting water/wastewater system sensors connected via the Internet of Things (IoT), as well as operational technology (OT) distributed control systems (DCS) and information technology (IT) networks.

There has been approximately a 400% increase in attempts to compromise critical infrastructure since the beginning of 2020. For the water sector, the OT DCSs are often the target of choice for the adversary. These systems control water treatment and release chemicals to maintain a clean water supply, among other key processes. If, for example, IoT sensors are targeted and inaccurate data is communicated to the DCS, the water supply could become tainted.

The first step to improving cybersecurity for a water or wastewater utility is identifying any systems especially vulnerable to cyberattack. An asset inventory should be completed to identify what digital assets the utility has, what cybersecurity measures are already in place, and any gaps in cybersecurity that might exist.

Foundational elements of cybersecurity programs, such as asset management, cyber control management and change/configuration control practices, provide a certain level of cyber assurance. Deploying additional access control mechanisms, such as multifactor authentication, can further restrict remote access to only approved and authorized users. Visibility tools that provide monitoring and detection capabilities can facilitate a response that minimizes or mitigates threats before they impact operations. Finally, segmenting the OT and IT systems and networks, so that the utility treatment DCS and the business side of the utility stay separate, can limit the potential impact if one system is compromised and the adversary attempts lateral movement.

To be prepared to respond to a cybersecurity incident, a utility should have an incident response plan developed, tested and ready to deploy. For instance, if a ransomware attack occurs, the utility should have a response plan in place. It is never a sure bet the hacker will release data after a ransom is paid, and paying the ransom could make the utility a target in the future if attackers know the facility has paid in the past. Through a robust backup and recovery program, the utility will still have the information needed to minimize downtime while also limiting the power the ransomware might have over utility operations.

Traditionally, a majority of water and wastewater funds are used for updating aging infrastructure, leaky pipes or other immediate repairs. However, as digitization occurs across critical infrastructure sectors, cybersecurity must compete with these other priorities if the utility is to remain resilient, safe and secure. Serving as one of many funding sources, the Drinking Water and Wastewater Infrastructure Act provides over $35 billion to help address U.S. water infrastructure needs.

In the world of cybersecurity, proactive preparation is crucial to remaining one step ahead of hackers. Cybersecurity threats are always evolving, which means cybersecurity services and solutions must also be ready to pivot to meet these threats head-on.

 


By Eric R. Ervin, CISSP, global cybersecurity director for utilities and manufacturing at 1898 & Co., part of Burns & McDonnell. He leads teams of cybersecurity professionals focusing on improved risk management, situational awareness, resiliency and preparedness for power and water utilities and manufacturers in the U.S. and internationally. Over a career spanning nearly 20 years, Eric has worked for major Midwest utilities in corporate security and cybersecurity roles.