The current geopolitical tectonic shift and ubiquitous digital innovations make for a perfect storm of cybersecurity concerns within water companies, writes Bruno Lhopiteau.
Cyberthreats have reached a new high point during the ongoing global crisis. The 2021 hacking of the water treatment plant in Oldsmar, Florida, where an intruder used remote-access software to change the sodium hydroxide dosing setpoint, has renewed interest in the cybersecurity of public utilities. Unfortunately, such lessons are easily forgotten.
A quick recap of past headlines makes the point. In 2016, hackers manipulated valve and flow settings at the so-called Kemuri Water Company (a pseudonym used in Verizon's breach report) in the US, altering the amount of chemicals used to treat water. The same year, the Israeli Electricity Authority (the national electricity regulator, not the grid operator) was hit by a ransomware attack.
In 2015, a coordinated attack on Ukrainian regional electricity distribution companies, rather than on power plants, cut power to around 230,000 customers. Even further back, in 2010, the malicious computer worm Stuxnet was first uncovered, targeting Siemens programmable logic controllers through the supervisory control and data acquisition (SCADA) and engineering software used to programme them.
As well as cyberattacks, incidents resulting from technical errors can prove equally crippling. Take the long-announced retirement of Adobe Flash, which impacted many industrial systems whose graphical interfaces and scheduling screens still depended on the plugin. When Flash's built-in kill-switch began blocking content in January 2021, a railway scheduling system in Dalian, China, went offline for 20 hours, stranding passengers.
Few people realise that most cybersecurity breaches are never reported because it is bad publicity and the victims want to avoid promoting copycat crimes. However, given the current geopolitical outlook, it is perhaps inevitable that cyber threats will increase.
The rise of “Shadow IT”
Traditional industrial control systems (PLC, SCADA) in water utilities were long considered secure by virtue of being isolated from the outside world. That isolation is only as good as every path into the plant, as Stuxnet showed when it spread on USB media into networks that were supposedly disconnected. Today, technologically obsolete components (as seen with Adobe Flash) cohabit with a growing range of IoT gimmicks.
Connected objects transmit data wirelessly, over private or public networks, to third-party providers such as IoT clouds. These are then interfaced with business systems running on the office network. Simply put: external and internal IT systems are becoming more connected, and each new link is a potential path from the internet to the plant.
The Covid-19 pandemic is said to have accelerated this transformative digitalisation trend, widely celebrated in the media.
One example is the now widespread use of remote support “AR glasses” to avoid travel during Covid-19 lockdowns: real-time videos of technical activities in plants are now routinely transmitted over the internet!
Lower barriers to entry for such innovative solutions mean that individual departments, small start-ups, and perhaps even students are trialling such systems as proofs of concept. However, such developments often fly under the radar of central IT departments, creating countless new loopholes. This phenomenon is known as “Shadow IT”.
Lessons from China
Many companies tackle cybersecurity from a technical perspective: the realm of IT specialists. In countries where authorities have issued cybersecurity regulations, the legal department may take the lead to avoid heavy fines if found non-compliant, often reinforcing legal terms in suppliers' contracts.
Yet, as former French Prime Minister Georges Clemenceau once said: “War is too important to be left to the generals.” Chairman Mao Zedong also noted that “the Party commands the gun”, not the other way round.
Cybersecurity goes beyond being a purely technical or legal issue; it must be integrated into the utilities’ overall risk management strategy. The Chinese approach is very interesting in this regard.
The government has developed a holistic view of cybersecurity that combines personal data protection and national security. The resulting complex, expansive, evolving set of cybersecurity laws still puzzles many observers, but that's another story.
Chinese law points to a risk management approach by mandating a self-assessment of cybersecurity risks for all companies. Water and energy utilities fall into the category of Critical Information Infrastructure Operators (CIIO), with very specific additional requirements, but the risk management approach is mandatory for every company operating in China.
Is more digital the answer?
I personally welcome the approach and think it is a natural one for public utilities, which presumably already run mature risk management programs. We have helped Chinese water companies to digitalise their risk prevention, which had become too complex to be managed manually, in line with ISO 31000 (risk management) and ISO 55000 (asset management).
An example is Zhongshan Water, the municipal water company of a city of three million inhabitants in South China. Siveco implemented a program aimed at ensuring water quality, later expanding into other risk areas such as equipment reliability.
This raises the question of whether further digitalisation is, in fact, needed to help reduce the risks that digitalisation itself creates.