Keeping Water Cyber Secure
A very real threat
Ever since the infamous Stuxnet cyberattack destroyed Iranian uranium processing capabilities a decade ago, industrial control systems have been a known target for cybercriminals.
For the water industry, cyberattacks represent a very real threat.
There has been a spate of events over the last few years, most recently in Israel where an attack in April saw a serious attempt to increase the chlorine content in drinking water. Even more recent attacks have been reported.
According to a new analysis from Cisco Systems and Jacobs Engineering, the adoption of new technologies such as digital networks, remote operations, real-time data acquisition and analytics, means water systems are not as digitally secure as they used to be.
As a result, the door has been opened to substantial cyber risks for critical infrastructure.
The changing nature of cyberattacks
Attempting to address this issue, the 2018 America's Water Infrastructure Act requires US water systems serving more than 3300 people to develop or update their risk assessments and emergency response plans, including operational technology cybersecurity.
However, for many water utilities, even those serving many thousands of individuals, there are no such legal requirements.
Perhaps even more troubling, many such utilities do not seriously consider the risks associated with the changing nature of cyberattacks.
“The risk to the water industry is that cyber is changing,” says Barry Searle, director of training at Intqual Pro.
Speaking to Aquatech Online, he says: “It’s moved from IT and data theft to disruption of operational technologies for criminal purposes. There has been a big shift.”
“Threat groups have realised that if they can limit access to critical systems like SCADA, they can make a lot more money.”
He added: “Previously attacks were all about data theft, but in the past two to three years that has changed to denial of service attacks. Threat groups have realised that if they can limit access to critical systems like SCADA or operational technology, they can make a lot more money."
Ensuring reliable and robust security
The Cisco/Jacobs white paper ‘Cities and Communities: Cybersecurity for Water Utilities’ highlights the need for water utilities to identify cyber vulnerabilities and adopt solutions.
These should result in reliable and robust security to ensure the public health and operational resiliency.
Unfortunately, the distributed nature of many small water supply networks also potentially increases their vulnerability to cyberattack.
Independent IT expert Jonathan Aslin, operations director at Intsilo, believes the water sector has some catching up to do on cybersecurity.
“Although the water industry is generally local in nature, rather than national like the electricity grid or international like finance, and might be considered a less obvious target, the source and reach of the threat can be global,” he says.
“All infrastructure presents an attractive target, so if the water industry in its widest form is less well defended than other sectors, then state or non-state actors might seek to exploit the weak areas.”
According to Cisco and Jacobs, cybersecurity shares many similarities with 'defence in depth' physical security. The key to protecting industrial control networks is to minimise exposure with a clear and well-defined separation of operational technology, the enterprise network, and the cloud.
This approach enables organisations to employ well-defined border protections. However, simply protecting the boundary is not enough as no single product or technology can fully secure water assets.
“Water network operators need to consider multi-layered defences.”
Instead, water network operators need to consider multi-layered defences. While attacks may breach one or more lines of defence, it becomes steadily more difficult to overcome each additional barrier.
Building a multi-layered defence
As well as building multi-layered defences, it’s important to note that threats are continually evolving.
“The state-sponsored threat is the highest it has ever been at the moment. They all have a better offensive cyber capability than we have a cyber defensive capability,” adds Searle.
He says: “It is very difficult to prevent cyberattacks, it's about cyber resilience and for us the water industry doesn't have any. They are just relying on luck, and the regulators aren't pressing them.
“The water industry needs to realise that just because they haven’t had a major international incident doesn’t mean they won’t. The industry needs to learn lessons from elsewhere and become proactive rather than reactive.”
Any disruption or failures in water operational control systems could result in injury or death, but water assets represent a far larger threat and potential value at risk.
“We would do well to remember that the threat goes beyond contamination of drinking water, to include consequential damage through inundation caused by interference with dams, reservoirs, sump pumping, drainage and sewage systems, and physical damage caused by a failure of water cooling systems,” adds Aslin.
“This presents a myriad range of weaknesses to defend, up and down the supply chain, and across a dispersed network of organisations.”
A cultural shift is required
Consequently, water sector operators must perform a thorough assessment to understand their vulnerabilities.
They should follow this with the development of a robust plan that can ensure cybersecurity throughout their digital enterprise not just today, but which also considers the secure infrastructure needs of the future.
“Financial services are 10 years ahead of water…I am not seeing the same level of investment or engagement in the water industry.”
This will likely require something of a cultural shift, according to Searle.
“Financial services are probably 10 years ahead of the water industry because the commercial risks associated with data protection for banks are significant,” he adds.
“For the power sector, securing assets, securing networks and understanding the risks of allowing contractors to come in and plug in external equipment is a major part of their cybersecurity investment as they look to secure the engineering side. I am not seeing the same level of investment or engagement in the water industry.”
The potential risks of cyberattacks on the water sector are so significant, though, this needs to change as a matter of urgency.
Share your water technology stories with us
Do you have an innovation, research results or an other interesting topic you would like to share with the international water technology industry? The Aquatech website and social media channels are a great platform to showcase your stories!
Please contact our Sr Brand Marketing Manager Annelie Koomen.
Are you an Aquatech exhibitor?
Make sure you add your latest press releases to your Company Profile in the Exhibitor Portal for free exposure.