Water industry needs to boost cybersecurity protection
Legacy technologies reaching end-of-life, increasing investments in digitisation and automation, and the growing prevalence and sophistication of cybercrime are creating a melting pot of risk for water utilities, says Marc Wren, OT Cyber Security Manager at Axians Cloud & Cybersecurity.
Teams from VINCI Energies brands Actemium and Axians have combined their respective process control and cybersecurity expertise to provide robust protection for operational technologies within critical infrastructure.
Ensuring the reliability and safety of water supply to homes and businesses is at the core of every water utility’s operations. However, these principles are coming increasingly under threat from the digital world.
The number of cyberattacks around the world is increasing year on year, with attackers finding increasingly sophisticated ways to wreak havoc. Along with manufacturers, transport providers, and energy companies, water utilities are a common target.
On Monday 19th August, South Staffordshire Water, which controls the water supply of around 1.6 million people, confirmed it had been the victim of a ransomware gang attack. While the attack seems to have been focused on the IT network, the gang claimed that it had accessed the OT (operational technology) network, specifically the systems that monitor the levels of chemicals in the water.
During the drought conditions across the UK this summer, the water utility staff worked extremely hard to maintain a safe supply, and this attack will certainly have inhibited their ability to focus on this.
Other attacks on water utilities hit the news in April 2020, when cybercriminals attempted to raise the level of chlorine at five Israeli Water Authority facilities, and in February 2021, when a hacker attempted to increase the sodium hydroxide in a municipal water supply in Florida, USA, to dangerously high levels.
A multitude of challenges
Due to age, many facilities run on legacy technologies, designed for efficiency over security. At the same time, new investments in digitisation and automation, including the industrial internet of things (IIoT) and hyperconnectivity of systems for remote access or analytics, are creating new and greater surfaces for attack. While these produce fantastic opportunities for efficiency, they need to be installed with a security-first approach.
Mindsets towards industrial cybersecurity and the protection of operational technologies are changing, but water utilities have to juggle addressing these risks with the other investments they need to make, all amid a staff and skills shortage.
Current operations staff often face the challenge of maintaining system uptime, while implementing complex design changes and upgrades, which leaves little time to focus on asset and vulnerability management.
Others may have policies in place to superficially fulfil the requirements of the 2018 NIS (Security of Network & Information Systems) directive but lack the people capable of maintaining and actioning them.
Help is on hand
OT cybersecurity is most effective when paired with a deep understanding of the process and control systems. As the UK’s largest automation company – via the Actemium brand – and a major player in ICT – via Axians – VINCI Energies UK & RoI is uniquely positioned to help water utilities in the UK protect the safety of their assets and customers.
Vinci works with water and wastewater companies to assess the impact of a potential cyberattack on their OT and implement cybersecurity measures in a phased way, according to the budget and risk level.
Cybersecurity is simplest when designed into an OT system from the start, but Vinci can also support customers to successfully implement robust cybersecurity into existing water systems and treatment processes. The most important thing is to have visibility and monitoring in place, so you can understand what is going on within the network and what needs to be protected.
In either case, the technical solution is only part of the equation. An overhaul of company procedures may also be required, creating good governance and enforcing policies to support the technical controls.