How Water Utilities can Boost Their Cybersecurity Resilience
Posted: Monday, Sep 11



Around the world, water utilities are fighting an increasing battle against a rapidly evolving foe. Cybercriminals are targeting supply infrastructure intent on causing disruption, confusion, and losses.

Tactics can include shutting down supply to consumers or tainting water with additives that make it unusable. The cost of rectifying such incidents can be significant in both time and money.

Utilities experiencing cyberattacks, and their customers, can suffer in a number of ways. If water quality is compromised, it could cause health problems that may lead to long-term legal battles. There is also the prospect of a negative impact on an organisation’s reputation and brand.

To reduce the risk of successful cyberattacks, increasing numbers of utilities are embracing the concept of the Internet of Things (IoT). This involves deploying digital sensors across an infrastructure that report back on everything from equipment function to flows and quality.

In the water sector, IoT strategies build on the older concept of operational technology (OT). These systems comprise everything from industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems to programmable logic controllers (PLCs).


A different view of security

While the benefits of both IoT and OT are well understood, things become concerning when they are viewed from the perspective of IT security. Many of the older systems still in use today were designed and built using unsecured, open communication protocols and comprise components that cannot be patched or updated.


Also of concern is the fact that many infrastructure components are now being exposed to the public internet. This opens a potential digital door for attackers intent on gaining access and causing harm.


The original designers of these infrastructures did not have security top-of-mind, as they did not anticipate that their work would ever be connected to the internet. Instead, they assumed it would operate in isolation and therefore be secure against external threats by default.

Visibility is key

To overcome this security challenge, water utilities need to find ways to improve the level of visibility they have into their operational infrastructures. This is needed so that threats can be spotted early, and steps immediately taken to reduce their impact.

Unfortunately, however, there are often gaps in a utility’s ability to gather and analyse telemetry data collected from OT systems. As a result, security analysts are unable to correlate changes in physical processes that might be indicative of a potential event.

To improve visibility into their infrastructures, growing numbers of water utilities are deploying security information and event management (SIEM) platforms. Such platforms make it significantly easier for security operations centre (SOC) teams to examine SCADA networks and identify unauthorised activity.

By using a SIEM to analyse the data collected from OT systems and correlate it with information from other security solutions, a SOC team can identify potential threats and take proactive measures to prevent them from becoming a major security incident.
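The correlation described above can be made concrete with a small script. The following Python example is added here for illustration; it is not code from the article, nor from any SIEM product. It assumes two constructed feeds a SIEM might ingest from a water utility's OT network: historian telemetry (tag values such as a chlorine dosing setpoint) and a protocol log of which host issued a write command to which PLC. All tag names, IP addresses, timestamps and thresholds are invented sample values. A large step change in a process value on its own is only a medium-severity anomaly; the same change within a short window of a write from a host that is not on the authorised engineering list is raised to high severity, which is the kind of cross-source correlation a SOC team relies on.

```python
"""Toy SIEM-style correlation of OT telemetry with PLC write events.

Added illustration, not from the original article or any vendor. All data
below is constructed sample data, not real utility telemetry.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed historian feed: (ISO timestamp, "<plc>.<tag>", value).
TELEMETRY = [
    ("2023-09-11T02:00:00", "PLC-3.chlorine_setpoint_ppm", 1.2),
    ("2023-09-11T02:05:00", "PLC-3.chlorine_setpoint_ppm", 1.2),
    ("2023-09-11T02:10:00", "PLC-3.chlorine_setpoint_ppm", 8.5),  # sudden large jump
    ("2023-09-11T02:15:00", "PLC-3.chlorine_setpoint_ppm", 8.5),
    ("2023-09-11T03:00:00", "PLC-7.pump_speed_pct", 60.0),
    ("2023-09-11T03:05:00", "PLC-7.pump_speed_pct", 62.0),       # normal small drift
]

# Constructed protocol/network log: (ISO timestamp, source host, target PLC).
WRITE_LOG = [
    ("2023-09-11T02:09:40", "10.0.5.23", "PLC-3"),  # host not on the authorised list
    ("2023-09-11T03:04:50", "10.0.1.10", "PLC-7"),  # authorised HMI
    ("2023-09-11T04:00:00", "10.0.5.23", "PLC-7"),  # unauthorised, but no process change
]

# Hypothetical allow-list of engineering/HMI hosts permitted to write setpoints.
AUTHORISED_WRITERS = {"10.0.1.10", "10.0.1.11"}


@dataclass
class Alert:
    severity: str  # "high", "medium" or "low"
    plc: str
    reason: str
    at: str        # ISO timestamp of the triggering event


def _ts(s):
    return datetime.fromisoformat(s)


def _jumped(prev, value, ratio):
    """True when value is at least `ratio` times larger or smaller than prev."""
    lo, hi = sorted((abs(prev), abs(value)))
    if lo == 0:
        return hi != 0
    return hi / lo >= ratio


def detect_process_anomalies(telemetry, jump_ratio=2.0):
    """Return (time, plc, tag, prev, value) for each step change >= jump_ratio."""
    last = {}
    found = []
    for ts, tag, value in sorted(telemetry):
        prev = last.get(tag)
        if prev is not None and _jumped(prev, value, jump_ratio):
            found.append((_ts(ts), tag.split(".")[0], tag, prev, value))
        last[tag] = value
    return found


def detect_unauthorised_writes(writes, authorised):
    """Return (time, source, plc) for writes from hosts outside the allow-list."""
    return [(_ts(ts), src, plc) for ts, src, plc in writes if src not in authorised]


def correlate(telemetry, writes, authorised, window_s=300, jump_ratio=2.0):
    """Join process anomalies with unauthorised writes on the same PLC.

    A process jump preceded within window_s seconds by an unauthorised write to
    the same PLC is high severity; a jump alone is medium; an unauthorised write
    with no observed process change is low (still worth a look).
    """
    alerts = []
    anomalies = detect_process_anomalies(telemetry, jump_ratio)
    bad_writes = detect_unauthorised_writes(writes, authorised)
    matched = set()
    for at, plc, tag, prev, value in anomalies:
        hits = [w for w in bad_writes
                if w[2] == plc and 0 <= (at - w[0]).total_seconds() <= window_s]
        if hits:
            w = hits[0]
            matched.add(w)
            alerts.append(Alert("high", plc,
                                f"{tag} changed {prev} -> {value} within {window_s}s "
                                f"of write from unauthorised host {w[1]}",
                                at.isoformat()))
        else:
            alerts.append(Alert("medium", plc,
                                f"{tag} changed {prev} -> {value} with no matching write",
                                at.isoformat()))
    for w in bad_writes:
        if w not in matched:
            alerts.append(Alert("low", w[2],
                                f"write from unauthorised host {w[1]} with no process change",
                                w[0].isoformat()))
    return alerts


if __name__ == "__main__":
    for a in correlate(TELEMETRY, WRITE_LOG, AUTHORISED_WRITERS):
        print(f"[{a.severity.upper()}] {a.at} {a.plc}: {a.reason}")
```

On the sample data this produces one high-severity alert for PLC-3 (the chlorine setpoint jump 20 seconds after a write from 10.0.5.23) and one low-severity alert for the later unauthorised write to PLC-7; the authorised HMI write and the small pump-speed drift produce nothing. In a real deployment the allow-list, window and jump threshold would come from the utility's engineering baseline rather than constants in the script.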


Taking a ‘security-first’ strategy

Improved visibility can then become a core element in a wider ‘security-first’ strategy. This encompasses both OT and IT elements and ensures effective security measures are in place across both.


A well-constructed security-first strategy can also support the concept of threat lifecycle management. This incorporates a range of important steps including forensic data collection, discovery, qualification, investigation, neutralisation, and recovery. Following these steps helps a utility identify threats quickly, neutralise their impact, and recover from any disruptions that may have occurred.


A security-first strategy will also help to ensure that the human element of effective security is not overlooked. Employees need to understand their role in helping to prevent cyberattacks and what they should do if they suspect that one has taken place.

Regular training should be conducted that explains the importance of taking care with everything from keeping personal credentials secure to not opening suspicious email attachments. Staff need to understand that small incidents such as these can have widespread security implications for their entire organisation.


By deploying a SIEM platform and putting in place a security-first strategy, water utilities can be much better prepared to fend off security threats or effectively respond should one occur. The risk of disruption of supply to consumers will be greatly reduced and the likelihood of financial and reputational losses lessened.


Cyberthreats are going to continue to increase in both number and complexity. By taking these steps now, utilities will be well placed to deal with those that might be encountered in the future.

Michael Bovalino