How Water Utilities Can Bolster Information Security on a Limited Budget

By Dave Purkiss & Tony Giles

Cyberattacks by malicious actors against critical infrastructure are becoming more common, and no industry is immune. Water utilities are no exception, as the Pennsylvania and Florida water utility cyberattacks have shown. Cybersecurity Awareness Month in October is a good time for utilities to revisit their digital security and address vulnerabilities that put communities at risk. That starts with learning about the most common current threats and how to bolster security, even with limited resources.

Understanding Current Threats

Malicious actors, foreign and domestic, are targeting critical infrastructure and exploiting its vulnerabilities. The most common threats utilities currently face include:

  • Lack of Staff Security Awareness and Training: Employees play a significant role in protecting digital data and controls. Proper training is critical so that this first line of defense does not become the weak link that causes a breach. The most common employee mistakes include clicking on phishing links and mishandling sensitive information.
  • Security Tool Fatigue: Information security adds extra steps to employees' work, which can lead to “security fatigue.” Lax practices like reusing passwords, leaving default passwords in place and failing to follow security protocols consistently significantly erode the effectiveness of a cybersecurity program.
  • Physical Security Threats: While cybersecurity is critical, physical security matters too. Tactics like tailgating (an unauthorized person following an authorized employee through a locked door) can lead to a data breach by physical means. It is also imperative that visiting workers such as janitors, construction workers and maintenance contractors are chaperoned while in the facility.
  • Uncertainty About Where to Start: For many water utilities, data security can be overwhelming, and many do not know where to begin. Inaction born of being overwhelmed leaves critical systems exposed.

Building a Cost-Effective Cybersecurity Program

With significant threats on the rise, water utilities must act to protect their communities. Practical steps that enhance digital security without significant expertise or budget include:

  1. Implementing Front-Line Defense Policies: Robust password policies are important and easy to implement. Wherever possible, strong, unique passwords should be required for every system, default vendor passwords should be replaced, and passwords should never be reused across systems or shared between people; two-factor authentication should also be required. Utilities should also regularly update and patch their software to protect against known vulnerabilities.
  2. Providing Employee Training: Regular training sessions can help raise awareness about common threats like phishing and social engineering and teach staff how to recognize and respond to suspicious activities. This can significantly reduce the risk of a successful attack.
  3. Creating a Cybersecurity Plan: Cybersecurity plans should be comprehensive and include specific steps the utility will take to protect its digital assets. Details like incident response protocols, audits, and ongoing risk assessments should be included. There are many free templates and frameworks available online that can be adapted to suit the needs of a water utility.
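The password rules in step 1 are only effective if someone checks them. The script below is an added example, not NSF's tool or anything from the original article: it audits a credential inventory for the three lapses the article names (default vendor credentials, weak passwords, and the same password reused across systems). The inventory, the system names and the default-credential list are all constructed for illustration; a real run would read an export from the utility's password manager or asset register, and the default list would come from the vendor manuals for the equipment actually deployed.

```python
"""Audit a credential inventory against a simple password policy.

Added example, not from the original article. All data below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample inventory (hypothetical systems and accounts).
INVENTORY = [
    {"system": "hmi-plant1", "user": "operator", "password": "Summer2024!"},
    {"system": "scada-hist", "user": "operator", "password": "Summer2024!"},
    {"system": "plc-well3",  "user": "admin",    "password": "admin"},
    {"system": "vpn-gw",     "user": "jsmith",   "password": "Tq7#vL9m!pR2wZx4e"},
    {"system": "billing-db", "user": "sa",       "password": "password1"},
]

# Constructed list of (username, password) pairs shipped as defaults; replace
# with the defaults documented for the devices the utility actually runs.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("sa", ""),
}

# Constructed list of passwords that should never be accepted regardless of length.
COMMON_PASSWORDS = {"password", "password1", "admin", "1234", "123456", "welcome"}

MIN_LENGTH = 14          # policy value assumed for this example
MIN_CHARACTER_CLASSES = 3


def is_weak(password: str) -> bool:
    """True if the password is short, lacks variety, or is on the common list."""
    if len(password) < MIN_LENGTH:
        return True
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < MIN_CHARACTER_CLASSES:
        return True
    return password.lower() in COMMON_PASSWORDS


def audit(inventory):
    """Return (system, user, issue) findings; the password itself is never included."""
    findings = []
    accounts_by_password = defaultdict(list)
    for entry in inventory:
        key = (entry["system"], entry["user"])
        if (entry["user"], entry["password"]) in DEFAULT_CREDENTIALS:
            findings.append((*key, "default vendor credential"))
        elif is_weak(entry["password"]):
            findings.append((*key, "weak password"))
        accounts_by_password[entry["password"]].append(key)

    # Reuse is a separate finding: a strong password shared by two systems means
    # compromising one system hands the attacker the other.
    for accounts in accounts_by_password.values():
        if len(accounts) > 1:
            for key in accounts:
                findings.append((*key, f"password reused across {len(accounts)} accounts"))
    return sorted(findings)


if __name__ == "__main__":
    for system, user, issue in audit(INVENTORY):
        print(f"{system:12} {user:10} {issue}")
```

The findings deliberately carry only the system, account and issue, so the report can be handed to management or an auditor without leaking the secrets it was checking. In the constructed sample, the `vpn-gw` account is the only one that passes: the two `operator` accounts are flagged for both weakness and reuse, the PLC is still on its vendor default, and the database `sa` password is on the common list.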

Utilizing Free Resources

Water utilities often lack dedicated IT or cybersecurity staff in addition to facing resource challenges. Low-cost and free resources can still help them improve their cybersecurity defenses and protect their communities. Utilities can take advantage of resources like:

  • KnowBe4: This platform teaches users how to recognize and respond to phishing attacks.
  • NSF’s YouTube Channel: These free videos cover security reviews, risk assessments, security controls and security pitfalls.
  • NSF’s CyberSecure Webinar Series: This free, on-demand series explains how to build a stronger foundation on the key elements of information security, protecting proprietary operations and business data.
  • NSF’s CyberSecure Free Trial: This platform provides a policy builder, a repository for information security policies and real-time feedback on existing policies.

These resources let water utilities assess their current security posture and identify areas for improvement, building a stronger defense against cyber threats without incurring significant costs.

Securing Critical Infrastructure

As a key component of critical infrastructure, water utilities must understand current cybersecurity threats, know how to implement cost-effective cybersecurity measures, and know what free or low-cost resources are available to strengthen their defenses against malicious actors.

Security posture should be evaluated continually, and Cybersecurity Awareness Month every October is a natural time to do so. Even with a limited budget and no in-house cybersecurity knowledge, water utilities can obtain budget-friendly expertise to help protect their data and controls.

The key to effective cybersecurity is not necessarily having the most advanced tools but rather having the right practices and awareness in place. Through implementing these security steps, water utilities can better ensure the safety and reliability of their services for their communities.


Dave Purkiss is the Vice President of NSF and has more than 35 years of experience in all aspects of water treatment and distribution systems. He leads NSF’s global water programs, including offices in the U.S., Belgium, China, India, Korea and the U.K.

Tony Giles is Director of Information Security at NSF. Giles leads the teams that audit and certify organizations’ information security management systems. Giles is an ISO/IEC 27001, ISO/IEC 20000-1 and ISO 9001 Lead Auditor and is involved with the Cybersecurity Maturity Model Certification (CMMC) program.
