By Constantine Antoniou
Sodium hydroxide is used as an acidity control and metal remover by water utilities. Too much of the corrosive material can cause chemical burns and other uncomfortable side effects. In 2021, when a hacker accessed a Florida water utility’s computer system and altered the sodium hydroxide levels
in the drinking water, the event caused well-earned consternation.
Concern for the safety of the water supply has ignited government responses, such as the Joint Cyber Defense Collaborative’s (JCDC) 2023 emphasis on enhancing “the security and resilience of edge devices for the water sector.” The JCDC, a Cybersecurity and Infrastructure Security Agency (CISA) initiative, demonstrates in its reference to “edge devices” the need for water utilities to continue digital modernization and facilities automation while improving cyber-confidence in modern operational technology.
Modernization is a Must Despite Attendant Security Concerns
Modernizing and digitalizing utilities, which JCDC espouses, is critical to the sector. Introducing digitized systems, such as smart meters, edge computing, and high-efficiency UPSs enables new business models and customer services. Digitized new-generation utility services bestow cascading benefits, such as higher network uptime, more profitable and resilient prosumer activities, and higher customer satisfaction. However, the process of modernizing and digitalizing utilities also introduces new cybersecurity attack surfaces.
By applying the principles of advanced cybersecurity to the operational technology involved in digitization, water systems operators can safely tuck their prized assets away from danger. Unfortunately, advanced cybersecurity principles have not typically been top of mind during utility network design.
The new efforts from CISA will help utilities adopt a stronger security posture while modernizing, bringing along a traditionally neglected sector in dire need of ramped-up cybersecurity measures. Along with following the agency’s lead, utilities and water systems operators can accelerate their cybersecurity transformation by considering the following ways of buttressing cybersecurity processes.
3 Ways to Beef Up Security in Tandem with JCDC Recommendations
1.) Collaborate. The JCDC calls for a collective cyber response in the form of “a coordinated public-private response to minimize impacts and quickly recovery.” The joint effort is needed in part because the water sector lacks in-house security experts, one of the main challenges in reinforcing security practices. Water organizations often don’t even know where or how to begin when selecting the right cyber tools for their environments to ensure they’re adhering to the latest security industry standards. By collaborating with agencies like the Department of Energy (DOE) and companies across the water industry, vulnerable entities such as water utilities, can better protect systems, such as edge devices (meter, testing tools, etc.).
2) Standardize. Protecting utilities presents a unique range of challenges, from considering the electrical grid and local water supply, to interdependent oil and gas lines. As part of cities’ critical infrastructures, we must protect and manage them to a level of detail not usually required in other industries as they keep us safe, warm, hydrated and with the lights on. This means the organizations operating within the utilities industry must strive for the highest cybersecurity levels under global standards, such as IEC 62443, especially when they start digitalizing operations.
3) Invest. Reinforcing cybersecurity measures means investing time, attention and capital in a way that mitigates risk, minimizes cost, and maximizes effectiveness both now and in the long term. Investments of this magnitude enable sustainable cybersecurity practices — if hackers impact infrastructure operations, attacks can deeply affect energy sustainability.
Performing regular cybersecurity assessments, implementing network segmentation, ensuring regular backups, and providing consistent cybersecurity training are some of the first steps the utility industry can take to improve its cybersecurity posture.
Water Systems Must Visualize the Unknown for Enhanced Security
The core problem with current cybersecurity practices is the unknown. During the 2021 sodium hydroxide incident, stronger security practices may have alerted the facility before the hacker could impact operational systems.
Many organizations face similar challenges when analyzing the root causes of an attack — they are unable to definitively rule out why the attack was allowed to take place.
Being able to detect a breach on the security perimeter empowers organizations with knowledge and control. It also permits further analyses should another attack occur. Utilities-sector companies need enhanced security practices, especially as they ramp up digitization initiatives that widen the attack surface.
The Joint Cyber Defense Collaborative is a crucial initiative, underscoring the need for private-public partnership to shore up public infrastructure. Proactive organizations that consider these recommendations can bolster the collective’s effort, further reinforcing their systems against future attacks.
Constantine Antoniou is business consultant, global cybersecurity solutions and services, at Schneider Electric. He is a seasoned engineering executive who spent the first decade of his career designing complex industrial systems before spending the next decade designing and executing countless large-scale OT and IT client projects globally.
By Constantine Antoniou
Sodium hydroxide is used as an acidity control and metal remover by water utilities. Too much of the corrosive material can cause chemical burns and other uncomfortable side effects. In 2021, when a hacker accessed a Florida water utility’s computer system and altered the sodium hydroxide levels
in the drinking water, the event caused well-earned consternation.
Concern for the safety of the water supply has ignited government responses, such as the Joint Cyber Defense Collaborative’s (JCDC) 2023 emphasis on enhancing “the security and resilience of edge devices for the water sector.” The JCDC, a Cybersecurity and Infrastructure Security Agency (CISA) initiative, demonstrates in its reference to “edge devices” the need for water utilities to continue digital modernization and facilities automation while improving cyber-confidence in modern operational technology.
Modernization is a Must Despite Attendant Security Concerns
Modernizing and digitalizing utilities, which JCDC espouses, is critical to the sector. Introducing digitized systems, such as smart meters, edge computing, and high-efficiency UPSs enables new business models and customer services. Digitized new-generation utility services bestow cascading benefits, such as higher network uptime, more profitable and resilient prosumer activities, and higher customer satisfaction. However, the process of modernizing and digitalizing utilities also introduces new cybersecurity attack surfaces.
By applying the principles of advanced cybersecurity to the operational technology involved in digitization, water systems operators can safely tuck their prized assets away from danger. Unfortunately, advanced cybersecurity principles have not typically been top of mind during utility network design.
The new efforts from CISA will help utilities adopt a stronger security posture while modernizing, bringing along a traditionally neglected sector in dire need of ramped-up cybersecurity measures. Along with following the agency’s lead, utilities and water systems operators can accelerate their cybersecurity transformation by considering the following ways of buttressing cybersecurity processes.
3 Ways to Beef Up Security in Tandem with JCDC Recommendations
1.) Collaborate. The JCDC calls for a collective cyber response in the form of “a coordinated public-private response to minimize impacts and quickly recovery.” The joint effort is needed in part because the water sector lacks in-house security experts, one of the main challenges in reinforcing security practices. Water organizations often don’t even know where or how to begin when selecting the right cyber tools for their environments to ensure they’re adhering to the latest security industry standards. By collaborating with agencies like the Department of Energy (DOE) and companies across the water industry, vulnerable entities such as water utilities, can better protect systems, such as edge devices (meter, testing tools, etc.).
2) Standardize. Protecting utilities presents a unique range of challenges, from considering the electrical grid and local water supply, to interdependent oil and gas lines. As part of cities’ critical infrastructures, we must protect and manage them to a level of detail not usually required in other industries as they keep us safe, warm, hydrated and with the lights on. This means the organizations operating within the utilities industry must strive for the highest cybersecurity levels under global standards, such as IEC 62443, especially when they start digitalizing operations.
3) Invest. Reinforcing cybersecurity measures means investing time, attention and capital in a way that mitigates risk, minimizes cost, and maximizes effectiveness both now and in the long term. Investments of this magnitude enable sustainable cybersecurity practices — if hackers impact infrastructure operations, attacks can deeply affect energy sustainability.
Performing regular cybersecurity assessments, implementing network segmentation, ensuring regular backups, and providing consistent cybersecurity training are some of the first steps the utility industry can take to improve its cybersecurity posture.
Water Systems Must Visualize the Unknown for Enhanced Security
The core problem with current cybersecurity practices is the unknown. During the 2021 sodium hydroxide incident, stronger security practices may have alerted the facility before the hacker could impact operational systems.
Many organizations face similar challenges when analyzing the root causes of an attack — they are unable to definitively rule out why the attack was allowed to take place.
Being able to detect a breach on the security perimeter empowers organizations with knowledge and control. It also permits further analyses should another attack occur. Utilities-sector companies need enhanced security practices, especially as they ramp up digitization initiatives that widen the attack surface.
The Joint Cyber Defense Collaborative is a crucial initiative, underscoring the need for private-public partnership to shore up public infrastructure. Proactive organizations that consider these recommendations can bolster the collective’s effort, further reinforcing their systems against future attacks.
Constantine Antoniou is business consultant, global cybersecurity solutions and services, at Schneider Electric. He is a seasoned engineering executive who spent the first decade of his career designing complex industrial systems before spending the next decade designing and executing countless large-scale OT and IT client projects globally.
Share this post