Cybersecurity in a Digital Water and Infrastructure World

Q&A with Nick Nedostup, Chief Information Security Officer, Xylem

Digital technologies are fundamental to solving major water and resource challenges, giving utilities, industrials and other sectors unprecedented visibility and insight into their data and operations to help them optimize and achieve bold water, energy and cost savings. As more water operators and users adopt these increasingly connected and integrated solutions, there is also a growing need to ensure cybersecurity protections. This post provides perspective about how cybersecurity fits into the overall digital water and infrastructure picture, emerging threats facing our industry, and what utilities and the broader water sector can collectively do to manage risk. 

Q: How can we build cybersecurity in?

Nick Nedostup: Digital transformation requires a strong partnership between all parties that make up the ecosystem, which includes suppliers and service providers like Xylem, integrators, and utilities, industrials and other businesses. This means we must collectively include cybersecurity in all critical phases of water, from product development and supply chain management through to sustainability efforts, so that assets stay current with regard to security best practices and standards. In this way, we collectively empower the movement while making a conscious choice to manage risk as related to threats of today and tomorrow.

Q: What cybersecurity threats do we face?

NN: In light of current events, ransomware has become a prevalent threat and a noteworthy discussion point. Ransomware is a form of malicious software that uses encryption to render access to the victim’s files useless unless a ransom is paid. Ransomware is not a new tactic, as it’s been used for years. What’s changed, however, is the trend in cybersecurity attacks as focused on Industrial Control System (ICS) assets and critical infrastructure.

For example, industrial cybersecurity expert Dragos cited in an annual analysis report: “Four new threat groups with the assessed motivation of targeting ICS/OT (Industrial Control Systems/Operational Technology) were discovered, accounting for a 36 percent increase in known groups” and the emergence of “EKANS (ransomware with ICS-specific functions).” Altogether, ransomware and the overall shift towards ICS have become a growing concern to many.

Q: How real is the risk and the underlying impact?

NN: In essence, ransomware is considered a means to an end. It provides attackers with a highly effective way to achieve a lucrative payout with little risk on their part. A successful ransomware attack on an ICS might mean costly disruption of critical operations relevant to ICS assets such as pumps controlled by connected digital technology. Industry association WaterISAC states: “Average estimates for the cost of cyberattacks run from tens of thousands of dollars for small organizations to millions of dollars for large organizations.” 

To avoid further impact, some ICS asset owners may opt to pay the ransom as the lesser of two evils, which is why ICS has become such an attractive attack target. This trend has also caught the attention of policymakers due to impact on critical infrastructure and public safety, and it’s signaling the likelihood that stricter regulations may be passed. Overall, in lieu of these factors, and the effect on the water industry, we must think differently about cybersecurity risk and do more. 

Q: What can we do to manage the risk?

NN: We must all do our part. To help mitigate cybersecurity threats, below is a recommended set of safeguards as aligned with ISA/IEC 62443, which is an industry standard for securing ICS assets. Although leveraging these practices may inherently help to mitigate against various threats such as ransomware, this is considered a general set of safeguards and a starting point. Specifically, as active participants in digital transformation, we are all responsible for managing the risk. That not only means considering these recommendations based on risk appetite, but also playing an active role to embed cybersecurity as a key element of the movement.

  • Secure Products - Enhance protections for user identities by leveraging strong authentication and authorization along critical paths to ICS assets such as remote access channels.
  • Secure Deployment - Execute a multi-barrier approach to keep assets resilient to attack (e.g. asset segmentation, secured by default with least access required, ability to continuously update).
  • Continuous Health and Monitoring - Employ a security-relevant monitoring approach that includes active threat detection and response based on traceable events (i.e. forensic trail).
  • Incident Response Services - Establish capabilities that preempt operational risks, including backup and recovery, cybersecurity incident planning, training and awareness for critical staff (e.g. tabletop exercises). Leverage relevant expertise as offered by industry associations, partners, and retained service providers.

Product security at Xylem

For more information on our approach to Product Cybersecurity or to contact our security team, please visit