Protecting critical infrastructure has taken on new meaning as cyberattacks rise. Water is no exception. In 2022, the U.S. Government picked water as one of its critical infrastructure focus areas to raise minimum security standards and other governments similarly are raising cybersecurity standards.
The scrutiny on water utilities comes alongside a drive to adopt next-generation digital technologies. Operators need digital solutions and services that they can trust.
For Kenneth Crowther, Product Security Leader at Xylem, this presents an opportunity for utilities to both embrace the benefits of digital while strengthening security protections through a shared responsibility approach that includes technology providers.
As we develop the next generation of technology that empowers utility workers, one of the main messages we want to get across to our customers is that they aren’t alone.
At Xylem, we strive to deliver digital solutions and services with cybersecurity protections built in. But we also go further. We also work with utilities to understand the risks inherent in their processes and then take steps to help them operate and maintain their solutions securely.
This means that, in a digital sense, protection is not just limited to the sensor in the ground. Digital also paves the way for additional opportunities such as monitoring and control via cloud-based technology.
Taking a more connected approach comes with many benefits, but it also comes with a growing need to ensure cybersecurity protections.
There is a reason that the government has started to get more concerned with cybersecurity in critical infrastructure. Over the past decade, we have seen attacks on vulnerable systems that have impacted critical infrastructure. Attention has been focused mostly on the energy grid and oil and gas, sectors that tend to be more interconnected and centrally controlled.
Water is different. In the US for example, instead of a relatively interconnected system, you have over a hundred thousand disconnected systems. Instead of a centralized front, you have a highly distributed collection of organizations.
So, what does this mean for water operators? It might mean that we need a new model. The foundation of this new model is connected, digital technology in which shared services create operational efficiencies and opportunities for centralized cybersecurity expertise.
Legislation such as America's Water Infrastructure Act of 2018 (AWIA) and supplementation of the Sanitary Survey with cybersecurity questions from the U.S. Environmental Protection Agency (EPA) have done a lot to increase cybersecurity awareness in the industry. But solving future water challenges will require a shift in mental model towards shared responsibility that fits the unique position and requirements of the water sector.
Working together with utilities to solve the challenges
Utilities can partner with technology providers to shift to centrally managed digital systems that are both cost-effective, easy to update, and transparent.
Crucially, it also means that the responsibility of cybersecurity is shared.
Modernization is an opportunity to improve cybersecurity protections and address legacy vulnerabilities while helping with strategic priorities and operational problems. Put plainly, utilities can solve two problems at once.
We can protect services running in the cloud with detection mechanisms, threat monitoring, and hunting. We can add many utilities to cloud infrastructure before any additional specialized staff are needed, due to the inherent flexibility afforded by the cloud, making it much more cost-effective.
If you look at historical attacks on water utilities, a sizable proportion came down to stolen credentials or exploitation of known vulnerabilities. Frequently, an attacker had a valid username and password to get in.
We can sometimes make this problem big and complex, but there is no need to overcomplicate our response.
If we strengthen in the right places and prioritize the things that matter, we can improve and even simplify cybersecurity.
Education is a massive part of this, but what happens when something goes wrong? If we can work off a shared responsibility model, one where we understand how everything is connected and how to respond to an incident, we can control where the data is going. We can manage remote access, safely update systems with an authorized push of a button and add threat detection. If mistakes happen, we can help catch them before they become a big problem.
As a provider of water solutions and services, we work with other industry experts brought together by the Cybersecurity and Infrastructure Agency (CISA) to create and collaborate on minimum practices and protections for cybersecurity. For now, utilities can look at what security they have in place. Xylem, for instance, offers Cybersecurity Assessment services that involve expert analyses of Operational Technology systems in the water sector, with actionable remediation recommendations to help utilities with their digital transformation and growth.
But we can also dream a little bigger. Digital technologies and the ability to upgrade systems help us to solve water challenges and build trust at the same time.