Amid the digitization of the water sector, the risks posed by cyber threats are growing. Nick Nedostup, Chief Information Security Officer at Xylem, discusses how utilities can modernize while staying secure.
Every day, utilities harness digital tools to deliver efficient services for their communities while solving complex water and resource challenges. Increasingly connected and integrated solutions require increasingly strong defenses. We need to embed cybersecurity into our digital approach.
Previously attacks mainly focused on data breaches and stealing sensitive information, but the rise of ransomware has changed the way that bad actors seek to gain financially by denying a user or organization access to files. Where financial services companies may have been a prime target, many have invested heavily in cybersecurity, which makes them a less appealing target.
The business model is now to disrupt an essential service, put providers under extreme pressure, and get a quick payment – putting water firmly in the crosshairs.
While the Environmental Protection Agency (EPA) are stepping up to issue guidance, including direction on cybersecurity audits and sanitary survey completion, developing a coordinated industry response is vital. Organizations such as the Water Information Sharing & Analysis Center (WaterISAC) in the U.S. are bringing utilities together to bolster security and ensure water is not a soft mark.
From cyber strategy to day-to-day action
So how can utilities act?
The first step for utilities is checking what supports are available. The U.S. and many other jurisdictions provide state-supported funding options that can help address security.
An individual utility may not have the bandwidth to stay across events throughout the sector. As the tech world moves more to a software-as-a-service or infrastructure-as-a-service model, utilities can save on upfront costs and share the security burden with providers.
Choosing the right vendor by embedding cybersecurity into procurement can build trust that a provider is taking the right security steps.
For businesses such as Xylem, security is the foundation of our ability to be successful in the market. If utilities can develop these trusted relationships, they can also lean on providers to upgrade the system in the background, allowing a utility to get on with serving its community.
Layers of defense
Secure technology is a vital layer of defense, but some layers don't require significant capital or operational investments. One is mapping and understanding a utility's assets for gaps or risks. Simply put: if you don't know you have it, you can't protect it. Regular security and technology audits can ensure necessary controls are in place. This is not a one-and-done, it needs to be a continuing practice.
And as threats evolve, we need to keep on top of them. A key question in that inventory is asking if any devices in a utility are out of date. Another vital layer is education. So many attacks happen through social engineering that tricks employees into making security mistakes or giving away sensitive information.
The first line of defense is often the simplest. Arming employees with a basic knowledge of how to take security precautions can stop many of these attacks at source.
Make your employees aware it is okay to question things – ask if an email makes sense, pause to consider if you can trust the person contacting you. Make time for awareness and education, from online vigilance to showing how to create a strong password. These simple steps have an impact.
When it comes to cyber security, the environment will constantly evolve. We are never really done with security. We must focus on identifying our key risks and take steps to address them. Then we stay vigilant and work together to keep evolving as an industry, one that can get all the benefits of digital technology while staying secure.