Water and wastewater companies are undergoing digital transformation: digitising processes and adopting Internet of Things and Artificial Intelligence technologies to improve efficiency and reliability. The connectivity of operational technology to the internet and the convergence between operational technology and IT have created extreme efficiencies, but also new vulnerabilities and exposure to cybersecurity threats.
Some of the cybersecurity challenges faced in the water industry are related to legacy technologies, lack of awareness, interconnectivity, insider threats and budget allocation.
The main question utilities need to answer is: how could the water and wastewater industry be affected by cyber-attacks?
According to the US Cybersecurity and Infrastructure Security Agency, these are the challenges to keeping this critical infrastructure operating safely.
Operational technology
Network complexity: water operational networks may contain hundreds of diverse components that can be difficult to map and update properly. This complexity may lead to operators not having complete visibility into their networks, which in turn may contribute to misconfigurations and continued usage of components not included in a utility’s network mapping.
System maintenance: improperly maintained custom and commercial off-the-shelf components, particularly those not kept up to date with security patches or operating beyond end-of-life, can leave operational technology (OT) systems vulnerable to attack. Managed service providers may be used within critical infrastructure to support both IT and OT networks and, if compromised, could provide adversaries with remote access to customers’ OT systems. Successful exploitation of an OT system can give the attackers a direct means of manipulating systems that support the management of water systems.
IT/OT convergence
Network segmentation: malicious actors may use IT networks as a vector to target non-segmented OT networks and systems. Proper network segmentation is the most effective way to prevent cyberattacks against OT networks and IT systems.
Data: malicious actors may attempt to access IT systems to steal sensitive data, turn off network components and move laterally within a network to access other, more sensitive systems. They may also attempt to use stolen information to move laterally within the network and access other, more sensitive areas.
Ransomware: ransomware attacks can disrupt operations within a facility until systems are restored. While disruptions in office-based systems are most common, ransomware can also infect connected OT systems, particularly if there is not adequate segmentation between IT and OT systems.
While not a risk assessment standard per se, the National Institute of Standards and Technology (NIST) Cybersecurity Framework is one of the foremost resources for informing risk assessments. In addition, the Australian Security of Critical Infrastructure Act 2018 (the SOCI Act) highlights the NIST framework as guidance for critical infrastructure sectors, including water, to write the Critical Infrastructure Risk Management Program (CIRMP), which has a deadline of August 2024.
Organisations with critical infrastructure, such as those operating in the water and wastewater sectors, must act quickly.
Based on these findings and aligned with the NIST framework, NHP and Rockwell Automation’s cybersecurity professionals recommend these core steps:
- Undertake asset inventories
- Perform accurate risk and vulnerability assessments to locate the areas of greatest weakness
- Develop a cybersecurity plan based on assessment results
- Segment and harden networks with an industrial demilitarised zone and firewalls
- Implement threat monitoring
- Prepare and rehearse incident response plans
Although many water and wastewater utilities have invested the necessary time and resources in cybersecurity, the sector needs to make more progress in securing IT and OT systems.
NHP collaborates closely with partner Rockwell Automation to deliver all-inclusive cybersecurity solutions that go beyond network security. Our range of services, hardware and software is certified and aligned with the industry’s most robust standards and frameworks, such as ISA/IEC 62443 and the National Institute of Standards and Technology Cybersecurity Framework. Our solutions can assist clients in evaluating, executing and maintaining ICS security within operations and enabling transformational technologies that depend on enterprise connectivity.
This sponsored editorial is brought to you by NHP. For more information, please call your local NHP Account Representative on 1300 NHP NHP or go to nhp.com.au/cybersecurity.