Cybersecurity has become a major issue for companies in the water sector. In recent years, there have been multiple attacks on utilities, given the importance of this sector as an essential service.
Concern about cyberattacks has been on the rise in the last 20 years. The first attack was on a utility in Queensland (Australia) in 2000, whilst more recent attacks hit Israel’s water supply in 2020 and a water treatment plant in Florida in 2021. A Google search for the term “cybersecurity” is enough to show the importance of this phenomenon.
New technological trends in the water cycle, such as automation, early warning systems and smart metering, bring significant advantages and innovations to the water sector, but also open up new attack vectors for cybercriminals. Therefore, as Idrica’s Water Technology Trends 2024 report pointed out, utilities are spending more time and effort on strengthening and increasing their cybersecurity initiatives.
Measures to improve cybersecurity in Europe
There were 107,777 registered cyberattacks in Spain in 2023, up 94% on the previous year. This data comes from the Annual National Security Report 2023, drawn up by the Department of National Security. According to the report, the fact that attackers possess “greater technical and operational capabilities” has led to cyberattacks increasing in frequency, sophistication and severity. This situation is getting worse due to society’s “high dependence on information and communications technologies”, as the report points out. Indeed, Spain’s second biggest threat today is the vulnerability of cyberspace, second only to disinformation campaigns, though it has a potentially greater impact.
Therefore, utilities need to establish a series of strategies aimed at strengthening their cybersecurity.
- Risk assessments: regular risk assessments must be carried out to identify vulnerabilities and potential threats.
- Continuous monitoring: continuous monitoring systems must be implemented to detect suspicious activity in real time.
- Training and awareness: employees must receive training on cybersecurity best practices to create a culture of security.
- Redundancy and resilience: redundant systems and disaster recovery plans need to be established to ensure operational continuity.
- Upgrades and patching: systems must be kept up to date with the latest security patches.
- Encryption and authentication: data encryption and strong authentication must be rolled out to protect sensitive information.
In this scenario, governments and other stakeholders are strengthening legislation to mitigate the situation. Regulations such as ACN in Italy, on cloud services; ENS in Spain, on information security; ANSSI in France, focused on product certification; and BIO in the Netherlands, on information system management, are just a few examples.
In this regard, European countries must implement the NIS2 directive, which provides legal measures to promote cybersecurity in the European Union, ensuring:
- Member States are well equipped to respond to any incidents that may occur.
- The creation of a Cooperation Group to safeguard cooperation between Member States, as well as the exchange of information between them.
- The promotion of a culture of security in all essential sectors (European Union).
Idrica, a company founded by Fomento Urbano de Castellón, S.A., is aware of the importance of implementing appropriate organizational, technical and operational measures to manage security risks. Therefore, it has certified the information system that runs its design, development, implementation, support and maintenance services for the GoAigua platform according to ISO 27001 and the Spanish National Security Scheme (ENS).
In addition, in April 2024, a guide was published to make it easier for all ENS-certified companies to comply with NIS2. Logically, compliance with the NIS1 directive does not imply compliance with the more recent NIS2. This guide contains a roadmap to navigate between both regulations to ensure companies comply with the new directive.
Finally, in 2024 Idrica began to implement SOC2 (Service and Organization Controls) cybersecurity certification, which is focused on the American market.