In 2021, drinking water facilities located in Tampa, Florida, suffered a cyberattack that sought to poison the population by increasing the amount of sodium hydroxide in the system. In 2020, pumping stations and water management facilities in Israel were targeted by cyberattacks, whilst in 2018, the Swiss city of Ebikon’s water supply received thousands of malware requests. Fortunately, all the threats were dealt with, thanks to the expertise of operators and the security systems in place.
These are just a few examples of known cases that have come to public attention, but the number of attacks on water facilities is increasing every year. Often, these attacks have no repercussions, and even infrastructure managers pay little attention to this serious issue that needs to be tackled. This problem is common to other similar essential service-related infrastructures, such as those that supply electricity, which are comparable in terms of their type and scope.
Digital transformation has brought with it an increase in exposure to cyberattacks, which ultimately put the health and development of society at risk. The hyperconnectivity stemming from this digital world, though undoubtedly beneficial, also entails risks and, in recent years, as has occurred in other sectors such as banking and energy, utilities have begun to invest more time, effort and money in strengthening their cybersecurity. Digital transformation, which is a must for water utilities, also needs to ensure robust cybersecurity, especially in a sector that is vital for society’s survival and development.
In any case, there is a need to go beyond cybersecurity by implementing technological solutions to tackle the problem from a holistic perspective.
How does improving security in the water sector pay off?
Implementing an effective security policy in water utilities brings major advantages:
- Water conservation
This is the first and most important element to safeguard. As previously mentioned, implementing online and offline security measures guarantees access to water, a commodity as necessary as it is scarce. Of course, when we talk about a safe and secure supply, we also mean sufficient amounts of quality water.
- Data preservation
At a time when data has become a major issue, being able to fully protect it is a priority, especially in a sector such as water, which handles sensitive user information (personal data, financial data for billing, etc.). The risk does not only involve the theft of confidential information, but also the loss of business data and the serious issues that this entails.
- Improved productivity
Updated and protected infrastructures and systems reduce unscheduled downtimes caused by a security breach or attack, with the ensuing increase in productivity.
- Business reputation
As mentioned above, a system that complies with online and offline security standards means utilities can offer a trustworthy brand image, resulting in increased customer loyalty. Security problems are currently a potential cause of lost business reputation in all sectors, with all the consequences that this brings.
SECURITY ISSUES TO CONSIDER
Issues related to security, and more specifically cybersecurity, have been watchwords in many sectors for years. In an essential public service such as the supply of water, this takes on special relevance, as previously mentioned. However, cybersecurity needs to be approached from a broader standpoint, including other aspects that will be on trend in 2023. Sometimes these are basic situations and measures which, unfortunately, have not been resolved and continue to pose risks:
- Physical security of facilities
A simple remote-control station in a distribution tank, without proper monitoring and without appropriate anti-intrusion systems, could be the source of an attack entailing significant risks for users. All system assets, without exception, must be part of a global security strategy. In addition, it is easier to provide a swift, agile response to an incident if security and control systems are connected to operational monitoring systems.
- Updates and modernization
Secondly, in water utilities (and in other sectors, of course), system monitoring and control relies on SCADA systems. In some cases, these systems have been in operation for decades, using protocols and configurations that did not originally have security as their main concern, because they were designed as stand-alone systems, and that stand-alone design is now compromised. As a result, obsolete operating systems continue to exist. These cannot be updated, and no security patches can be installed in the face of new threats. Upgrading and modernizing them should be one of the main lines of action for utilities this year. In this case, the use of latest-generation, cloud-based SCADA applications (either in the client’s own dedicated data center or in a suitably secured third-party data center) can be of great help.
- Consolidating system perimeter security
Systems must be separated from all other corporate systems, establishing one or more DMZs (demilitarized zones) or another similar approach. Where systems do not support this, a change of strategy should be considered.
The same applies to communications security. In view of the growing number and type of new devices that are progressively being added to systems, it is important to ensure that gateways are not only scalable, but also encrypt their communications using TLS or similar. In this regard, cloud providers’ IoT platforms offer a good alternative.
- Secure hosting
Systems must be hosted in intrinsically secure locations and configurations. On this point, the advent of cloud providers has brought about a real revolution, and the range of solutions and alternatives they offer makes it easy to configure servers with redundancy in different geographical areas, as well as highly configurable backup and disaster recovery systems. Some of these security measures were beyond the reach of most companies a few years ago but are now accessible and affordable. Despite this, there are a large number of on-premise systems in place, with their own specific needs (physical security, hardware and software maintenance and updates, possible outages, sabotage, etc.), which can make them the weak link in a utility’s IT infrastructure. In this case, we should consider hybrid systems as a possible alternative, for example, backing up locally hosted sensitive information to securely backed-up cloud servers.
- Corporate culture
Finally, it is important to talk about corporate systems in general, both those which are exposed to third parties (users, etc.) and those which are used internally within the organization. Fortunately, the progressive implementation of state-of-the-art security systems provides a wide range of tools and resources to combat threats. However, they need to be integrated into the company’s culture through training and awareness-raising efforts for all staff, not just the IT team. In this sense, corporate efforts should be directed at security systems that are certified according to internationally recognized standards. These must start to be seen as a requirement in the sector and be led by a specialized figure in the utility working solely on this area.
In short, security in water utilities has become a key issue that must be addressed alongside the company’s digital transformation process. This includes cybersecurity, which must be approached holistically: updating infrastructures, improving IT systems, taking advantage of the latest technologies available, and, of course, training and awareness-raising throughout the organization.