Cybersecurity Risk & Responsibility in the Water Sector

At the moment, one of the significant threats facing businesses all over the world is the risk of cyber-attack. In the water sectors, utility firms have suffered from various types of cyber-risk, including ransomware attacks, tampering with Industrial Control Systems, manipulating valve, flow operations, chemical treatment formulations, and other efforts that disrupt and potentially destroy operations.

Challenges in Managing Cyber Attack

For so many utilities managing a cyber-attack seem difficult due to the limited resources and capabilities for preventing, detecting, and mitigating cyber risk. Large organizations complain of how difficult it is to defend against cyber-attacks due to their size and multi-faceted systems. On the other hand, small organizations often claim inadequate financial and personnel resources and lack the time and knowledge needed to address cybersecurity issues.

Effect of cyber-attacks on the water sector

The effect of these attacks on critical water sector operations could cause devastating harm to public health and safety, threaten national security and result in costly recovery and remediation efforts to address system issues and data loss. Attacks causing contamination, operational malfunction, and service outages could result in illness and casualties, compromise emergency response by firefighters and healthcare workers, and negatively impact transportation systems and food supply. Due to this, organizations, government, and the public must put in the necessary steps to put an end to this or bring it to the barest minimum.

Standards, Guidance, Regulation, And Insurance To Help The Water Sector

Already, there are various standards, guidance, regulation, and insurance that have been put in place to help water sector entities address cybersecurity issues and develop comprehensive cybersecurity policies, programs, and procedures. Some of these include:

NIST Framework & Publications: National Institute of Standards and Technology (NIST) framework is a key and helpful cybersecurity resource. This framework provides a flexible and cost-effective approach towards the protection and resilience of critical structures in the water sector.

AWWA Guidance & Use-Case Tool: The AWWA guidance provides Process Control System Security Guidance for the Water Sector and a supporting Use-Case Tool, which is helpful for establishing and improving cybersecurity systems.

HIPAA Security Rule: The Health Insurance Portability and Accountability Act provides a clear, jargon-free framework for developing information security policies and programs. These programs can help municipalities, and other water sector owners and operators build a solid foundation for cybersecurity programs.

State and Federal Regulation: Certain states have enacted regulations or provided guidance to prioritize cybersecurity in the water sector. These laws are designed to improve the safety, reliability, and administrative oversight of the water infrastructure.

Cyber Insurance: Cyber insurance is another important consideration for private-sector and government entities. It guides an organization’s cyber risk profile. However, determining the proper type and amount of cyber insurance requires a rigorous assessment of risk and evaluating specific coverage and policies.

10 Basic cybersecurity recommendations for water and wastewater utilities

In partnership with the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the FBI, and the Information Technology ISAC, the WaterISAC has developed a list of 10 basic cybersecurity recommendations to help water and wastewater utilities defend against avoidable data breaches and cyber-attacks. These recommendations include the following:

1. Maintain an Accurate Inventory of Control System Devices and Eliminate Any Exposure of this Equipment to External Networks.
2. Implement Network Segmentation and Apply Firewalls.
3. Use Secure Remote Access Methods.
4. Establish Role-Based Access Controls and Implement System Logging.
5. Use Only Strong Passwords, Change Default Passwords, and Consider Other Access Controls.
6. Maintain Awareness of Vulnerabilities and Implement Necessary Patches and Updates.
7. Develop and Enforce Policies on Mobile Devices.
8. Implement an Employee Cybersecurity Training Program.
9. Involve Executives in Cybersecurity; and
10. Implement Measures for Detecting Compromises and Develop a Cybersecurity Incident Response Plan.

Conclusion

Finally, the most effective way to mitigate against cybersecurity in the water sector and manage cyber risk is by developing the right partnership. This partnership can be within the organization, the sector at large, and among public and private entities. In addition, sharing vital threat information, solutions, best practices, and other resources can also provide greater security that can be of great benefit to the water sector as a whole.