Opinion: Protecting our water assets against cyber threats
It's vital that engineers start to lead the conversation on cyber security for operational technology in the water industry, writes Umang Patel
By Umang Patel, EICA Global Practice Leader, Water, Mott MacDonald
In the modern age all businesses are vulnerable to cyber threats – including the water sector. Cyberattacks in the water industry can have devasting results, especially as network systems become increasingly more sophisticated. Whether moving to a more sophisticated digital infrastructure model or upgrading old devices during maintenance cycles, businesses are faced with the challenge of keeping critical information safe and secure.
To put things into perspective, 43% of businesses suffered a cyber breach or attack in 2017. One example that was particularly damaging in 2016 was at a water treatment plant, where hackers changed the levels of the chemicals being used to treat tap water four times. Stuxnet – a global reaching malicious computer worm targeting industrial control systems – infected over 200,000 computers and caused 1000 machines to physically degrade.
So who is at risk of cyberattacks? With an ever-increasing number of devices and data any internet connected system is vulnerable. Once there is an internet connection to your system, existing vulnerabilities can provide a path into your other systems as well. Multi-vectored attacks can come through a corporate network connection, or through a remote connection to your Industrial Control Systems (ICS) or even employees. The implications are that your control system can be compromised, which may lead to disruption in delivery of power, transportation, water, wastewater or other services. Alternately, it can lead to a compromise in the revenue collection, contact lists, data collection and customer information systems and ultimately loss of reputation.
Planning for cybersecurity from the outset is a good place to start. Many industrial control systems are vulnerable to malicious cyber-attacks against their networks and the infrastructure they control. These attacks can cause loss of data, control, or even physical damage to equipment. Understanding your cyber assets and having a plan to protect ICS is becoming more important every day. It is therefore crucial to incorporate cybersecurity considerations into all designs from project inception stage.
IT stands for Information Technology. OT stands for Operational technology. OT equipment and software could include devices like PLCs (Programmable Logic Controllers), SCADA (Supervisory Control and Data Acquisition) software, HMIs (Human Machine Interfaces), SCADA workstations or telemetry outstations.
It is crucial that engineers start to lead the conversation on cybersecurity for operational technology (OT). As engineers, in my opinion our mindset should be to prioritise safety, availability and predictability of assets, and with support from IT specialists this will help protect critical infrastructure and ultimately benefit the end user by managing cyber threats and mitigate risk.
The recently introduced Network and Information Security (NIS) regulations has been a catalyst for change across all sectors and provides guidance on improvement process which broadly corresponds with the National Cyber Security Strategy 2016-2021. The NIS regulations require the water industry to defend, deter and develop strategies so threats can be managed and understood to minimise disruption during and after attacks. The legislation, which came into force in May 2018 and was updated in January 2019, requires Operators of Essential Services (OES) to put “appropriate and proportionate” measures in place to implement and proactively manage cybersecurity.
Policies and procedures are very important. To have a proper “defence in depth” strategy, you will need to also consider physical security and policies and procedures as part of your cybersecurity plan. Vetting of sub-contractors who access and maintain your ICS, use of storage devices (thumb drives, non-volatile media), laptops which could infect your system and training of personnel in cybersecurity should form part of the plan. This will help resolve weaknesses, monitor threats and mitigate risks should they occur, increasing security and protecting assets, infrastructure and clients.
In order to achieve the strategic vision and objectives set out by Competent Authority, it is essential for businesses to carry out systematic and risk-based Cybersecurity evaluations of an ICS and cyber assets. The industry increasingly understands the importance in supporting and upskilling of workforce. Various frameworks for self-assessment do exist such as the CPNI’s1 Security for Industrial Control Systems (SICS) Framework, the NCSC Cybersecurity Assessment Framework (CAF) or the United States’ Department of Homeland Security’s Cybersecurity Evaluation Tool (CSET)2. It should though be recognised that none of these frameworks focus solely on technology, but support with compliance, training and emergency response planning.
These regulations will require UK operators to be prepared to deal with increasing number of cyber threats. The regulations also cover other threats affecting IT, such as power failures, hardware failures and environmental hazards. The work is part of the Government’s £1.9 billion National Cyber Security Strategy to protect the UK in cyber space and make the UK the safest possible place to live and work online.
These regulations apply to OES that rely on network and information systems and satisfies the threshold requirement describes for an essential service. The Drinking Water Inspectorate threshold requirement applies to the essential service of the supply of potable water in the UK of water to 200,000 or more people.
While the threat of cyberattacks is certainly alarming, it is reassuring that 70% of security-related risks are reduced when businesses invest in cybersecurity training and awareness. Simply taking the right steps and making sure staff are aware of the threats, providing training and working together with the supply chain to secure your infrastructure will go a long way in mitigating many cyberattacks.
- Technically Speaking: Data Analytics and Water Advanced analytics have the potential to transform the water sector, if they are used across the business and are backed... Read More >
- New direction: Is the industry ready for direct procurement? Ofwat's continued aim to drive efficiency and value for customers will see the introduction of a new direct procurement... Read More >
- Scottish Water completes 1.2km tunnel One of Scotland's largest projects in AMP5 has been completed in Airdrie. Scottish Water’s William Ancell explains how it... Read More >
- Into the Deep using advanced camera techniques Underwater drones, also known as remotely-operated vehicles (ROVs) have proved key to the inspection of... Read More >
- Opinion: Protecting our water assets against cyber threats It's vital that engineers start to lead the conversation on cyber security for operational technology in the water... Read More >
- Capital's infrastructure needs integrated water approach The concerns of Londoners about the capital city's resilience highlight the need for integrated planning across water,... Read More >
- Ready for anything: Resilience in the Round Resilience is one of the four priorities that Ofwat wants to see water companies adopt in their plans for PR19. But what... Read More >
- Mind the step: manholes, steps and ladders Manhole steps, ladders and associated access systems perform a safety critical function. Here, Chris Cawte, managing... Read More >