Managing the changing tides of cybersecurity

18/12/2023

Amid the digitisation of the water sector, the risks posed by cyber threats are growing. Nick Nedostup, Chief Information Security Officer at Xylem, discusses how utilities can modernise while staying secure.

Every day, utilities harness digital tools to deliver efficient services for their communities while solving complex water and resource challenges. Increasingly connected and integrated solutions require increasingly strong defences. We need to embed cybersecurity into our digital approach.

Previously, attacks mainly focused on data breaches and stealing sensitive information, but the rise of ransomware has changed the way that bad actors seek to gain financially by denying a user or organisation access to files. While financial services companies may have been a prime target, many have invested heavily in cybersecurity, making them less appealing.

The business model is now to disrupt an essential service, put providers under extreme pressure, and get a quick payment – putting water firmly in the crosshairs. While in the US, for example, the Environmental Protection Agency (EPA) is stepping up to issue guidance, including direction on cybersecurity audits and sanitary survey completion, developing a coordinated industry response is vital. Organisations such as the Water Information Sharing & Analysis Center (WaterISAC), also in the US, are bringing utilities together to bolster security and ensure water is not a soft mark.


FROM CYBER STRATEGY TO DAY-TO-DAY ACTION
So, how can utilities act? The first step for utilities is checking what supports are available. The US and many other jurisdictions provide state-supported funding options that can help address security.

An individual utility may not have the bandwidth to stay across events throughout the sector. As the tech world moves more to a software-as-a-service or infrastructure-as-a-service model, utilities can save on upfront costs and share the security burden with providers.

Choosing the right vendor by embedding cybersecurity into procurement can build trust that a provider is taking the right security steps.

For businesses such as Xylem, security is the foundation of our ability to be successful in the market. If utilities can develop these trusted relationships, they can also lean on providers to upgrade the system in the background, allowing a utility to get on with serving its community.

LAYERS OF DEFENCE
Secure technology is a vital layer of defence, but some layers don't require significant capital or operational investments. One is mapping and understanding a utility's assets for gaps or risks. Simply put, if you don't know you have it, you can't protect it. Regular security and technology audits can ensure necessary controls are in place. This is not a one-and-done; it needs to be a continuing practice.

And, as threats evolve, we need to keep on top of them. A key question in that inventory is asking if any devices in a utility are out of date. Another vital layer is education. So many attacks happen through social engineering that tricks employees into making security mistakes or giving away sensitive information. The first line of defence is often the simplest: arming employees with a basic knowledge of how to take security precautions that can stop many of these attacks at source. Make your employees aware that it is okay to question things – ask if an email makes sense, pause to consider if you can trust the person contacting you. Make time for awareness and education, from online vigilance to showing how to create a strong password. These simple steps have an impact.

When it comes to cybersecurity, the environment will constantly evolve. We are never really done with security. We must focus on identifying key risks and take steps to address them. Then, we stay vigilant and work together to keep evolving as an industry, one that can get all the benefits of digital technology while staying secure.