At a time of political volatility when a threat to our critical infrastructure seems more likely than ever, the Water Industry Journal speaks to Barry Searle about why the industry should change its approach to cyber security to safeguard their operations.
The Water Industry needs to be taking an informed risk-based approach to their cyber security, not a purely financial or regulatory approach,” explains Barry Searle. “They should be assessing the pros and cons of risk, rather than just looking at greater efficiency.
“The industry needs to accept that an attack on their critical infrastructure could happen here, as it has in other countries, and take robust steps to mitigate such an attack – especially given so many of their operational systems are now automated and cyber-dependent.
“In the water industry, like almost every other industry, a lot has become automated in recent years, not just customer communications and records, but their operations too.
“What the industry needs to grasp is that the cyber threat isn’t merely about data theft – serious though this threat is and huge though the financial implications could prove – especially with the advent of GDPR.
“More crucially, the cyber threat has huge ramifications for a water company’s operations. In a number of countries around the world, critical national infrastructure, including water, has been specifically targeted by cyber threat groups and these instances show that it is their critical operations rather than their data that can be targeted.
“In one such attack, the chemical controls within a treatment works were compromised and the consequences of such an attack just don’t bear thinking about, but thinking about it is exactly what the industry needs to do.
“Water companies need to be asking themselves how they would deliver their critical services in the event of a major cyber disruption. How could they control their operations; and how long would it take them to get their critical services up and running again in the event of a serious and sustained attack?
“Many water companies have automated their operations without putting in place sufficient contingency plans for business continuity in the light of an attack on their automated and cyber-based systems.
“The volatile political situation makes putting these contingencies in place all the more important. Cyber crime has no borders, what has happened to Critical National Infrastructure in the Czech Republic, Ukraine and Saudi Arabia could easily happen here.
“More and more these days, cyber attacks are being used as a political tool. Already, the National Cyber Security Centre (NCSC) has warned that a sustained cyber attack on our critical national infrastructure is likely this year.”
Barry is well-placed to comment on matters of security, cyber and otherwise, as his background is in military intelligence. As Director of Training at specialist training provider Intqual-pro, Barry designs and delivers OFQUAL regulated qualifications in intelligence analysis, cyber security and safeguarding, amongst other topics, that are now delivered in over 30 countries.
Intqual-pro was formed in 2014 to provide high-quality training and regulated qualifications to intelligence analysts employed in a variety of roles, with trainers that consisted of former military and law enforcement intelligence specialists.
Over the last few years their remit has broadened and Intqual-pro are now the UK’s largest provider of OFQUAL regulated vocational intelligence qualifications, with public and private sector clients, including banks and companies running the essential infrastructure. Every day, somewhere in the world, someone will be receiving their cyber stars training.
As Barry explains, “We deliver training and we also assess people, so organisations know that the people they have in key roles are competent and up to the challenges of the job.”
“The crux of the matter is that we simply can’t exist without a safe supply of water. Almost every other part of our critical infrastructure relies on water in one way or another, and when it comes to cyber security, our data centres depend on water to regulate the temperature of their hard drives.
“The impact of disruption to a water company’s critical operations is far-reaching, water companies are too complacent and they need to re-think their approach to risk and security.
“The water industry has benefitted for too long from the fact that their customers had no choice as to whom supplied their water, but the market is opening up and already businesses, charities and public sector bodies can choose their provider.
“Investing in cyber security and related awareness training makes financial, business and reputational sense. Customers are now much more aware and wary of where their data is held and a lack of trust is the main reason customers have for walking away from a company.
“Water companies hold a huge amount of data and it is estimated that for each individual company that data alone is worth around £30-40 million. When a customer is a victim of credit card fraud, for example, they know their money is likely to be refunded by their bank, but when it comes to a data breach who knows where the crime begins or ends, where their data will end up and for how long it will be an issue.
“We can all name companies that have never fully recovered from a security breach. Water companies need to understand the impact of a security breach and how the subsequent loss of trust could affect their business, they must consider the operational and reputational risk as a more open market emerges.
“Unfortunately, not every company wants to know how easy it is to hack into their systems, they don’t own or take responsibility for that risk or they feel they have no budget to do anything about it.
“Water companies could learn a lot from banks which provide robust cyber security training for all of their personnel. We know that the vast majority of cyber breaches come about or are enabled by human error, so raising awareness of these issues and providing your staff with strategies for dealing with the cyber threat are crucial to remaining secure.
“Ultimately, a cyber security breach would be bad for business, with GDPR now enshrined, companies could be fined up to €20 million or 4% of the company’s global annual turnover, whichever is greater and they could suffer reputational damage from which they may never fully recover.
However, a cyber security breach of a water company’s operational systems has far more appalling consequences than a mere financial loss given water is essential to life.”
“Water companies need to review their contingency plans and ensure that they can operate in the event of a security breach, with so many of their systems cyber-based, it is their operations rather than their finances or data that are most at risk.
“The UK industry needs to learn the lessons from the cyber breaches of water companies around the world and gain a better understanding of how they can isolate their critical systems. Systems that don’t need to be connected to outside networks, shouldn’t be connected.
“Water companies need to transform the culture within their organisations, raising awareness of the issues and look at putting technical solutions in place to keep their operations running safely and efficiently in the event of a cyber breach.
“The cyber threat is constantly evolving and water companies need to take stock of the changing security landscape and take action now.”