By Alain Dedieu, President, Water and Wastewater Segment at Schneider Electric.

Critical infrastructure is a prime target for cyber attackers. Water and wastewater utilities are particularly susceptible to attacks because communities rely on the services they provide.

What’s more, companies that count on water to manufacture their products, through procedures such as cooling, would suffer consequences to their operational costs if they were hit by an attack. The potential for cyber-attacks to contaminate drinking water, threatening public health, has even led to some governments enacting legislation to counter this threat.

Digitalisation, and the connected devices that come with it, is here to stay. Digitalisation helps companies become more efficient, powers data-led insights, and drives sustainability. Today’s technology gives equipment connectivity, which empowers utilities to be competitive and increase profits. However, because water and wastewater utilities are crucial, they strive for the highest cybersecurity levels.

Network segmentation: The solution to agile cybersecurity

A recent survey across the water and wastewater industry revealed that 34% of companies experienced a ransomware attack that affected IT only. Meanwhile, 22% of ransomware attacks affected OT only.

What’s more, 52% of respondents experienced a partial impact on one site, while 30% said they experienced a substantial impact on multiple sites for one week. Some even faced a similar impact on several sites for more than a week. For 37% of all respondents, those impacts resulted in a downtime cost of between $100,000 and $500,000 per hour, and for 12% of respondents, it cost $1M to $5M per hour. Ultimately, 60% of the survey respondents paid the ransom.

Many UK utilities face challenges when analysing the root causes of an attack: they are unable to definitively rule in or out what occurred to allow the attack to take place. Having the ability to detect a breach in your security perimeter empowers your organisation with knowledge and control. It also permits further analysis should another attack occur. Without anything in place to detect a breach, attackers could already be in a system, gathering information and sustaining access over time.

Through implementing network segmentation within a company’s digitalised architecture, operations could continue in some capacity if a cyber-attack can be isolated to one area. With that in mind, water and wastewater industries should strive to reach Security Level 3 protection within their organisation. Here’s a breakdown of what each level entails:

Security Level 1 – Protects against unintentional breaches or coincidental violations.

Security Level 2 – Delves into areas with more serious implications by protecting against intentional violations perpetrated by those with generic skills and few resources.

Security Level 3 – A company protects itself against professional hackers – people or entities with system-specific skills using sophisticated means to gain access to infrastructures.

Security Level 4 – Organisations protect themselves from highly motivated hackers using sophisticated means, who also have extended resources, up to and including nation-state-level attacks. While it may be difficult to withstand level 4 attacks, companies can better defend themselves and analyse internal weaknesses.

Mapping out a road to cyber confidence

When reassessing your cybersecurity perimeter, it’s important to commit to certain goals and practices. Yes, there is no silver bullet when it comes to cybersecurity. But laying down a pathway towards cyber confidence can lead to more efficient operations and reduce the chance of a cyber-attack.

1. Conduct regular cybersecurity assessments. Tools like edge data collectors focus on asset inventory to keep track of devices used across operations. Knowing all access points is important, but tracking firmware updates, especially as companies grow and modernise over time, becomes a critical defence practice.

2. Implement network segmentation into your organisation’s architecture to separate the IT network from the OT network. Doing so can provide a stopgap during an attack. The buffer segment placed between the two networks in this kind of design is known as a “demilitarised zone” (DMZ), and segmentation isolates areas of the network or devices that have been compromised. Firewalls and containment help in regaining control.

3. Back your data up. Set backups to recur automatically and regularly to protect your IP and core system. Should a cyber-attack occur, an organisation can get up and running faster. Frequent data backups can make your company less attractive to potential hackers seeking to do significant damage. Store any supercritical configurations and source code in multiple places as well.

4. Recovering from an attack is done best through practice. Cyberattack “fire drills” prepare companies to mitigate breaches as they occur and can help them recover faster. Training for various scenarios in role-based cybersecurity workshops will instil confidence and cultural buy-in with employees.
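
One way to check the IT/OT separation described in step 2, as an added example (not from the article or from Schneider Electric): an audit that flags firewall "allow" rules letting IT and OT talk directly instead of through the DMZ. The zone addresses, rule names and rule format are constructed for illustration, and the DMZ is assumed to be the intermediate zone that all IT/OT traffic must pass through.

```python
import ipaddress

# Constructed zone plan (addresses are illustrative, not from the article).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}

# Constructed firewall rules: (name, action, source CIDR, destination CIDR, port)
RULES = [
    ("historian-replica", "allow", "10.30.5.0/24", "10.20.0.10/32", 5432),
    ("it-reads-replica", "allow", "10.10.0.0/16", "10.20.0.10/32", 443),
    ("vendor-rdp", "allow", "10.10.40.7/32", "10.30.5.20/32", 3389),
    ("scada-to-mail", "allow", "10.30.0.0/16", "10.10.1.25/32", 25),
    ("wide-open", "allow", "10.0.0.0/8", "10.30.0.0/16", 502),
    ("block-it-ot", "deny", "10.10.0.0/16", "10.30.0.0/16", 0),
]

def zones_touched(cidr):
    """Return the set of zone names that a rule's CIDR overlaps."""
    net = ipaddress.ip_network(cidr)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}

def audit(rules):
    """Flag allow rules that join IT and OT without passing through the DMZ.

    Each rule is judged on its own; rule ordering and shadowing by earlier
    deny rules are not modelled (a simplification of this example).
    """
    findings = []
    for name, action, src, dst, port in rules:
        if action != "allow":
            continue
        src_z, dst_z = zones_touched(src), zones_touched(dst)
        # An overly broad CIDR (e.g. 10.0.0.0/8) counts as touching every
        # zone it overlaps, so it is caught as well as explicit IT<->OT rules.
        if ("IT" in src_z and "OT" in dst_z) or ("OT" in src_z and "IT" in dst_z):
            findings.append((name, sorted(src_z), sorted(dst_z), port))
    return findings

if __name__ == "__main__":
    for name, src_z, dst_z, port in audit(RULES):
        print(f"{name}: {src_z} -> {dst_z} port {port} bypasses the DMZ")
```

Rules that terminate in the DMZ (the two replica rules) pass; the direct remote-desktop, mail and broad-range rules are reported for review.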

Inspiring cyber confidence in UK water utilities

Having cybersecurity confidence is imperative, and having the means to protect key utilities from potentially devastating cyber-attacks not only protects public health but also ensures an organisation’s reputation stays intact, minimising financial loss. Understanding certain fundamentals will increase an organisation’s ability to pre-empt, and consequently counteract, cyber-attacks.

Implementing routine cybersecurity assessments, consistent backups and an in-depth training programme are just some of the steps that organisations can take to achieve resiliency against security threats. Businesses need to create a clear roadmap to cyber resilience by adhering to industry-leading OT cybersecurity standards, solutions, and services.