Water & Wastewater Treatment Magazine
Issue link: https://fhpublishing.uberflip.com/i/1094482
10 | APRIL 2019 | WWT | www.wwtonline.co.uk

The Talk: opinion

UMANG PATEL, EICA GLOBAL PRACTICE LEADER (WATER), MOTT MACDONALD

Protecting water assets against cyber threats

It's vital that engineers start to lead the conversation on cyber security for operational technology in the water industry

In the modern age all businesses are vulnerable to cyber threats – including the water sector. Cyberattacks in the water industry can have devastating results, especially as network systems become increasingly sophisticated. Whether moving to a more sophisticated digital infrastructure model or upgrading old devices during maintenance cycles, businesses are faced with the challenge of keeping critical information safe and secure.

To put things into perspective, 43% of businesses suffered a cyber breach or attack in 2017. One example that was particularly damaging in 2016 was at a water treatment plant, where hackers changed the levels of the chemicals being used to treat tap water four times. Stuxnet – a global-reaching malicious computer worm targeting industrial control systems – infected over 200,000 computers and caused 1000 machines to physically degrade.

So who is at risk of cyberattacks? With an ever-increasing number of devices and data, any internet-connected system is vulnerable. Once there is an internet connection to your system, existing vulnerabilities can provide a path into your other systems as well. Multi-vectored attacks can come through a corporate network connection, through a remote connection to your Industrial Control Systems (ICS), or even through employees.

The implications are that your control system can be compromised, which may lead to disruption in the delivery of power, transportation, water, wastewater or other services. Alternatively, it can lead to a compromise of revenue collection, contact lists, data collection and customer information systems, and ultimately to loss of reputation.
Planning for cybersecurity from the outset is a good place to start. Many industrial control systems are vulnerable to malicious cyberattacks against their networks and the infrastructure they control. These attacks can cause loss of data, loss of control, or even physical damage to equipment. Understanding your cyber assets and having a plan to protect ICS is becoming more important every day. It is therefore crucial to incorporate cybersecurity considerations into all designs from the project inception stage.

IT stands for Information Technology. OT stands for Operational Technology. OT equipment and software could include devices like PLCs (Programmable Logic Controllers), SCADA (Supervisory Control and Data Acquisition) software, HMIs (Human Machine Interfaces), SCADA workstations or telemetry outstations.

It is crucial that engineers start to lead the conversation on cybersecurity for operational technology (OT). As engineers, in my opinion our mindset should be to prioritise safety, availability and predictability of assets, and with support from IT specialists this will help protect critical infrastructure and benefit the end user by managing cyber threats and mitigating risk.

The recently introduced Network and Information Security (NIS) regulations have been a catalyst for change across all sectors and provide guidance on the improvement process, which broadly corresponds with the National Cyber Security Strategy 2016-2021. The NIS regulations require the water industry to defend, deter and develop strategies so threats can be managed and understood to minimise disruption during and after attacks. The legislation, which came into force in May 2018 and was updated in January 2019, requires Operators of Essential Services (OES) to put "appropriate and proportionate" measures in place to implement and proactively manage cybersecurity.

Policies and procedures are very important.
To have a proper "defence in depth" strategy, you will also need to consider physical security and policies and procedures as part of your cybersecurity plan. The plan should cover the vetting of subcontractors who access and maintain your ICS, the use of storage devices (thumb drives, non-volatile media) and laptops which could infect your system, and the training of personnel in cybersecurity. This will help resolve weaknesses, monitor threats and mitigate risks should they occur, increasing security and protecting assets, infrastructure and clients.

These regulations will require UK operators to be prepared to deal with an increasing number of cyber threats. The regulations also cover other threats affecting IT, such as power failures, hardware failures and environmental hazards. The work is part of the Government's £1.9 billion National Cyber Security Strategy to protect the UK in cyber space and make the UK the safest possible place to live and work online.

While the threat of cyberattacks is certainly alarming, there is no need to panic: it is reassuring that 70% of security-related risks are reduced when businesses invest in cybersecurity training and awareness. Simply taking the right steps, making sure staff are aware of the threats, providing training and working together with the supply chain to secure your infrastructure will go a long way in mitigating many cyberattacks.