Water & Wastewater Treatment Magazine
Issue link: https://fhpublishing.uberflip.com/i/944532
18 | MARCH 2018 | WWT | www.wwtonline.co.uk • Cyber Security Advice The National Cyber Security Centre's '10 Steps to Cyber Security', which can be downloaded from www.ncsc.gov.uk, encourages companies to focus on the following areas: ● Set up your Risk Management Regime ● Network Security ● User education and awareness ● Malware prevention ● Removable media controls ● Secure configuration ● Managing user privileges ● Incident management ● Monitoring ● Home and mobile working establish best practice. "Security isn't something that's used as competitive advantage between us," he says. "Security managers share threat intelligence very frequently with each other. We collaborate very widely both in terms of reactive threat intelligence but also proactively in terms of understanding what the challenges are that people are facing and how we are addressing them." On that point, Trippier says user education within companies is "absolutely critical – the number one thing you can do to reduce risk across the network". On the technological side, he references the NCSC's 10 Steps to Cyber Security. "It contains 10 really quite basic things to do across an organisation's IT landscape," he says. "Those 10 things mitigate probably over 90% of most attacks. By getting those basic counter measures and controls right, you put your organisation in a space where it's at significantly less risk of an attack." He expects all water companies to focus on cyber security in AMP7. "'When, not if ' is becoming common parlance and certainly something that I use with my management board frequently," he says. "The days of building metaphorical fences and hoping no one would get through that fence don't exist anymore, and incident response is a really important element. "You can't ever really be 100% secure because, if someone has enough money and enough motivation, they can keep going until they find vulnerabilities." Steve Trippier will be discussing cyber security at WWT's Smart Water Networks Conference in Birmingham on 20 March. Info at: events.wwtonline.co.uk/smart As in all sectors, the most common relate to IT systems, with phishing emails offering the most straightforward route. "Almost universally, email to staff is the most common factor, which is why most of us, and particularly Anglian Water, are really heavily investing in staff awareness to try to reduce the propensity of staff to click on links," he says. "It started in the 1990s with the Nigerian Prince 419 scams where a prince offered to send you lots of money if you transfer them an advance payment to launder their money, and they've now become very much more sophisticated. Those attacks can be very difficult to identify and can look very credible." The consequences of a successful IT attack can be significant, including access to the customer database, loss of money through fraud and disruption to the way in which the corporate and IT infrastructure works. As the reported 2016 incident indicated, though, an attack on operational technology (OT) could feasibly be far worse. "The worst-case scenario would be access to control systems – somebody who isn't supposed to access control systems having access to them," Trippier says. "Those kinds of attacks are very, very rare and not very easy to do. "I would say that, on the whole, most people's OT systems are not currently directly connected to the internet – for a very good reason, because that makes it harder to perform those attacks remotely. Whilst not infallible, that historically has been the best protection – not to connect those control systems or to minimise the connections to spaces where they could be compromised externally. "In all cases, safety-critical systems are always completely isolated from the other control systems, so that prevents issues with water quality." However, the growing reliance on the Internet of Things (IoT), if not well managed, could ultimately weaken that protection as IT and OT converge. "People are looking at how to exploit efficiency from the Internet of Things, and of course you would do because the potential benefits are huge, whether that's around leakage or around optimisation or around better monitoring and better status reporting," he says. "The IoT devices are potentially significantly cheaper and easier to install. "As with all innovation, that comes with a need to conduct assessment of what risk that provides – that's risk to operability as well as security. Organisations will need to ensure they understand the full security impact of all their innovation, including IoT. We look at things like WITS [Worldwide Industrial Telemetry Standards] for the technology standards, telemetry, and that's already seeing security built in as standard, trying to build consistency and starting to build security into the fundamentals of how things are operating." Companies across the water industry already share information relating to threats, while Water UK's Strategic Security Board facilitates assistance between companies and works to The Talk: interview "The worst-case scenario would be access to con- trol systems... but those kind of attacks are very rare and not easy to do."