
Keeping Water Cyber Secure

Wednesday, 5 August 2020

A very real threat

Ever since the infamous Stuxnet cyberattack destroyed Iranian uranium processing capabilities a decade ago, industrial control systems have been a known target for cybercriminals.

For the water industry, cyberattacks represent a very real threat.

There has been a spate of events over the last few years, most recently in Israel where an attack in April saw a serious attempt to increase the chlorine content in drinking water. Even more recent attacks have been reported.

According to a new analysis from Cisco Systems and Jacobs Engineering, the adoption of new technologies such as digital networks, remote operations, real-time data acquisition and analytics means water systems are not as digitally secure as they used to be.

As a result, the door has been opened to substantial cyber risks for critical infrastructure.

The changing nature of cyberattacks

Attempting to address this issue, the 2018 America's Water Infrastructure Act requires US water systems serving more than 3300 people to develop or update their risk assessments and emergency response plans, including operational technology cybersecurity.

However, for many water utilities, even those serving many thousands of individuals, there are no such legal requirements.

Perhaps even more troubling, many such utilities do not seriously consider the risks associated with the changing nature of cyberattacks.

“The risk to the water industry is that cyber is changing,” says Barry Searle, director of training at Intqual Pro.

Speaking to Aquatech Online, he says: “It’s moved from IT and data theft to disruption of operational technologies for criminal purposes. There has been a big shift.”

He added: “Previously attacks were all about data theft, but in the past two to three years that has changed to denial of service attacks. Threat groups have realised that if they can limit access to critical systems like SCADA or operational technology, they can make a lot more money.”

Ensuring reliable and robust security

The Cisco/Jacobs

“The water industry needs to realise that just because they haven’t had a major international incident doesn’t mean they won’t. The industry needs to learn lessons from elsewhere and become proactive rather than reactive.”

Any disruption or failures in water operational control systems could result in injury or death, but water assets represent a far larger threat and potential value at risk.

“We would do well to remember that the threat goes beyond contamination of drinking water, to include consequential damage through inundation caused by interference with dams, reservoirs, sump pumping, drainage and sewage systems, and physical damage caused by a failure of water cooling systems,” adds Aslin.

“This presents a myriad range of weaknesses to defend, up and down the supply chain, and across a dispersed network of organisations.”

A cultural shift is required

Consequently, water sector operators must perform a thorough assessment to understand their vulnerabilities.

They should follow this with a robust plan that ensures cybersecurity throughout their digital enterprise, not just today but also with the secure infrastructure needs of the future in mind.

This will likely require something of a cultural shift, according to Searle.

“Financial services are probably 10 years ahead of the water industry because the commercial risks associated with data protection for banks are significant,” he adds.

“For the power sector, securing assets, securing networks and understanding the risks of allowing contractors to come in and plug in external equipment is a major part of their cybersecurity investment as they look to secure the engineering side. I am not seeing the same level of investment or engagement in the water industry.”

The potential risks of cyberattacks on the water sector are so significant, though, that this needs to change as a matter of urgency.
