Stanley Consultants Inc.

09/10/2024 | News release | Distributed by Public on 09/10/2024 06:17

Navigating Cybersecurity: Is Your Water Utility Safe?

September 10, 2024

According to Forescout Research and Vedere Labs, cybersecurity attacks on infrastructure rose by a staggering 30% in 2023, reaching a total of 420 million. This translates to 13 attacks per second on a wide range of targets, including drinking water systems, libraries, hospitals, transportation and manufacturing.

Water systems play a critical role in ensuring public health and environmental safety. A cybersecurity breach in these systems could lead to severe consequences, such as contamination of drinking water, failure in waste treatment processes and environmental pollution. System owners and utility managers can face legal and financial liability for preventable cybersecurity failures.

For hackers, water facilities present a tempting mix of vulnerable, high-impact targets. Common threats include ransomware, sleeper agents, physical cyberattacks and insider threats. The EPA reports that more than 70% of inspected water systems do not fully comply with security requirements in the Safe Drinking Water Act, a federal law used to manage water plants' safety and security practices.

Top Cybersecurity Threats

Cybersecurity is crucial for water utilities as they increasingly rely on digital systems to maintain operations. These systems face significant threats that can disrupt water safety and provision. Major cybersecurity concerns include vulnerabilities in legacy systems, inadequate network segmentation and risks associated with remote access. Addressing these threats is vital to protect critical water services from cyberattacks, emphasizing the need for comprehensive water cybersecurity strategies.

Exploiting Vulnerabilities in Legacy Systems

One of the major issues faced by water utilities is cybersecurity for legacy systems. Operational Technology (OT) is the hardware and software that detects or causes changes by directly monitoring and controlling physical devices, processes and events. This differs from Information Technology (IT), where the primary focus is handling tasks like communication, data analysis, storage and office applications.

Most OT systems are on a 10-20-year (or longer) technology refresh cycle. Utilities face constraints when updating these systems; they are expensive and sometimes require extensive downtime. As a result, these older components make the systems more difficult to secure.

Lack of Network Segmentation

Another threat to water utilities is the lack of segmented networks. Most OT networks are considered flat networks, a type of network architecture in which all devices are connected to a single network segment without any hierarchical segmentation or separation.

Flat networks are used primarily for simplicity and performance, but they make it easier for hackers to move within the network. Once hackers gain access, they can easily manipulate the network and are hard to detect.

Remote Access Vulnerabilities

Traditionally, OT networks have used software solutions for remote access that can be easily compromised. These methods were originally designed for convenience and accessibility, allowing operators, engineers, and technicians to connect to OT systems from remote locations to perform maintenance, troubleshooting or system updates. However, these networks come with several inherent security risks, especially in the context of modern water cybersecurity threats.

Finding the Solution

Historically, the solution was to implement hardware firewalls, Virtual Local Area Networks (VLANs), Virtual Private Networks (VPNs) and complex policies. These water security solutions work, but they are expensive and require complex configuration and significant downtime to implement.

There is a better way.

A Zero-Trust Overlay Network is a clear solution to effectively address the threats above. This type of network runs parallel with the existing network, allowing processes to run uninterrupted. In simpler terms, this approach adds an extra layer of security to your existing network. This solution allows for network cloaking, micro-segmentation and secure remote access with dual-factor authentication. The Zero-Trust Network Architecture (ZTNA) simply means that nothing within the network is trusted.

ZTNA requires that each device or user be continuously verified. This is done through biometrics (fingerprint or face scan) and unique, one-time-use QR codes. Users requesting access can be assigned individual permissions to see only what they need to accomplish their assigned duties.

The overlay network can hide specific network devices based on permissions assigned by an administrator. Since this happens in the overlay network, it does not affect the operational properties of these devices. This is especially useful when dealing with legacy equipment.

Micro-segmentation is also accomplished by utilizing permissions. Devices on the network cannot communicate with each other unless specific permission has been granted and proper authentication through ZTNA is established.
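The contrast between a flat network and permission-based micro-segmentation, as an added example that is not from Stanley Consultants or any ZTNA product: it computes which devices a compromised host can reach under each model, following chains of allowed flows. The device names and the permission list are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory for a small water plant (hypothetical names).
DEVICES = ["eng-laptop", "hmi-1", "historian", "plc-chlorine", "plc-pump", "legacy-rtu"]

# Constructed allow-list of (source, destination) pairs granted by an administrator.
# Anything not listed is denied, which is the default-deny behaviour described above.
PERMISSIONS = {
    ("eng-laptop", "historian"),
    ("hmi-1", "plc-chlorine"),
    ("hmi-1", "plc-pump"),
    ("plc-pump", "historian"),
    ("plc-chlorine", "historian"),
}

def flat_allows(src, dst):
    """Flat network: every device can talk to every other device."""
    return src != dst

def segmented_allows(src, dst):
    """Micro-segmented overlay: only explicitly granted pairs may talk."""
    return (src, dst) in PERMISSIONS

def reachable(start, allows):
    """Devices reachable from a compromised `start` by chaining allowed flows."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for dst in DEVICES:
            if dst not in seen and allows(cur, dst):
                seen.add(dst)
                queue.append(dst)
    return seen - {start}

def audit(start):
    """Compare the exposure from `start` under the flat and segmented models."""
    flat = reachable(start, flat_allows)
    seg = reachable(start, segmented_allows)
    return {"flat": sorted(flat), "segmented": sorted(seg),
            "newly_isolated": sorted(flat - seg)}

if __name__ == "__main__":
    for start in ("eng-laptop", "hmi-1"):
        print(start, audit(start))
```

The `hmi-1` result includes `historian` even though no direct permission exists, because the path runs through a PLC; reviewing an allow-list means checking chained paths, not only individual pairs.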

Why Is Zero-Trust a Better Way?

Once a Zero-Trust Overlay Network is in place, everything in the network can now have its own segment and is individually securable.

ZTNA is focused on increasing authentication and monitoring. It ensures that each user is authenticated, every access request is validated and all activities are continuously monitored. ZTNA can be an effective tool for utilities implementing smart, emerging technologies to limit risk within critical infrastructure environments. According to the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST), ZTNA is now becoming the gold standard for cyber resilience.

Additional Concerns for Water Utilities

While the Zero-Trust Overlay Network is a huge step in protecting against cybersecurity threats, there are other concerns that utilities must consider. Insufficient cybersecurity training and awareness, third-party and supply chain risks and outdated or poor patch management are all additional risks. Inadequate monitoring and detection, insider threats like disgruntled employees and physical security also need to be navigated. The EPA is beginning to issue more regulations requiring states to include cybersecurity assessments in their sanitary surveys of public water systems.

Partner With Stanley Consultants To Navigate These Risks

Stanley Consultants takes a holistic approach to navigating these risks. As an engineering and consulting firm, we can help optimize your water and wastewater systems and make key recommendations on protecting against cybersecurity threats. Our team of OT cybersecurity experts will begin with a full audit of your system, creating a cybersecurity conditions report. This will highlight all the active OT devices in your network, their current vulnerabilities and associated risks, and summarize any shortcomings.

Once we complete the condition assessment audit, our team will draft a roadmap toward achieving robust cybersecurity resilience. This will group and prioritize upgrades into a logical list of projects backed by sound reasoning to help justify needed budgets.

If you want to learn more about how Stanley Consultants can help you assess your utility cybersecurity risks, please contact us today.