Drinking water and wastewater utilities looking to boost reliability and lower cost for customers increasingly look to digital data management and operations.
The hitch: going digital typically means moving to the cloud, and many utilities fear opening their data and critical functions to cyberattacks. The concern is especially acute for smaller utilities that lack staff and expertise to ensure protection against bad actors.
The concern is not unfounded: The U.S. EPA in May issued an Enforcement Alert stating, “The cyberattacks against community water systems are increasing in frequency and severity across the country. Based on actual incidents we know that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers.”
Specifically, state actors including Cyber Av3ngers (affiliated with the Iranian Government Islamic Revolutionary Guard Corps) and Cyber Army of Russia Reborn have stepped up their cyberattacks.
Nevertheless, concerns about security need not be an obstacle to digital transformation, according to experts on the cybersecurity team at Xylem. Software and analytics solutions for smart water can meet and exceed EPA expectations for cybersecurity in water and wastewater utilities. Cybersecurity is a shared responsibility between utilities and vendors of digital technology, according to the company.
Addressing the issue in an interview with Treatment Plant Operator were Damien Hugoo, product security leader, and Seth Werlinsky, director of global product marketing for Xylem Vue powered by GoAigua.
TPO: How does the threat of cyberattacks impede progress on digital transformation?
Hugoo: More digital data can bring greater intelligence to water utilities, but many prefer to keep the data within their perimeter; they are afraid to share it because they are unsure of where their data will go. We have seen that water utilities in general are understaffed and therefore not as well prepared to be secure as, for example, energy utilities. There is an urgency to raise the bar. But while cyber threats have increased, there are ways in which data can be shared with technology vendors to provide intelligence in a secure way.
TPO: Are water utilities of all sizes equally vulnerable?
Hugoo: Smaller utilities are being targeted more than bigger ones because they don’t have the same level of staff and may lack awareness of the issues as well as the knowledge, skills and abilities around what to do about potential attacks.
Werlinsky: As more utilities go digital without adequate security measures, bad actors have more places to attack.
TPO: What is the nature of the attacks on water utilities?
Hugoo: The main driver today is ransomware. The attackers get into the network, encrypt some of the data and say, “If you want to get your data back, you have to pay.” Meanwhile the state actors exploit weaknesses in remote access configurations and then use default credentials on devices inside the perimeter.
TPO: What measures can utilities take to limit their vulnerability?
Hugoo: They can start by training their employees, because most of the attacks come through phishing; they are not very complicated. It’s about making it harder for intruders to gain access. It starts with moving from very simple to longer or more complex passwords. The next thing is multifactor authentication, which is basically your password followed by a message you receive with a one-time passcode. Then there is federated access, where employees use the same set of credentials when accessing all of an organization’s systems. This is convenient and also more secure because there is no need to manage multiple passwords. Starting with these basics, it is not difficult to make progress and increase security.
TPO: How do companies like Xylem help utilities increase cybersecurity?
Hugoo: We provide solutions that enable water utilities to go forward with digital transformation in a secure way. We have experience increasing security within our own enterprise and across products, and we share that expertise with customers. Our goal is to reassure them that when they share data with us to accelerate digital transformation, it doesn’t expose them to more risk. In some cases, we may create a cybersecure level they didn’t have. For example, every product that we offer is monitored by a product security incident response team, so that if a weakness is discovered we can coordinate across teams to patch it quickly. In addition, every cloud service we host is monitored 24/7 by a product security operations center that constantly updates automatic detection.
Werlinsky: In our business specifically, we brought to market the Xylem Vue powered by GoAigua software platform, through our partnership with Idrica, an international pioneer in water data, analytics and smart water solutions. The platform allows water and wastewater utilities to visualize and act on data from systems across their network: advanced metering infrastructure, lift stations, SCADA, GIS and others. The solution integrates all that data in one place to provide a holistic view of everything that is happening in the network. Our software engineers integrate cybersecurity into the platform versus adding a layer of security. And this is not the only secure digital solution Xylem has — all of our digital solutions require the same level of cybersecurity. We have a global standard that we set for all our products.
TPO: How can a digital solution provider give customers a comfort level with cybersecurity?
Hugoo: They should provide a model for shared responsibility and continuous improvement. They should also present a strong program to align the proposed solution with cybersecurity standards and show how to securely integrate their solution with the utility’s operations. That creates a strong foundation for an ongoing cybersecure journey. Most providers that value security, including Xylem, post information about their security program on their public-facing websites.
TPO: What assurance can a digital solution provider give that its own solutions are fully secure?
Hugoo: The solution provider’s systems should go through annual testing by security engineers. They should test all existing and newly developed solutions to ensure that they are secure as they are deployed and continue to be secure post-deployment. The provider should also continuously monitor all the software and the cloud environment they manage. That includes threat intelligence and monitoring the dark web for anything that could be compromising the solutions or the clients running them.
TPO: How can a provider instill customer confidence in its ability to deal with incidents such as breaches or outages?
Hugoo: Providers should ensure swift restoration of services. Incidents may happen, and part of being secure is having a capable incident response team. In our case, we have an incident team available 24/7 that is able to respond rapidly to restore the system, making sure that any interruption is of very short duration.
TPO: What do you see in the future in terms of the nature of cyberattacks?
Hugoo: It’s not like two or three years ago when we would see a one-time event in which someone accessed a utility network and changed some settings. The threat today and in the future is real, and it is accelerating. Attackers are targeting water utilities and are not likely to stop until they see them putting up more defenses. If attackers can’t get into one utility, they will move on to the next one. Today, we mostly see ransomware, but once attackers are done with that, they will move on to something else. State-sponsored actors will want to disrupt operations. Thankfully to date, we haven’t seen that as much.
TPO: Is it possible to quantify the level of threat?
Hugoo: The EPA did an assessment, and last May they issued a statement that over 70% of the water systems in North America do not meet the critical cybersecurity standards. We’re going to see more push from the federal government to encourage utilities to follow good cybersecurity practices. We are seeing from the top down an understanding that change is needed.
