For eight years, state CIOs have named cybersecurity their No. 1 concern. Last year, schools saw a record number of cyber attacks, causing education stakeholders to request more action from federal policymakers.
But not many people had considered the possibility of a water utility being hacked until an attempt to poison any of the 15,000 citizens of Oldsmar, Fla., was thwarted in February.
Kristen Sanders, chief information security officer of the Albuquerque Bernalillo County Water Utility Authority, said she had gotten the sense that smaller water utilities didn’t believe they could end up in the crosshairs of a hacker.
“When you talk to them, they kind of feel like the energy industry is much more of a target than water utilities,” Sanders explained, later adding that she thinks the passage of America’s Water Infrastructure Act has made more utilities take a harder look at their cybersecurity postures.
Sielen Namdar, an industry solutions executive with Cisco, said she has also seen some utilities suggest that they’re not going to be targeted by cyber criminals. As with all things cybersecurity, awareness is the first and most important step to improving protection.
But challenges remain for water utilities, even if they are concerned about hackers. One of the biggest hurdles involves the convergence of operational technology (OT) and IT systems. Traditionally, the OT side of water utilities has been “air gapped.”
“That means nothing gets out, nothing comes in, so we have total control over our system, and it’s not connected to anything else outside of it — certainly not the Internet,” Namdar said.
That status quo has been upended by the introduction and proliferation of smart technologies. As a case in point, Sanders’ organization has installed 100,000 smart water meters since fall 2012, according to Communications Director David Morris. These meters cover close to half of the water authority’s customers in Bernalillo County, and in five more years, the authority plans to finish full installation.
Because of this type of change and others, Sanders suggested it’s critical for water utilities to have full visibility into their OT environments, as well as regular cybersecurity training and multifactor authentication. Sanders also praised the DNA Center tool from Cisco, which allows for software-defined networking.
“When this person connects, the switch is actually smart enough to put them on the appropriate network without a person having to go in and actually do manual configurations,” Sanders said. “It’s a very automated process and really enhances security. That way, if someone goes into a conference room and plugs in their personal laptop, they’re not going to be on the enterprise network. So those are some great things that we are moving towards.”
Sanders added that water utilities tend to have OT systems that were never intended to communicate with other systems, much less thwart cyber criminals. Utilities can’t just “forklift this equipment out,” either.
“You still have to figure out how to secure it, when the vendor that originally created it may not even be around anymore … A lot of times there’s no patches available,” Sanders detailed. “Sometimes when these entities are trying to secure it, they find that there’s not even a way to really change usernames or passwords or hardened systems, just because it wasn’t ever designed with security in mind. They weren’t supposed to be connected to a network, outside of it’s just supposed to talk to a very controlled system and nothing else … that was the original intent when some of these systems were made 20 years ago.”
Namdar said every utility needs a cybersecurity road map. One must fully assess the current situation and have clear goals to accomplish. Strong cybersecurity protocols must run through every component of a utility’s overall tech system.
“So baking [cybersecurity] in as opposed to trying to deal with it when a problem comes up,” Namdar concluded.
Sanders said her organization does monthly phishing campaigns. She emphasized the importance of having everyone on the same page when it comes to understanding how to spot and avoid potentially malicious emails.
“Everybody’s using single sign-on, which is extremely easy for the users, but if you can snag somebody’s active directory credentials through a phishing email, and they’re using that for VPN and their office, and they don’t have any sort of multifactor authentication … then yeah, you’ve pretty much opened up your entire organization just by a simple phishing email, and that’s definitely the biggest attack vector.”
Budget constraints among water utilities can make cybersecurity investments harder to justify. For this reason, Morris said his organization is lucky to have a governing board “that has made infrastructure renewal a priority for this utility.” In other words, strong leadership can be the key to overcoming the costs associated with cybersecurity.
“Obviously we operate within budgetary constraints, but it’s certainly something that we take very seriously,” Morris said.
