In an Expert Focus article for WaterBriefing, Alain Dedieu, President, Water and Wastewater Segment at Schneider Electric, takes a look at how the water and wastewater industry can take steps to mitigate the risk of cyber attacks to its critical infrastructure.

Alain Dedieu: The threat of cyber attacks has become increasingly prevalent in recent years, with President Joe Biden recently making a vow at the G7 Summit to enhance the cybersecurity of critical systems.
Industries like the water and wastewater industry are at great risk, not only due to a lack of training to guard themselves from harm, but also due to the number of people that depend on the utilities and services they provide. If a water and wastewater company were to be attacked, the health and safety of its customers would be in danger. Additionally, operational costs would be faced by companies that depend on water for manufacturing processes, as procedures such as cooling would be placed at risk.
Potential cyber attacks can be devastating, as seen in the 2021 attack on the Oldsmar Water Treatment plant. It took staff over five hours to realise that attackers had managed to remotely hack into the plant’s systems using old credentials. The attackers then altered controls, dangerously increasing the level of sodium hydroxide from 100 parts per million to 11,100 parts per million. This was done in as little as five minutes.
While the rapid development of digitalisation has placed the water and wastewater industry at risk, its benefits are here to stay. Connected devices enable companies to become more efficient, using data-led insights that help organisations stay ahead and keep sustainability at the forefront of their plans.
Having the opportunity to become more competitive, while simultaneously increasing profits, is vital for businesses. Yet, as a crucial utility, the water and wastewater industry must ensure they have the highest cybersecurity levels under the global standards of IEC 62443 to reach these heights.
Is the water and wastewater industry ready to mitigate cyber attacks?

A recent survey across the water and wastewater industry revealed that 34% of companies had experienced a ransomware attack affecting IT only, and 22% had experienced one affecting OT only.
Further to this, over half of respondents (52%) had experienced a partial impact on one site, and 30% acknowledged multiple sites had experienced a significant impact over a week. These attacks are costly, with 37% of respondents revealing that they suffered a downtime cost of $100,000-$500,000 per hour, and 12% between $1M-$5M per hour. In most cases, the ransom was paid.
Many companies face challenges when analysing the root causes of an attack, because they are unable to say definitively what did or did not occur to allow the attack to take place. Having the ability to detect a breach in your security perimeter empowers your organisation with knowledge and control. It also permits further analysis should another attack occur. Without anything in place to detect a breach, attackers could already be in a system, gathering information and sustaining access over time.
Through implementing network segmentation within a company’s digitalised architecture, operations could continue in some capacity if a cyber attack can be isolated to one area. With that in mind, water and wastewater industries should strive to reach Security Level 3 protection within their organisation. Here’s a breakdown of what each level entails:
- Security Level 1 – Protects against unintentional breaches or coincidental violations.
- Security Level 2 – Delves into areas with more serious implications by protecting against intentional violations perpetrated by those with generic skills and few resources.
- Security Level 3 – A company protects itself against professional hackers – people or entities with system-specific skills using sophisticated means to gain access to infrastructures.
- Security Level 4 – Organisations protect themselves against highly motivated hackers who use sophisticated means and have extended resources, up to nation-state-level attacks. While it may be difficult to withstand level 4 attacks, companies can better defend themselves and analyse internal weaknesses.
The 4 key steps to reaching cyber confidence

While there is no one size fits all approach to achieving cybersecurity, one of the most important strategies a company can commit to is determining goals, and outlining the practices they must follow to achieve these goals. Not only does this vastly improve the efficiency of operations, but also critically reduces the threat of cyber attacks.
- Conduct regular cybersecurity assessments. Tools like edge data collectors focus on asset inventory to keep track of devices used across operations. Knowing all access points is important, but tracking firmware updates, especially as companies grow and modernise over time, becomes a critical defence practice.
- Implement network segmentation into your organisation’s architecture to separate the IT network from the OT network. Doing so can provide a stopgap during an attack. Network segmentation like this is known as a “demilitarised zone” (DMZ), and it isolates areas of the network or devices that have been compromised. Firewalls and containment help in regaining control.
- Back your data up. Set this up to recur automatically to protect your IP and core system and do so regularly. Should a cyber-attack occur, an organisation can get up and running faster. Frequent data backups can make your company less attractive to potential hackers seeking to do significant damage. Store any supercritical configurations and source codes in multiple places as well.
- Recovering from an attack is done best through practice. Cyberattack “fire drills” prepare companies to mitigate breaches as they occur and can help them recover faster. Training for various scenarios in role-based cybersecurity workshops will instil confidence and cultural buy-in with employees.
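The segmentation step above can be checked mechanically during an assessment. The following Python example is added here for illustration and is not part of the original article or any vendor tooling; the zone names, subnets and firewall rules are constructed assumptions. It flags any allow-rule that lets traffic pass directly between the IT and OT zones instead of terminating in the DMZ, including overly broad rules that only overlap a zone.

```python
import ipaddress

# Constructed zone model (assumption): subnets are illustrative only.
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT":  ipaddress.ip_network("10.30.0.0/16"),
}

# Constructed firewall allow-rules: (name, source CIDR, destination CIDR, port)
RULES = [
    ("historian-replica", "10.30.5.0/24",  "10.20.0.10/32", 443),   # OT -> DMZ
    ("it-reads-replica",  "10.10.0.0/16",  "10.20.0.10/32", 443),   # IT -> DMZ
    ("legacy-remote-hmi", "10.10.8.15/32", "10.30.5.20/32", 5900),  # IT -> OT direct
    ("any-to-plc",        "0.0.0.0/0",     "10.30.7.0/24",  502),   # broad source
]


def zones_touched(cidr):
    """Return every zone whose subnet overlaps the given CIDR."""
    net = ipaddress.ip_network(cidr)
    return {name for name, subnet in ZONES.items() if net.overlaps(subnet)}


def direct_it_ot_rules(rules):
    """Flag allow-rules that permit IT<->OT traffic without a stop in the DMZ."""
    findings = []
    for name, src, dst, port in rules:
        src_zones, dst_zones = zones_touched(src), zones_touched(dst)
        it_to_ot = "IT" in src_zones and "OT" in dst_zones
        ot_to_it = "OT" in src_zones and "IT" in dst_zones
        if it_to_ot or ot_to_it:
            findings.append((name, port))
    return findings


if __name__ == "__main__":
    for name, port in direct_it_ot_rules(RULES):
        print(f"rule '{name}' (port {port}) bypasses the DMZ")
```

Rules that only connect a zone to the DMZ pass the check; the two flagged rules are the ones an assessor would ask to have re-routed through a DMZ service or removed.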
Fostering cybersecurity trust within the water sector
It’s vital to have strong cybersecurity confidence, as well as the necessary resources to safeguard crucial sectors against highly damaging cyber attacks. This not only safeguards public health but also guarantees the preservation of an organisation's reputation, reducing financial losses. By understanding fundamental principles, an organisation can enhance its capacity to anticipate and effectively respond to cyber attacks.
Regular cybersecurity tests and checks are integral to ensure that organisations become resilient to security threats. Having consistent backups of data and important information, and implementing in-depth training programmes are some of the steps organisations can use to facilitate this change. To create a well-structured plan that achieves cyber confidence, organisations must stick to industry-leading OT cybersecurity standards, solutions, and services.