As the risk of a catastrophic cyber attack on critical water infrastructure grows, companies across all industries must prepare for the fallout, warns Alexander Ward, consulting partner & account lead for critical national infrastructure, cyber security and trust, Thales.

The risks facing critical national infrastructure have never been in sharper focus.

For instance, recently, Moody’s warned that the UK’s water networks are currently facing an “elevated” risk from bad actors.


As water suppliers wait on permission to ramp up spending on digital security measures, the threat of cyber attackers targeting drinking water is only increasing.

This warning comes against a backdrop where infrastructure companies are becoming an increasingly lucrative target for cyber-attacks.

Just recently, Southern Water, which supplies 4.6 million customers, had its systems accessed by a ransomware group, which posted customer data on the dark web.

What these bad actors could do was brought into sharp relief in 2021, when hackers attempted to poison water supplies in Florida.

A new era of connectivity

Water infrastructure has become increasingly digitised in recent years, ushering in a new era of connectivity.

Smart water meters, controllers, and sensors offer undeniable benefits in terms of efficiency and profitability – both for suppliers and customers. However, this technological leap forward has increased the number of attack vectors – opening up more opportunities to hackers.

The ramifications of such attacks extend far beyond data breaches. The potential for compromising water grids, leading to flooding or contamination, represents a very real and tangible threat with potentially dire consequences.


This could extend to the wider supply chain: agriculture, healthcare, emergency services, manufacturing and energy production are just a handful of the sectors that rely upon water sources to function.

The knock-on effect of water shortages, outages, or compromised supplies could result in production delays and inventory shortages, cut offs in services, and disruptions to operations.

However, practically all organisations will feel the effects, given that every office, as a minimum, depends on a reliable water supply. Needless to say, the safety and security of our water networks should be on everyone’s radar.

Against this backdrop, there is a pressing need for end-to-end security measures within the water infrastructure sector. Developments in AI, which can also aid cyber-attacks, make it all the more important for water suppliers to take a more proactive approach to security.

A proactive approach to cyber security

It’s vital for water suppliers to adopt a “secure by design” approach to cyber security. Rather than treating security as an afterthought or add-on feature, “secure by design” prioritises building robust security mechanisms into the foundational architecture of a product or system.

Given the diverse array of potential attack vectors – ranging from dam controls to water meters – every sensor and module must be imbued with robust security features from the outset. This proactive stance can help fortify the sector’s defences against would-be intruders.

Then there’s the need for encryption. All critical data travelling through the intricate ecosystems of water infrastructure must be encrypted to prevent unauthorised access or tampering.

By encrypting sensitive information, water companies can establish a barrier against malicious actors seeking to exploit vulnerabilities within the system.

The importance of digital identities cannot be overstated here. Giving each water meter its own digital identity makes it uniquely identifiable within the digital network, allowing for better monitoring, management, and control.


Digital identities help cybersecurity by providing a means to authenticate and verify the legitimacy of data transmissions between water meters and central monitoring systems – ultimately helping to prevent unauthorised access or tampering with meter readings.
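The per-meter identity check described above, as an added example that is not part of the original article or any vendor's code: each meter authenticates its readings with its own key, and the central system rejects altered, replayed, or unenrolled senders. HMAC-SHA256 with per-meter shared keys stands in here for whatever identity scheme a real deployment uses; the meter IDs, keys, and field names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed per-meter secrets provisioned at enrolment (hypothetical IDs and keys).
METER_KEYS = {
    "meter-0001": b"constructed-key-0001",
    "meter-0002": b"constructed-key-0002",
}

def _mac(key, meter_id, counter, litres):
    # Canonical JSON so meter and head-end authenticate identical bytes.
    body = json.dumps([meter_id, counter, litres], separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def sign_reading(meter_id, key, counter, litres):
    """Meter side: bind the reading to this meter's identity and a counter."""
    return {"meter_id": meter_id, "counter": counter, "litres": litres,
            "tag": _mac(key, meter_id, counter, litres)}

class HeadEnd:
    """Central monitoring side: check identity, integrity and freshness."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted per meter

    def accept(self, msg):
        meter_id, counter = msg.get("meter_id"), msg.get("counter")
        key = self.keys.get(meter_id)
        if key is None:
            return "reject: unknown meter"
        if not isinstance(counter, int) or not isinstance(msg.get("tag"), str):
            return "reject: malformed"
        expected = _mac(key, meter_id, counter, msg.get("litres"))
        # Constant-time comparison avoids leaking how much of the tag matched.
        if not hmac.compare_digest(expected.encode(), msg["tag"].encode()):
            return "reject: bad tag"
        if counter <= self.last_counter.get(meter_id, -1):
            return "reject: replayed"
        self.last_counter[meter_id] = counter
        return "accept"

def demo():
    head_end = HeadEnd(METER_KEYS)
    good = sign_reading("meter-0001", METER_KEYS["meter-0001"], 1, 1234.5)
    tampered = dict(good, litres=12.5)  # reading altered in transit
    spoofed = sign_reading("meter-0001", METER_KEYS["meter-0002"], 2, 10.0)
    rogue = sign_reading("meter-9999", b"unenrolled", 1, 10.0)
    return [head_end.accept(m) for m in (good, tampered, good, spoofed, rogue)]
```

The per-meter counter is what distinguishes a fresh reading from a captured one sent again; without it, a valid tag alone would be accepted twice.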

Furthermore, the importance of regular updates throughout the lifecycle of components cannot be overstated. Continuous monitoring and timely patching of vulnerabilities are essential to pre-empting potential avenues for attack.

By ensuring that all software and firmware remain up-to-date, water companies can mitigate the risk of backdoor access and enhance the resilience of their infrastructure against cyber threats.

Moreover, collaboration and information sharing within the industry can play a pivotal role in enhancing collective resilience against cyber threats. By pooling resources and expertise, water companies can bolster their defences and stay abreast of emerging threats and best practices in cybersecurity.

How to manage the supply chain risk

While water networks need to take cybersecurity into their own hands, risk managers across all industries should ensure the security of water networks forms a part of their risk assessment plans, too.

  • Demand compliance: Mandate that your water suppliers have robust cybersecurity measures in place, and that they are transparent about their defences. Opening up a dialogue with suppliers and setting that expectation will encourage greater compliance and strengthen overall preparedness.
  • Take a look at your own defences: The supply chain’s overall security is dependent on each and every cog in the wheel. Indeed, an organisation’s suppliers or partners – if compromised – could represent the gateway into its own network. So, prioritise your own security measures, and encourage robust cybersecurity across the entire ecosystem.
  • Adopt a ‘when, not if’ mentality: Being realistic and expecting a breach will help you best prepare for worst-case scenarios. As a first step, develop risk assessments and audits to ascertain what aspects of your organisation and operations will be impacted by potential water outages.
  • Prepare your response: On this basis, run scenario planning exercises to determine how the organisation performs when impacted, and identify weak areas. Develop a business continuity plan in the event of an attack, so your backup plans are well-established and ready for when the time comes.
  • Prioritise collaboration: Involve water suppliers in risk discussions to ensure their subject matter expertise is sufficiently taken into account.

The final word

In essence, safeguarding the integrity and security of water infrastructure requires a more proactive and multifaceted approach.

From incorporating security measures into the very fabric of hardware and software to implementing robust encryption protocols and embracing a culture of proactive maintenance and updates, every facet of the sector must be fortified against the growing cyber threat.

Ultimately, the imperative to fortify digital security measures within the water infrastructure sector is not merely a matter of compliance or risk mitigation; it is a fundamental prerequisite for safeguarding public health and safety.

As the digital landscape continues to evolve and cyber threats grow in sophistication, proactive investment in cybersecurity measures is not just prudent – it is an existential imperative for water companies tasked with ensuring the uninterrupted flow of clean and safe drinking water.