Cybersecurity is not a new issue for utilities. It received the spotlight in 2021 when President Biden committed to strengthening our Nation’s cybersecurity, specifically by hardening our critical infrastructure. The Infrastructure Investment and Jobs Act includes around $1.9 billion for cybersecurity. About half of those funds are intended for the State, Local, Tribal and Territorial Cyber Grant Program, administered by the Cybersecurity and Infrastructure Security Agency over the next four years. Cybersecurity, particularly for critical infrastructure, is an issue that needs constant attention as technology evolves and automation increases. Keeping up to date with the technological demands can be difficult for small water utilities. However, the risks involved with not keeping current with cybersecurity are significant. Supervisory Control and Data Acquisition (SCADA) systems and online billing portals are examples of automation that utilities are dependent upon and vulnerabilities. There are some actions that utilities can take to help with cybersecurity.

Utilities should perform an asset inventory. Assets cannot be secured if the utility does not know assets and what information they provide. An asset inventory database that lists devices, data, personnel, etc., should be identified. Conducting and maintaining an up-to-date inventory is key to understanding what vulnerabilities exist and aid in discovering unauthorized devices and connections to the utility’s network.

After inventorying, the utility should complete a risk assessment to identify and prioritize security vulnerabilities. Risk and Resilience Assessments are required as part of America’s Water Infrastructure Act (AWIA). The American Water Works Association (AWWA) Cybersecurity Guidance Tool and the National Institute of Science and Technology (NIST) Guide for Conducting Risk Assessment are both recommended resources for risk assessment completion. The utility can appropriately prioritize its cybersecurity initiatives by completing the risk assessment.

After the assessment, various security measures can be implemented to reduce their cybersecurity vulnerabilities. An effective means of improving security is minimizing control system (e.g., SCADA) exposure. This can be done by limiting pathways between the control system, information technology (IT) system, and the Internet. These connections represent an exploitable point that needs to be eliminated or monitored vigilantly. System segmentation can protect from unwanted system traffic by utilizing firewalls and demilitarized zones (DMZ) between the control system and the rest.

Enforcing appropriate user access controls is also helpful in improving cybersecurity. Only give access to authorized users and only provide the permissions needed for the role or task. An example of limiting access to the system is giving an operator access to SCADA but not the water billing system because the operator’s job does not involve water billing. Limited access makes it easier to detect and limit suspicious activity on the system.
Proper good password practices are essential. The NIST recommends longer, memorable passwords over more complex passwords requiring special characters. Default passwords should be changed immediately, and each user should have a unique password. Other security features should be enabled, such as locking out the user after too many password tries. Instituting multi-factor authentication reduces the risk of stolen credentials. Finally, it is vital to remove former employee/contractor access to the system/site.

One of the more accessible ways to improve cybersecurity is limiting physical access to the system. Only give site access to people who need it. Use ID key cards and other security measures such as cameras and alarm systems to protect the physical assets. Non-technical barriers, such as fencing, should also be used. Training employees to be aware of intruders trying to gain access is critical. Always make sure equipment is secure. Leaving laptops used for remote system access in unlocked vehicles is not secure. If items, like laptops, must be left in a vehicle, put them out of sight in a locked vehicle.

Develop appropriate policies for remote devices. Properly research “Bring Your Own Device” policies because they represent a unique security risk. Make employees aware of the dangers of connecting to public WiFi. These connections are not secured. Instill a cybersecurity culture in your organization, so all parties are aware of the cybersecurity threats.

Finally, have a cybersecurity response plan in case of a breach. The option of purchasing cybersecurity insurance does exist and may be something for utilities to consider. Have a system back up, stored off the system, and preferably offline. Plan how the system will continue to operate with only partial functionality and take steps to mitigate risks ahead of time.