Securing the Future: Cybersecurity Challenges and Solutions for the Water Industry
The EPA recently issued a report stating that more than 300 drinking water systems have cybersecurity vulnerabilities that could lead to functionality loss, denial-of-service (DoS) conditions, and customer information compromise. These systems serve roughly 110 million Americans.
In fact, a recent attack in New Jersey has put the EPA on the defensive about its cybersecurity requirements, and the agency has already announced plans to increase security inspections.
The state of cybersecurity in the water sector is causing unrest. With so much at stake, you can smell the regulations coming from the EPA and other regulatory bodies.
Creating harmony across all critical infrastructure segments.
Each of the 16 sectors the federal government classifies as “critical infrastructure” has different standards around cybersecurity. The federal government has been keen to standardize across the board with a single plan that can be adapted to fit different needs across all critical infrastructure sectors. The word they use is “harmonization”.
For example, the DoD hardens its systems to DISA STIGs. State governments might use CIS Benchmarks for similar coverage. And defense contractors need CMMC certification, which assesses against NIST SP 800-171. All trace back to the same NIST control catalogs, just in different configurations and levels of complexity. All are in harmony.
Understanding NERC CIP, the standard all utilities may soon be relying on.
So in looking at where water and wastewater may soon be headed in terms of harmonization across critical infrastructure, cybersecurity professionals are looking at NERC CIP, the North American Electric Reliability Corporation's Critical Infrastructure Protection standards. Here's why.
Written for the electric industry, the NERC CIP standards are among the toughest, most comprehensive out there. They scale to the systems in scope: CIP-002 rates each system as high, medium or low impact, and the requirements that apply follow from that rating. And they map to NIST standards.
Finally, the federal government is always going to harmonize on the toughest standard. Harmonizing on a less comprehensive plan would amount to telling the energy industry its standards are too tough, and that it can now pull back the secure, mature practices it developed over decades in response to government mandates because everyone is standardizing on a lower common denominator. The government isn't going to do that.
Maturing your cybersecurity program and beating the government to the punch.
What this all comes down to is that the sooner the water industry moves in the NERC CIP direction, the better. If you don’t already feel like a ransomware or denial-of-service attack is breathing down your neck, you should. And many in the water industry who are paid to identify problems before they become problems are starting to think in that direction.
You could wait until the government asks, sure. But when they ask, you may not get the time you need to complete the job amidst all your other work. If you meet NERC CIP’s requirements now, the government is not likely to ask more of you. And you won’t have to worry about rushing to meet their deadlines. But more importantly, you’ll be protecting yourself, your employees and your customers from more than 90% of the nefarious actors out there—you’ll be less likely to be the next headline.
Make change right out of the gate with a simple, but powerful move forward.
The fastest way to get the most bang for the buck on this journey is to harden your systems. This is also known as reducing your attack surface: you remove or disable what you do not need and lock down the configuration of what you do, closing the doors attackers like to sneak through.
Most hardware and software used in business is made for the masses, so developers build it so that most users, commercial and private, can use it out of the box. That means default-on services, open ports, sample or guest accounts and permissive settings: unneeded and unused capability that can become an avenue into your system.
Hardening is about closing those doors. It sounds easy, but closing doors can break other functionality in the application, so hardening requires some finesse. In water and wastewater environments in particular, test each change against the control-system software that depends on the host, stage it during a maintenance window, and record what was changed so it can be rolled back. That said, hardening is a huge part of the cybersecurity maturity required by whatever compliance standard is ultimately mandated for the water industry. Every standard will ask you to harden.
Hardening takes time and effort, but hardening now not only protects your systems from rapidly growing threats, it also establishes the baseline of security that every government cybersecurity standard requires. The effort you put in now will simplify the work you face when a deadline is thrust upon you. It is a high-yield step that makes a big dent in your compliance effort and impresses the powers that be.
Simplifying hardening through automation and maintaining secure systems.
We mentioned that hardening takes time and effort. The good news is that government direction on hardening is long-established and proven effective, and the checklists and benchmarks are fairly consistent, as we said before. DISA STIGs and CIS Benchmarks are configuration checklists that deliver similar results in different sizes and flavors, and CMMC assesses the same kinds of practices through NIST SP 800-171. A system hardened to any of them is well on its way to meeting the system-security requirements in NERC CIP (CIP-007 covers ports and services, patch management, malware prevention, event logging and access control).
The even better news is that hardening can be automated. Once you implement a tool and set your policy, it takes minutes or hours to harden a system, a task that might take weeks or months by hand. This matters because the benchmarks keep moving: DISA publishes STIG updates on a quarterly cycle and CIS revises its benchmarks regularly, so a tool that can re-scan and re-apply policy keeps you continually compliant instead of drifting between audits. Run new policy in check-only mode first, keep a documented exception list for any control that breaks a process-critical application, and only then let the tool remediate. With continual compliance and up-to-date hardening, attackers will just move on to someone with weaker cybersecurity than you.
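To make the hardening and automation ideas above concrete, here is an added example of the check-then-remediate loop in miniature. It is not SteelCloud's or EIS's code and not ConfigOS; the policy, the control IDs, the required values and the sample file are all constructed for illustration and are not real STIG or CIS identifiers. The script holds a small policy in the style of an SSH benchmark section, audits a sshd_config-style file (first occurrence of a directive wins, as sshd resolves it), reports every failing control, including a directive that is simply absent and therefore silently relying on a vendor default, and then remediates by commenting out the offending lines and appending the required values so the change is reviewable and reversible.

```python
"""Policy-driven configuration hardening in miniature: audit, then remediate.

Added example for this article; it is not ConfigOS or any vendor's code.
The policy, control IDs and sample file below are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str   # illustrative ID, not a real STIG/CIS identifier
    key: str          # directive name, matched case-insensitively
    required: str     # value the policy demands, compared case-insensitively
    rationale: str


# Hypothetical hardening policy in the style of an SSH benchmark section.
POLICY = (
    Control("HARDEN-SSH-01", "PermitRootLogin", "no",
            "Root must log in through a named account so actions are attributable"),
    Control("HARDEN-SSH-02", "PasswordAuthentication", "no",
            "Key-based auth removes password guessing as an attack avenue"),
    Control("HARDEN-SSH-03", "X11Forwarding", "no",
            "Unused capability; disable it to shrink the attack surface"),
    Control("HARDEN-SSH-04", "MaxAuthTries", "4",
            "Limit brute-force attempts per connection"),
)

# Constructed sample file (not taken from any real host). Note the directive
# the policy cares about but the file never sets: it silently takes a default.
SAMPLE_CONFIG = """# sshd_config-style sample, constructed for this example
Port 22
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 6
# PasswordAuthentication is not set here, so sshd's default (yes) applies
"""

# "Key value" on one line; comment lines and blank lines never match.
DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s+(\S.*?)\s*$")


def effective_settings(text):
    """Map lower-cased key -> value. First occurrence wins, as sshd resolves it."""
    settings = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2))
    return settings


def audit(text, policy=POLICY):
    """Return (control_id, key, current_value, required) for every failing control.

    current_value is None when the directive is absent: an unset directive is a
    finding too, because it means the system is relying on a vendor default.
    """
    current = effective_settings(text)
    findings = []
    for c in policy:
        value = current.get(c.key.lower())
        if value is None or value.lower() != c.required.lower():
            findings.append((c.control_id, c.key, value, c.required))
    return findings


def remediate(text, policy=POLICY):
    """Return a compliant copy of text; unchanged (and idempotent) if already compliant.

    Every active line that sets a policy-managed key is commented out rather than
    deleted, so the change is reviewable and can be rolled back, and the required
    values are appended in one labelled block.
    """
    if not audit(text, policy):
        return text
    managed = {c.key.lower() for c in policy}
    out = []
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m and m.group(1).lower() in managed:
            out.append(f"# hardening: replaced -> {line.strip()}")
        else:
            out.append(line)
    out.append("# hardening: values enforced by policy")
    out.extend(f"{c.key} {c.required}" for c in policy)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for cid, key, current, required in audit(SAMPLE_CONFIG):
        print(f"{cid}: {key} is {current!r}, policy requires {required!r}")
    hardened = remediate(SAMPLE_CONFIG)
    print(hardened)
    print("findings after remediation:", audit(hardened))
```

The split between `audit` and `remediate` is the check-only mode recommended above: run `audit` across a fleet first, decide which findings need a documented exception because the setting is load-bearing for a control-system application, and only then apply `remediate`. Because `remediate` returns the input untouched when nothing fails, it is safe to schedule on every benchmark refresh.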
Creating solid cyber hygiene practices before your vulnerabilities are exploited.
Cybersecurity is a program, not a one-time project. It is a living, breathing organism that needs to be fed daily. As the government moves toward greater mandates for critical industries, cybersecurity is going to take more and more of your time, which is why current guidance, recommendations and requirements point toward automation.
Automation demonstrates that you have sound cyber hygiene habits, sets you up nicely for certification assessments, simplifies meeting government mandates like NERC CIP and keeps known, fixable risks such as configuration drift at bay.
Learning what will work best for your water organization in the future.
SteelCloud partners with Enhanced Information Systems (EIS) to help organizations determine the best ways forward when it comes to cybersecurity. EIS implements SteelCloud’s ConfigOS and ConfigOS MPO, both of which automate and simplify the hardening process, remediating issues, fixing things that break, and ensuring continuous compliance with little to no human intervention.
EIS and SteelCloud recently conducted a webinar on this topic for the water industry with more details—both technical and strategic—of the types of actions required by the government across various public and private concerns. Watch the webinar now, then contact EIS to consult on what lies ahead and what your next moves should be.