The Biden Administration’s new cybersecurity push finally gives these management companies a budget boost to implement the tools they need to thwart foreign or domestic cyber threats.
Radiflow’s CEO Ilan Barda has given considerable thought to the key issues springing from these measures, including the impact of the decentralized nature of America’s water utility companies; federal cybersecurity initiatives to secure water infrastructure; the AWIA 2018 regulations surrounding water security; and how best to protect against the vulnerabilities that arise from the US’ fragmented system.
Barda outlines these points to Digital Journal.
Cybersecurity risks to water utilities
According to Barda, utilities, especially water utilities, face a major threat from cyberattack: “Potable water and wastewater management is a top priority for cybersecurity professionals and the Biden administration alike. With new regulations and funding, companies must find the best way to implement and manage cybersecurity to protect these systems.”
What is the Industrial Control Systems Cybersecurity Initiative?
Due to these threats, the U.S. government is taking action. According to Barda: “The U.S. Environmental Protection Agency (EPA), the National Security Council (NSC), the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Water Sector Coordinating Council and Water Government Coordinating Council (WSCC/GCC), are taking part in President Biden’s Industrial Control Systems (ICS) Initiative. This is part of National Security Memorandum 5, Improving Cybersecurity for Critical Infrastructure Control Systems.”
As to what the legislation entails, Barda explains: “The Industrial Control Systems Cybersecurity Initiative – Water and Wastewater Sector Action Plan concentrates on high-impact activities that can be surged within 100 days to protect water resources by improving cybersecurity across the water sector. The federal government and critical infrastructure community will help facilitate the deployment of technologies that provide cyber-related threat visibility, indicators, detections, and warnings.”
Decentralisation and associated risks
Decentralisation serves a key purpose in the provision of water to homes and businesses, yet it also poses a weakness. Here Barda explains: “The United States relies on a decentralized water utility network, putting state, municipal, and city governments in charge of managing their own utilities. While some private companies cover vast regions, it is common to see individual towns and cities manage their own water for their residents.
While these standalone utility authorities allow communities more autonomy and flexibility in their operations, they commonly struggle to pool together the critical resources needed to secure their operations against the ever-evolving face of cybersecurity hackers. Lack of standards and regulation presents opportunities for hackers looking to disrupt their delicate Operational Technology (OT) and Industrial Control Systems (ICS). This is especially true at a time when these facilities are facing the need for remote access and operations to remain resilient during natural disasters and pandemics, beyond cyberattacks.”
Open for attack?
As to what types of attacks might arise, Barda says: “These fragmented systems open new attack vectors for competitive nation-states, criminals, and terrorists to exploit vulnerabilities in a far more distributed infrastructure. This means water districts and municipalities sharing reservoirs also share risks. An example of this is how water asset owners are located in rural areas, although they may have large water supplies. Being on the periphery makes them less likely to receive government funding early on, relative to larger providers, even though they are more susceptible to cybersecurity attacks because of lack of regulation due to their smaller size.”
Putting in place a protection plan
When considering protective measures, Barda says: “Devising an ICS protection plan can be a daunting task. There’s no one-size-fits-all solution, and in many cases, operators have incomplete visibility into their networks.”
Speaking of his own company’s efforts, Barda draws attention to: “Some companies in the field, such as Radiflow, are working around the globe facing similar issues. While some systems and regulatory protocols may vary by region, the global cybersecurity threat landscape demands the same level of protection regardless of location. Radiflow has helped facilities managers protect their IT environment by introducing the same digitally mirrored virtual environments commonly used in the IT world to prepare teams to mitigate and manage future threats.”