By Chris McNamara, Smart Industry editor in chief
The Cybersecurity and Infrastructure Security Agency (CISA) recently announced its Joint Cyber Defense Collaborative (JCDC) that promises to address energy and water security this year, focusing on three main areas: systemic risk, collective cyber-response, and high-risk communities.
Here we chat with Constantine Antoniou, business consultant with Schneider Electric’s Global Cybersecurity Solutions and Services team, to explore cyber-threats facing the water sector and how CISA’s new efforts can help utilities work toward cyber-sustainability and resiliency.
Smart Industry: What do you find most interesting about the Joint Cyber Defensive Collaborative?
Constantine: This is a big deal because it’s strengthening the lines of communication and information being shared between industries and the federal government. This will provide more visibility into the most pressing cyber-threats, with the goal of bringing critical industries together to turn collective insights into risk-informed actions. This is a huge step in the cyber-industry, especially as some industries, like the water/energy sectors, have been historically neglected but are now in dire need to ramp up measures to fend off attackers as cyber-threats continue to rise.
When looking at the water industry, this collaboration addresses one of the main cybersecurity challenges—a lack of in-house experts. Water organizations often don’t even know where or how to begin when selecting the right cyber-tools for their environments, to ensure they’re adhering to the latest industry cyber-protection standards for both their IT and OT networks. Collaborating with agencies, like the Department of Energy and companies across the water industry, vulnerable entities like water utilities can develop better protection for systems like edge devices (meters, testing tools, etc.).
Our Global Cybersecurity Solutions and Services team is very excited about this kind of advanced advocacy on behalf of water districts, along with any kind of utilities/critical infrastructure. The way the Cybersecurity and Infrastructure Security Agency has set up this new collaboration to establish and secure critical infrastructure is ahead of the game. It sets cyber-guidelines/best practices and I'm excited to see what this collaboration holds for the future of the water industry.
Smart Industry: What is unique about securing utilities? How is digital transformation changing this landscape?
Constantine: Utilities are an important element of critical infrastructure and must be protected to ensure that the daily lives of millions of people continue without disruption. Protecting utilities presents a unique range of challenges, from considering the electrical grid and local water supply, to oil-and-gas lines. As part of cities’ critical infrastructures, we must protect and manage water to a level of detail not usually required in other industries. This means the organizations operating within the utilities industry must strive for the highest cybersecurity levels under the global standards of IEC 62443, especially when they start digitalizing utilities.
The process of modernizing utilities is critical, and we all know that connected digital devices are here to stay. Once smart meters, edge computing and high-efficiency UPSs are introduced, new business models incorporating more customer services become feasible. With this new generation of utility services, a cascading effect of benefits involving higher network uptime, more profitable and resilient prosumer activities, and higher customer satisfaction are possible. However, the process of modernizing utilities also poses new cyber-security exposure/threats that are important to address.
Smart Industry: What new efforts from CISA come into play here?
Constantine: Cybersecurity is a default requirement. If utilities are not cyber secure, then digitalization can quickly move from an advantage to a serious disadvantage. Utilities have been known to be slower moving entities with longer cycles of change and digital transformation without strong cybersecurity planning is a serious risk. Understanding that once you digitalize, your most precious assets such as data, and your “crown jewels” can be more easily accessed. However, if you understand the principles of advanced cybersecurity, especially on the OT side of things, you can make sure that your crown jewels are appropriately protected. Specifically, ad hoc or flat network design can be surprisingly common in utilities, making it easier for threat actors to gain access to a wide range of assets once they penetrate the perimeter of the network.
The new efforts from CISA come into play here by providing utilities with industry-specific cybersecurity compliance guidelines and information, which will help them to ensure that they are following industry best practices (such as using defense in depth to make sure that your most critical assets are the hardest for any attacker to reach) during the process of modernization and digitalization to keep their assets and data safe.
Smart Industry: What do you mean by cyber-sustainability? How does this differ from cyber-resiliency?
Constantine: At its core, sustainability is about using resources in a way that avoids exhausting them and strategically meets today's net-zero targets. Similarly, cybersecurity sustainability means investing time, attention and capital in a way that mitigates risk, minimizes cost, and maximizes effectiveness—both now and in the long term. Cyber-resiliency means having the ability to withstand significant and sophisticated cyber-attacks without compromising the availability, integrity and confidentiality of your OT and IT systems. Performing regular cybersecurity assessments, implementing network segmentation, ensuring regular backups and providing consistent cybersecurity training are some of the first steps the utility industry can take to improve its cybersecurity posture, sustainability and resiliency. Cyber-confidence is obtainable; and we help customers pave the way toward cybersecurity goals with industry-leading OT cybersecurity standards, services and solutions.
Smart Industry: What is cause for optimism in this space?
Constantine: The core problem with cyber is not knowing what your organization is up against. Take, for instance, the Oldsmar Water Treatment attack in February 2021. Using old credentials, hackers were able to remotely access and survey the facility network. Within a few hours, they were able to alter controls, drastically raising sodium hydroxide levels from 100 parts per million to 11,100 ppm. Further, Claroty, a leading provider of cybersecurity platforms (and one of our leading partners in this space), conducted a survey across the water and wastewater segment and revealed that 34% of companies experienced a ransomware attack that affected IT only. Meanwhile, 22% of ransomware attacks affected OT only. Stories and research like this do a lot to create anxiety and pessimism for the people tasked with addressing any cybersecurity issues and vulnerabilities for their companies.
Optimism can be found when we look at programs such as CISA’s Joint Cyber Defense Collaborative that can provide a source of information-sharing among utilities so that they realize that they are not alone and that there are solutions to their problems. Additionally, the sophistication of threat-detection software, along with organizations such as our Global Cybersecurity Solutions and Services team, can help utilities to face their cybersecurity posture with more confidence and long-term success.
