Knowing beats wondering: Steps to cybersecurity success
When it comes to cyber risk, a proactive approach is paramount. Xylem Product Security Leader Senad Pašalić discusses how an in-depth understanding of systems, vulnerabilities, and actionable remediations can help utilities stay secure.
The spotlight on cyber risk for critical infrastructure has never been greater. In the U.S., a report from the National Infrastructure Advisory Council (NIAC) – an expert group that advises the president on infrastructure risks – called for the creation of a water industry national standard in cybersecurity that is affordable and attainable by all utilities.
In Europe, there is similar scrutiny. A survey from the EU’s NIS Directive (directive on the security of Network and Information Systems) highlighted the sharp rise in the cost and frequency of attacks, as well as the reputational damage and data protection penalties operators face following data breaches.
A proactive approach to cyber health
“To be prepared is half the victory” is a mantra that rings true when it comes to cybersecurity. Utilities can reap many rewards from a proactive approach to getting ahead of risks and regulations.
Foremost is the reduced risk of data breaches, which can save the organization time and financial resources required to remedy them. It can also ensure compliance with regulations, avoiding fines and penalties.
A proactive approach can also deliver long-term benefits, improving operational efficiency, reducing costs, increasing productivity, and building customer trust by demonstrating a commitment to security.
Review, evaluate, assess, and check
To reduce the likelihood of a successful cyberattack and improve recovery in the event of one, utilities should take four steps: review operational technology, evaluate vulnerabilities, assess the maturity of cybersecurity remediation processes, and conduct regular health checks. To review a utility’s architecture, we map data flows – examining how data is and could be used. We can then evaluate the utility’s existing system data flows against typical threat susceptibilities.
Teams are just as important as tech. Ensuring every team in a utility is up to speed with cybersecurity best practices and risk mitigations is an important step. During an architecture review, the Xylem team works with utilities’ Operational Technology (OT) staff through virtual workshops to identify vulnerabilities and remedies. This leads to a roadmap of proven and repeatable processes that enables the OT team to understand cybersecurity priorities and implement safeguards and gap remediations.
The second key step is a vulnerability review. Utilities can request a vulnerability review to determine if their digital technology is up-to-date and to assess if their OT security posture is being sustained.
Because cyber threats rarely stand still, examining vulnerabilities is an evolving, ongoing process. A utility’s digital assets must be checked against respected databases for new threats and to evaluate vulnerabilities.
A maturity assessment is a third key step, which allows a utility to consider its IT and OT teams’ skills, processes, and capabilities. By taking an in-depth look at the utility’s knowledge and skills and benchmarking these against industry peers and standards, we can identify focus areas for improvements and utilities prepare for potential risk remediations by upskilling their teammates’ cybersecurity knowledge.
The final step of conducting regular health checks helps utilities to ensure technology continues to be deployed securely and that processes are fit for purpose. As threats constantly evolve, this can provide water managers with actionable recommendations to ensure solutions remain secure based on current vulnerabilities.
Practical tips to fuse tech and team
Just as effective digital solutions require a blend of team and technology, so too do effective cyber defense strategies.
When developing a cybersecurity strategy, we encourage utilities to avoid solely focusing on technology and to consider their team. Evaluating whether utility staff are current with and confident in their cybersecurity knowledge is a critical step.
Ensuring IT and OT team members play a role in developing and implementing cybersecurity processes can also pay dividends. In assessments and reviews, these team members can provide valuable insights into identifying and mitigating risks as well as educating other employees on best practices.
Lastly, for utilities that don’t have a large or knowledgeable cybersecurity team on staff, partner selection is key. The right partners can enable utilities to leverage additional expertise to strengthen their team’s cybersecurity protections.
By combining effective and defined processes with an engaged staff and the right partners, utilities can reap the benefits of digital solutions while significantly reducing the likelihood of being compromised.