Cybersecurity: Myths & Realities
Is cybersecurity the elephant in the room when it comes to a utility’s digital journey? We find out in this month’s QTalks episode on Cybersecurity: Myths & Realities.
With the implementation of digital solutions, utilities have more granular data and insights than ever before. But at what price? Water systems are potentially less secure with new technologies, such as digital networks, remote operations, real-time sensors, and data acquisition analytics.
Joining environmental journalist Tom Freyberg:
What is the impact of the digitalization of water on networks?
Tom began by highlighting the progress that’s been made towards the digitalization of water and how more granular insights and data can now be drawn because of it. He also mentioned that with the adoption of new technologies like digital networks, remote operations, real-time sensors, and data acquisition analytics come new questions about the security of water networks.
He also raised the question of whether cybersecurity is the elephant in the room when it comes to water’s digital journey.
Roger kicked off the discussion by talking about the challenge of retrofitting cybersecurity in the face of the digitalization of water, as well as the interoperability challenges involved with regard to the multitude of sensors from different organizations. Mentioning the “merging of two different worlds”, Paula highlighted just how challenging it can be to bring together traditional industrial industries and new technologies.
Eric went on to discuss how the increase in devices being scattered across large geographic areas has broadened the potential “attack surface” from a cybersecurity point of view. However, he also mentioned the potential to design security into the SCADA replacement initiatives that are happening across the board.
Is the digitalization of water forcing a culture shift in the industry and a change in the way personnel are being trained?
Tom then went on to ask the experts about how they believe cyber resiliency can be created within teams, and how the skill set and experience necessary to uphold cyber resiliency can be fostered.
Roger talked about how, in his experience, cyber resiliency has to be trained from within, and that everyone — from engineers to HR and finance — needs to understand the need for it. He said that as well as an awareness of customer data, there also needs to be an awareness of denial-of-service threats.
Paula brought up that with the digitalization of water comes the potential for multiple types of security attacks and threats, which means a wider set of skills is needed to meet these head-on. She also mentioned how the culture around security may be different for personnel working in plants, since they haven’t had security concerns and protocols ingrained in their work from the get-go. This further highlights how important it is to ensure that all staff are trained on cyber security issues.
Eric then went on to mention how most critical infrastructure companies have safety built into their core mission statements, and can tap into their IT department to begin initial cyber security training. He also noted the intrinsic challenges of the rapid expansion of digitalization across operating environments and how this can impact the protection of assets.
What lessons can be learned from recent changes?
Wrapping up the session, Tom asked the experts to reflect on any successful changes they’ve implemented recently.
Explaining how he was brought in to build the cybersecurity program at Hampton Roads Sanitation District (HRSD), Roger reflected on how they’ve homogenized working with SCADA and DCS partners to fit everything into a single profile. Knowing exactly who they’re working with, and on what, has meant that they’ve been able to build solid relationships. Roger also mentioned how selecting a security partner that works best for the specific organization, rather than one that works best for everyone else, helps to ensure a better culture fit.
Commenting on knowledge sharing between departments and divisions, Paula highlighted the importance of being proactive in the face of cybersecurity challenges. She said that organizations should not wait to learn lessons — especially in the water industry, due to the real impact on real people — but strive to anticipate and learn how to best prevent mistakes from occurring.
Following on from this, she also mentioned how cybersecurity should not be a trickle-down exercise, but an organization-wide priority which involves providing the relevant knowledge, tools, and education to members from all teams.
Finally, with regard to the evolving regulatory landscape, Eric hammered home how important it is for entire organizations to understand the shift in cybersecurity, especially the expectation that everyone has a role to play. He also highlighted how crucial it is for organizations to ensure that cybersecurity is part of their fabric.