Cybersecurity for Water Systems

Cybersecurity remains a prominent topic in 2024, and its vital importance extends to rural water systems. The imperative of imparting fundamental cybersecurity knowledge to these water systems cannot be overstated. Recent studies have estimated that cybercriminals made nearly $8 trillion dollars in 2023, with projections estimating a steady increase to $10.5 trillion by 2025. While a considerable portion of this stolen money resulted from targeting large corporations and industries such as healthcare, cybersecurity experts highlight a notable surge in attacks on critical U.S. infrastructure. Many experts foresee a rise in cyber threats originating from potentially hostile countries towards the United States, with incidents having already occurred and anticipated to escalate in the coming years. 

The significance of cybersecurity awareness for rural water systems is self-evident, as they constitute an essential component of a community's public health. However, most water systems have not yet implemented a cybersecurity plan, and many remain unaware of the imperative for cybersecurity awareness. Individuals unfamiliar with cybersecurity are often skeptical about the necessity of preventing cybercrime and fail to recognize the benefits of proactive protection. This lack of cybersecurity awareness underscores the need for a cybersecurity plan. 

What is a Cybersecurity Plan? 

A cybersecurity plan is a structured approach to fortifying the digital defenses of a water system. The first step in crafting a robust cybersecurity plan is to identify a designated Cybersecurity Lead. This person will become the focal point for all cybersecurity-related activities, ensuring a centralized and organized approach to safeguarding sensitive data and critical infrastructure. The cybersecurity lead need not possess advanced technical knowledge, or a specific skill set; the important aspect is to have someone appointed who can prioritize cybersecurity, ensuring it remains at the forefront of everyone’s awareness and serving as a point of contact for questions or potential issues. 

Once a Cybersecurity Lead is identified, the second step involves the establishment of a Cybersecurity Policy. This policy serves as the guiding framework, outlining the organization's commitment to cybersecurity, defining roles and responsibilities, and establishing a set of rules and protocols to govern the secure use of Information Technology (IT) and Operational Technology (OT) devices. This policy sets the tone for cybersecurity practices and creates a shared understanding across the system.

In the third step of the cybersecurity plan, annual cybersecurity training is conducted to keep the workforce vigilant in identifying and addressing risks. The fourth step involves preparing for cybersecurity threats by developing incident response plans, conducting vulnerability assessments, and staying updated on emerging threats, ensuring the water system is resilient and ready to navigate the cyber threat landscape. 

Steps toward a Cybersecurity plan 

Not every system is prepared for the full implementation of a cybersecurity plan. Rural water systems, often understaffed, may lack the resources to allocate additional responsibilities to their employees. Nevertheless, taking preliminary steps toward the eventual implementation of a cybersecurity plan can be vital for system security. Here are three simple steps that water systems can take to initiate the process of enhancing their security: 

1. Secure Passwords 

Changing passwords frequently and creating complex, difficult-to-guess passwords are among the easiest and most effective cybersecurity practices. Additionally, setting up Multi-factor Authentication is recommended.

Common best practices specify four elements that contribute to a secure password:

1. one uppercase letter
2. one lowercase letter
3. one number
4. one symbol

Example: iL^vE_C@t$ 

2. Email Security 

A large proportion of successful cyber-attacks are carried out through email scams. An essential preventive measure involves ensuring that water systems comprehend the most common types of attacks and know how to respond to them. Water system employees should be able to recognize and react to the three most common types of attack: spoofing, phishing, and interception. 

1. Spoofing: An attacker disguises their identity to appear trustworthy, often by using a familiar email address or domain.
2. Phishing: Perpetrators attempt to trick individuals into divulging sensitive information, such as passwords or financial details, by posing as a trustworthy entity.
3. Interception: Unauthorized access to or interception of communication.

3. Require Separate IT and OT Credentials 

This simple action provides a significant security measure. Many water systems use the same devices for accessing both their SCADA systems and the internet. Though it may not always be feasible due to available equipment, an effort should be made to separate IT and OT systems. As cyber-attacks frequently target SCADA systems in water facilities, the introduction of distinct credentials for IT and OT systems offers an additional layer of security for the water system’s operations. 

Recognizing the constraints faced by many water systems, these steps serve as a vital starting point for enhancing security gradually. By implementing cybersecurity awareness and practicing proactive measures, water systems can begin to navigate the evolving threat landscape, safeguarding critical infrastructure and community health.