Why water utilities must invest in cybersecurity
In Albuquerque, N.M., arid conditions and frequent droughts make water a precious commodity that must be carefully managed. Aggressive conservation programs, water recycling and storage of excess water underground (safe from evaporation) are just some of the methods we employ to safeguard the water supply for our 650,000 users. Recently, safeguarding has taken on new meaning for utilities such as ours, as cybercriminals have made water suppliers targets for attack.
Everyone in the water industry fears a repeat of what happened in Oldsmar, Fla., last February, when hackers took advantage of a remote-access system that was beyond the local water utility’s security perimeter. The intrusion only lasted between three and five minutes, according to the Tampa Bay Times. But that was time enough for the hackers to increase the levels of sodium hydroxide (lye) being fed into the water system as a corrosion inhibitor from 100 parts per million to 11,100 parts per million. If not for the operator who saw the change and quickly corrected it, it could have been a disaster.
The harsh reality is that too many water utilities are stuck with antiquated systems and limited visibility into what’s happening in their operational technology (OT) environments. Historically, OT environments and IT environments were completely separated (air-gapped). We are now able to leverage smart sensors to help detect leaks and save manpower. This technology allows water utilities to become proactive as opposed to reactive. However, this also means the convergence of IT and OT environments. Often, equipment within OT environments was never designed with the intent of one day communicating with IT networks. This opens a whole new world of vulnerabilities that must be addressed, and air-gapping is no longer an adequate fail-safe response.
Fortunately, the Water Authority is not afraid of innovation, and we’re taking advantage of remarkable new technology that offers solutions to the challenges of OT/IT convergence and the security risks that arise when these worlds come together.
Deploying this technology was not an overnight process, and we didn’t fully recognize the need for it until our IT and OT teams began collaborating more on system integration. This led to the realization that our end-of-life network equipment was not up to the task—and that our IT staff lacked an in-depth understanding of the operational environment.
To read the complete article, visit American City & County.