Prepared by Marcello Basani, Ariel Nowersztern and Yanir Laubshtein
Although increased digitization and automation of water facilities improves their efficiency and helps reduce operating costs, it also exposes them to cyber risks. From nation-state actors creating political chaos and economic disruption, cybercriminals seeking profit, hacktivists driven by ideological agendas, to individuals conducting fraud to reduce their bills, the number and variety of cyber threats and malicious actors who target utilities never stop growing.
As digital technologies spread and add value, cybercriminals exploit connected water infrastructure by attacking its IT and Industrial Control Systems (ICS) that manage flow operations, wastewater treatment, and more. Cyberattacks are predicted to escalate in frequency, volume, and sophistication. However, low awareness, coupled with a reluctance to invest in security due to perceived costs, complexity, lack of motivation, or lax regulations, results in utilities’ increased vulnerability to these attacks.
Worldwide, water utilities have already faced a wide range of attacks, including ransomware and tampering with ICS to manipulate valve and flow operations, alter chemical treatment formulations, or damage machinery. By disrupting continuity and reliability, corrupting payments, or manipulating or compromising data, these attacks can jeopardize both drinking water supply and quality and wastewater collection and treatment. Not only can this lead to devastating effects on public health, the environment, and the economy, it can also erode customers’ trust in water services and result in substantial financial and legal liabilities.
For governments and utilities to cope with these challenges and mitigate cyberthreats, a proactive approach is required. Utilities’ ability to classify an operational event as a cyber incident depends on their digital infrastructure, forensic capabilities, and cyber awareness.
Here are some insights we gathered from international standards, guidelines, cyber security organizations, and governmental regulations:
- Cybersecurity culture should exist within all departments. These threats and risks are not just traditional IT problems; they can also endanger the process control ICS/OT environment. By identifying these risks, taking the right control measures, and involving stakeholders (i.e., employees, customers, vendors, regulators, etc.), organizations can improve their resilience to incidents and recover more easily once they occur.
- Know your environment and assets. To detect cyber incidents and protect assets, the organization must maintain an inventory of its digital systems, including PLCs, sensors, PCs, mobile devices, servers, storage hardware, applications, systems, software platforms, network devices, communication infrastructure, networks, etc. This list must be reviewed and updated regularly, in tandem with the vulnerabilities associated with these assets, to enable, streamline and inform cyber risk management.
- Risk management must involve the entire supply chain and key stakeholders. In a sector where multiple actors provide all or part of the core business services (purification, desalination, distribution, water treatment, and operational or engineering services), all suppliers must have a Software Development Life Cycle (SDLC) process in place and integrators and outsourced operators must implement cyber standards.
- Organizations must be able to detect and analyse any security event or anomaly that is not in line with their operation. Organizations must respond professionally once an incident is detected, which requires dedicating resources and preparing in advance by defining internal roles and responsibilities, policies and processes, establishing contingency plans with third-party response teams and government CERTs, and having contingency communication plans to inform the public.
To learn more about these risks and what should be done to mitigate them, download our new publication: Protecting Water and Sanitation Infrastructure from Cyberthreats: A Cybersecurity Study for Latin America and the Caribbean.
Let’s talk about Cybersecurity
While digital technologies spread and add value to water infrastructure, more cybercriminals try to attack industrial control systems, flow operations, wastewater treatment, and more. Cyberattacks will escalate in frequency, volume, and sophistication.
The Water and Sanitation Division, the Innovation in Citizen Services Division, IDB Lab and Source of Innovation held a webinar on cybersecurity in water and sanitation. Speakers provided a series of recommendations for governments and private sector actors and presented a new study called Protecting Water and Sanitation Infrastructure from Cyberthreats: A Cybersecurity Study for Latin America and the Caribbean.
They also shared a self-evaluation for organizations to assess their current cybersecurity gaps and obtain recommendations.
Do you work for a Water and Sanitation company? Know your cybersecurity level!
We invite you to click on our self-assessment tool to find out the safety level of your Water and Sanitation company.
About Source of Innovation
Source of Innovation is an alliance of the IDB Group with external partners to promote the development and adoption of innovative solutions in the water, sanitation, and solid waste sector to achieve smart, inclusive, and sustainable services, with a focus on service providers in Latin America and the Caribbean.
Source of Innovation is funded by the Government of Switzerland through its State Secretariat for Economic Affairs (SECO), by the FEMSA Foundation, by the Republic of Korea through its Ministry of Environment, and by the Government of Israel. The alliance is also complemented by direct contributions from IDB Lab and the Water and Sanitation Division of the IDB.
Yanir Laubshtein. Currently VP of Managed Extended Detection and Response (M/XDR) at Sygnia, one of the leading incident response and cyber resilience companies globally, Yanir has had an extensive and impressive career in cybersecurity. In the past, he held top positions as project director for the cyber lab projects; he acted as Cyber Security Consultant to the world’s largest desalination plant project, and held a position as Global Director at PwC Israel, leading their global Centre of Excellence for ICS/OT and critical infrastructure protection. Yanir also worked as Head of Cyber Security Operations at the Ministry of National Infrastructures, Energy and Water Resources, and the Water & Sewage Authority, guiding Israel’s national and private energy and water sectors in achieving cyber resilience. While working for the Ministry of Energy (MoE), he contributed to crafting regulations, guidance and audits, as well as examining and evaluating new cyber technologies, not to mention coordination with different government agencies and international industrial vendors.
Ariel Nowersztern. A Sector Specialist at the Inter-American Development Bank, Ariel joined the IDB in 2017. His responsibilities include supporting Latin American and Caribbean governments in aspects of their national digital initiatives as well as in specific digital modernization efforts financed by the IDB. With over 25 years of professional experience, Ariel also worked in Israel as a freelance consultant to private and public sector clients. Ariel holds a Master’s degree in Business Administration from Tel Aviv University and a Bachelor’s degree in Computer Science from the Hebrew University.