Cybersecurity: Water Utility Security Part 2

Last month, we began an exploration of the risks posed to water utilities by lack of adequate cybersecurity. Now, it’s time to understand why organizations aren’t doing more to address these modern threats.

How Widespread Is Lack of Preparedness?

Very. According to a 2014 report by Unisys and Ponemon Institute (“Critical Infrastructure: Security Preparedness and Maturity”), more than two-thirds of utility and infrastructure agencies admit to having at least one incident of compromised security that led to data exposure or operational disruption. Yet fewer than one out of three of these organizations considered security one of their top 5 priorities. Less than 20% of companies interviewed were operating at a mature level of cyber security.

What’s Holding Utilities Back?

Most public agencies have, historically, been very slow to adopt new technology. There are several reasons:

  • High costs
  • Perceived risks
  • Practical and technical challenges

The last problem is one of the trickiest to resolve. Even systems that were once considered state-of-the art weren’t built with today’s digital world in mind. For example, it’s common for utility companies to run their technology infrastructure on very old or unpatched versions of Windows—the same O/S that was initially put in place when systems were first computerized.

Upgrading can’t be achieved simply by throwing money at the problem. Legacy modernization requires a great deal of preplanning and risk mitigation to avoid disruption of services. After all, the operation of utilities has physical, real-world consequences. A failed upgrade doesn’t just mean people complaining on message boards about a bug in a smartphone app. It can entail people living without water and sanitation.

The Wait and See Approach Remains the Norm

It’s no wonder that the time and cost involved in updating utility systems to make them more secure is often viewed as prohibitive. Cybersecurity as an unavoidable cost of maintaining a system can be a hard sell. The only upside to making a system secure is that it continues to function as customers expect. There’s no visible benefit to having better security as long as things are going well. Unfortunately, many agencies simply cross their fingers, hoping to avoid a catastrophic event. What should they be doing differently?

In Part 3 of this series, we’ll explore some of the ways water utilities can become more secure.