Cybersecurity: Water Utility Security Part 6

The issues surrounding cybersecurity in the water utility industry become more complex and technically demanding as the focus becomes more granular. This month, we continue the shift from overarching “big picture” best practices that remain fairly stable to a moving target of security and encryption protocols that may change on a monthly basis.

In fact, application security and encryption can’t be pinned down perfectly because there are too many variables to consider—and hackers are always looking for new ways to penetrate online systems. For this reason, cybersecurity measures in these areas must be subject to ongoing testing and review with resources committed to frequent fixes, updates, and upgrades. Any other approach makes it simply a matter of time until a breach occurs.

Application Security

Securing an application begins in the design phase and continues through testing, deployment, monitoring/maintenance, and on to obsolescence. One common area of vulnerability is Insufficient Transport Layer Protection, in which an application fails to protect network traffic, leaving data and session IDs exposed. Knowing enough to ask the right questions is essential during vendor selection to avoid these risks. Software vendors and system integrators must demonstrate that their applications and processes have an appropriate level of integrity. There are also actions that can be taken at an administrative level within the organization to promote better application security.

Examples of current smart practices: Each PCS user should have their own login (username and strong password). This login should be different from the user’s login for other business apps and provide access only to those program capabilities required for the user to perform their job. Administrator privileges should be given only to administrators, and all application usage should be logged, monitored, and reviewed regularly.
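The account practices above can be checked mechanically against an account inventory. The following is an added example, not part of the original article or any PCS vendor's tooling; the inventory fields, role names, permission names, and sample accounts are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    people: list            # staff who use this credential
    role: str               # job role of the account holder
    is_admin: bool          # holds PCS administrator privileges
    permissions: set        # program capabilities granted
    business_usernames: set = field(default_factory=set)  # holder's logins in other business apps

# Assumed policy: capabilities each role needs to do its job.
REQUIRED = {
    "operator": {"view_hmi", "ack_alarm"},
    "engineer": {"view_hmi", "ack_alarm", "edit_setpoint"},
    "administrator": {"view_hmi", "ack_alarm", "edit_setpoint", "manage_users"},
}

def audit(accounts, logged_users):
    """Return (username, finding) pairs for accounts that break the practices."""
    findings = []
    for a in accounts:
        if len(a.people) != 1:
            findings.append((a.username, "shared login"))
        if a.username in a.business_usernames:
            findings.append((a.username, "login reused from business apps"))
        if a.is_admin and a.role != "administrator":
            findings.append((a.username, "admin privilege held by non-administrator"))
        extra = a.permissions - REQUIRED.get(a.role, set())
        if extra:
            findings.append((a.username, "excess permissions: " + ", ".join(sorted(extra))))
        if a.username not in logged_users:
            # Either the account is dormant or its usage is not being logged.
            findings.append((a.username, "no usage logged in review window"))
    return findings

# Constructed sample data for illustration only.
ACCOUNTS = [
    Account("jsmith-pcs", ["J. Smith"], "operator", False, {"view_hmi", "ack_alarm"}, {"jsmith"}),
    Account("operator", ["A. Lee", "B. Cruz"], "operator", False,
            {"view_hmi", "ack_alarm", "edit_setpoint"}),
    Account("mchen", ["M. Chen"], "engineer", True, {"view_hmi", "edit_setpoint"}, {"mchen"}),
]
LOGGED = {"jsmith-pcs", "operator"}  # usernames seen in the usage log

if __name__ == "__main__":
    for user, finding in audit(ACCOUNTS, LOGGED):
        print(f"{user}: {finding}")
```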

No application can be guaranteed to be entirely secure, but the level of security is enhanced with constant vulnerability monitoring to identify weak points and address them quickly.


Encryption

In simple terms, encryption is about keeping information away from prying eyes through the use of cryptography (codes). Data must be protected both in storage and during transmission from one point to another. Encryption schemes may include compression algorithms, Virtual Private Networks (VPNs), and other components to provide well-rounded security. The appropriate type and level of encryption should be applied to databases, laptops and computers, mobile devices, wireless and wired communication, removable storage devices, and so forth. The best practice is typically to use the highest level of encryption available for a given piece of equipment or system.

Encryption keys themselves should be treated with special care throughout the lifetime of the keys and the data they are intended to protect. They must be backed up and managed to prevent loss, theft, or unintentional destruction. Key vaults and similar environments with restricted access and redundant storage capacity may provide a solution.

Above all, water utilities should ensure that encryption is more than window dressing. According to the AWWA, “Weak encryption schemes are particularly dangerous because they provide little protection and create a false sense of security and complacency. Proprietary encryption schemes should be avoided since they typically have not gone through comprehensive testing and often contain flaws. Also, only encryption schemes that are referenced by appropriate standards and use keys of proper length should be considered secure.” Encryption only works if it addresses real-world risks.

Next up, Telecommunications, Network Security, Architecture and more!