Demystifying Cybersecurity for Water Utilities

Nov. 1, 2022
To protect digital assets in the ever-changing environment of cybersecurity, best practices can be fragmented between utilities of different sizes across the nation.

Risk assessment and prioritization are vital for critical infrastructure’s information security. When it comes to the water industry, there is no one-size-fits-all solution as the industry is fragmented with utilities of different sizes spreading across the nation.

As a whole, this decentralization may be seen as a positive when it comes to data protection and operational control: it would be hard to bring the whole industry down in one cyber attack. Yet, decentralization also means there is a vast difference in security practices and maturity across the industry.

Hackers are always on the prowl for the weakest link. As cyber threats are continuously evolving, smaller utilities may not have the dedicated in-house cybersecurity expertise and resources to deal with the ongoing challenge.

The recent Presidential Order to Improve the Nation’s Cybersecurity is a big step forward. It helps raise awareness of the importance of this challenge as a national security issue. It provides an excellent framework and guidance for water utilities to know what they need to be looking for in best practices on how to protect employees and secure operations.

Consider Vulnerabilities

Every organization has a vast cyber threat attack surface. Knowing what these are is the first step to understanding a utility’s vulnerability.

For example, over half of cybersecurity incidents occur through third parties, like supply chain vulnerabilities. This could be your small vendors like accountants, medium-sized vendors like engineering firms, and larger-sized social platforms that most employees use every day.

However, the most vulnerable piece of cybersecurity is the human being. Last year, 36 percent of data breaches were from phishing. Well-meaning employees who want to do a good job can be easily fooled by attackers impersonating people within the organization to convince employees to give access or information to things they wouldn’t if they knew who they were.

Remote access has allowed utilities to continue to achieve a higher level of efficiency, transparency, and even continued smooth operation during a pandemic that restricted workers from being in the office, plant, or field. Ensuring secure access to the IT network is key to protecting data and the safe control of SCADA systems.

Systems that are not connected to the internet, also known as being air-gapped, are missing out on the digital transformation that brings a whole new level of efficiency and transparency allowing authorized personnel to always have eyes on the system, regardless of where they are.

It doesn’t matter whether an operating system is plugged in: if a utility has an internet connection it is at risk. However, utilities can be confident in embracing the benefits of digital transformation, so long as they have a proactive approach when it comes to security.

A Starting Place for Protection

Cybersecurity is part of the digital journey. It requires ongoing attention, starting with addressing basic needs and moving on to more complex solutions to build on top of foundational blocks. Here are some ways that water utilities can step up to address the evolving world of cyber threats.

Create awareness across the organization

Cybersecurity needs to come from the top down. All employees, regardless of role, need to follow basic best practices. Water utilities can use the EPA’s Cybersecurity Best Practices or find a host of resources at the Cybersecurity & Infrastructure Security Agency (CISA).

The best way to protection is with knowledge. Everyone in the organization should understand the basic terms like encryption, VPN, firewall, malware, virus, ransomware, trojan horse, worm, etc. Employers should provide ongoing training and access to processes and policies that are in place to protect employees and operations so that, when there is a red flag, employees know the right questions to ask — and that their concerns will be understood.

There are many little things that make a difference. For instance: don’t share passwords; when something feels wrong, it’s probably wrong; and don’t give remote control of a computer. If the utility airgaps, then don’t let people slip in a USB port to the isolated system. This used to be common practice — remember coming back from tradeshows with USB giveaways?


It’s a good idea to have an ongoing conversation on the latest phishing scams, so everyone knows what to look out for. Social engineering is becoming more sophisticated; hackers are assuming the identity of trusted personnel and accessing people by text, phone, and email.

Some organizations put out their own phishing scam tests to identify the most vulnerable people in the organization so that they can bolster training efforts where needed. Consider partnering with software companies that make cybersecurity a priority.


Passwords should not be shared. This would seem obvious, but people still share passwords or user accounts within an organization and sometimes go as far as posting a sticky on the computer that is used to access the program. When employees leave, change the passwords. There are many programs that help with password management and ensuring that passwords are strong.

Ensuring systems are up to date

Software systems that are out of date are more vulnerable. Be sure to include servers, internet routers, modems, and gateways in patching. These updates are often necessary to correct errors and secure areas of vulnerability to new cyber threats. Also, utilities should ensure that their data backup is up to date.

Third-party evaluation

There is more often awareness of security inside an organization than on the outside. The Presidential Order provides a good framework for water utilities to ask third-party vendors the right questions to ensure they meet the federal requirements for providing a service to a critical infrastructure organization.

Reputable software companies have gone through the rigor of meeting safety standards such as ISO 27001, NIST, FedRAMP, OWASP, and others. Companies that have these certifications live and breathe security to maintain it. Utilities can also look at the security scorecard of third-party vendors.

Secure remote connections

Remote work and access are here to stay. One of the best ways an organization can protect itself and its employees is by establishing a virtual private network (VPN). This ensures staff are authenticated through a corporate VPN before they access other networks to do their work.

Never poke a hole in a firewall to access data remotely. Utilities can install an agent (hardware with software) behind the firewall to act as a gateway and push the data required (on demand, on a timer, or an event) using encryption such as secure sockets layer (SSL) or transport layer security (TLS) encryption for protection while it’s in transit.

Continuous monitoring

Some vulnerability scanners regularly monitor systems to look for and prioritize threats. There are many different tools available, such as firewalls, antispyware, antivirus software, etc. New threats continually evolve so, without skilled experts in-house to stay on top of it, utilities can instead use third-party services.

Continuous sharing of intelligence information

Collaboration with other utilities is another way to stay informed and learn what works from neighboring utilities and associations. On a broader scale, utilities can join Water ISAC, an international security network created by and for the water and wastewater sector. They are an excellent resource to support response, mitigation, and resilience initiatives and are partners with high-profile water associations.

In the event of a cyber attack, utilities should report it to CISA and Water ISAC.

An Evolving Landscape

While cyber threats are real and on the rise, software to protect organizations has also evolved. It used to be that a firewall would protect a system’s perimeter and antivirus software protected the inside. New software today looks at behavior analytics of processes within the system. If a system starts to act unusual, the new software will send alerts or stop the process that is outside of the norm.

In the past, security was often seen as the competitor to functionality. Now, it’s a key function of the business. Thinking has changed from “what do I want my product to do” to “what do I want my product to do and how do I do that securely?”