For water and wastewater treatment facilities that have historically only had to worry about physical safety concerns and high water quality standards, a new security risk has entered the discussion in the last decade: cybersecurity.

Adding the digital realm into everyday workflows has brought a wide range of benefits to water management, including increased efficiency, more stable plant performance, and reduced operating costs. However, the benefits also come with an extra layer of risks. Knowing how to best navigate those risks is not always clear or intuitive, especially for veterans of the industry that have primarily dealt with internal-only monitoring and communications tools in their daily operations. These internal tools have provided some data and have often been managed by in-house IT departments for security, but the addition of new technologies that require external connectivity, often through the internet and an associated “internet of things” (IoT), has created a new dimension of required digital literacy and protection.

Digital solutions powered by “the cloud” are changing the conversation by enabling more efficient and effective operations, but at the cost of opening the virtual door to a new invisible threat to plant safety and security. For operations managers, facility owners, and the everyday staff that runs a treatment plant, there are a number of factors to consider when searching for, assessing, implementing, and using a new digital tool. An overview of these cybersecurity factors, the types of questions to ask potential vendors, and the best practices to incorporate when adopting a solution can be found in this post.

Cyberattacks at water and wastewater treatment plants

In this digital age we’re living in, many people are aware of the basic steps needed to protect themselves online. Common tips to securing electronic data include setting strong passwords, never giving out passwords or login credentials (that includes to family and friends), updating passwords regularly and not using the same ones across multiple accounts, not opening suspicious emails or clicking on unknown links, and not introducing unauthorized data or access into a treatment facility’s network.

However, as the average person takes time to adjust their behaviour to keep these practices top-of-mind, bad actors are also advancing their approaches to take advantage of potential vulnerabilities. Numerous examples of malicious hackers gaining unauthorized access through SCADA systems have occurred in the past few years and ransomware attacks, malware, and phishing attempts are also on the rise, targeting this critical infrastructure. While water utilities are often targeted because of their essential role in communities, the threat to cybersecurity is also relevant in the private sector for treatment plants that rely on industrial control systems like SCADA or PLC.

Social engineering (where attackers use social norms to manipulate a person into giving unauthorized access), staff turnover (where old accounts are not removed by administrators quickly enough), or delayed software updates and patches (where software is not able to run regular security updates) can all be potential weak points that allow bad actors into a facility’s operating tools and systems.

The advent and adoption of cloud computing has created new tools for the toolbox when it comes to data and software management, bringing its own benefits and risks into the mix.

The benefits and risks of working in the cloud

When we add in the opportunities that cloud computing provides for treatment plants, the existing threat level can often be outweighed by the benefit of being able to gather, process, store, and access massive amounts of data on demand and at incredible speeds.

But “outsourcing” this data to external service providers and relying on them to deliver secure data transfers, processing, and stable service uptime does add a layer of risk when considering data security, integrity, ownership, and access while both in transit and at rest. This can be particularly true for smaller operators that don’t always have the in-house resources or dedicated departments to assess and manage data risks.

However, by understanding what questions to ask vendors (and which answers are acceptable when it comes to IT risk management versus cybersecurity considerations), every facility can make effective, and safe, use of this technological advancement to make progress on their digital journey.

What to ask vendors when assessing digital tools for water treatment plant operations

Digital solutions can deliver exponential benefits to treatment facilities. These include remote monitoring, automated data analysis and trending through the power of cloud computing, and enhanced decision-making support that facilitates improved efficiency in both workflows and process performance. But assessing which software-as-a-service (SaaS) vendor will treat your facility’s data with the utmost integrity and security isn’t always simple, especially if common cybersecurity practices are still a bit of a black box to you.

Here are some of the top questions you should be asking in early conversations with SaaS providers to understand which one will help you sleep soundly knowing that your facility is protected.

How is data from water treatment plants being sent, received, stored, and accessed?

One-way or two-way data transfer

Data transfer can flow one or two ways, either as read-only or read-write configurations, respectively. One-way transfer (read-only) means the service provider can only read the data using agreed upon conditions and time intervals. Two-way transfer (read-write) means the service provider can also change or update the data as needed. The former restricts access to critical controls. The latter is required if direct control is required. For analytic service providers, read-only configurations provide a sufficient level of access. As a result of their increased level of authorization, read-write configurations open the possibility of unauthorized access to data and system controls, depending on system setup.

Encryption-in-transit versus encryption-at-rest

Encryption is a standard security practice in which any data being shared is “scrambled” so that unauthorized users can’t read it while it is in transit (while being sent) or at rest (stored in a database, but not actively being used). Data should always be encrypted while in transit, as it’s being sent from the client’s computer to the solution provider’s server, to keep it secure. Encryption-at-rest means that the data also remains scrambled in a solution provider’s database while not being used to further prevent unauthorized access.

Data integrity and ownership considerations

Another important component to ask service providers about is data integrity and ownership, especially when it comes to third-party use.

1. How is the data stored when being sent, as well as once it arrives? Is encryption-at-rest part of the service offering?
   

2. What happens in case of unexpected issues such as server downtime or critical security patches and updates? Is the service provider responsible for conducting regular backups of the data, as well as multiple locations of its storage, in case of failure at one data center’s location?
   

3. Are multiple locations storing that data for redundancy and automatic failover so that data is not lost in case of database failure?
   

4. How is third-party access being managed and where is the line between who owns the data being stored? Does the intellectual property always remain owned by the treatment facility, or can the data received be anonymized and aggregated with data from other clients that a service provider works with? If so, how is the aggregated data being handled, used, or shared?

The answers to these questions will vary widely across vendors and it is a critical part of the decision-making process when assessing a digital solution to fully understand which party is responsible for what. Agreeing upfront and understanding the delineations in responsibility will help ensure that uncertainties are minimized and points of failure can be avoided as much as possible.

What are some best practices for cybersecurity at water treatment plants?

There are a number of best practices that SaaS providers should be aware of and actively using in their service offerings. These include protections such as defense-in-depth, the principle of least privilege, roles-based access controls, and multi-factor authentication, among others.

In an increasingly remote world post-COVID 19 pandemic, many organizations are already actively implementing these best practices. When it comes to SaaS tools that require internet connectivity to function, it’s important that routine vulnerability assessments and safe practices are in place to protect operational technology (OT) assets. Compliance with established industry standards is also important for vendors to adhere to, including SOC compliance.

Other cybersecurity factors for water and wastewater treatment plants

Besides addressing questions around data security, integrity, and ownership and ensuring service providers have the necessary requirements and details when it comes to cybersecurity, there are a few more factors to consider before making a purchasing decision.

Regulatory compliance

There are, of course, organizational needs, principles, and practices that will influence which tool is the best fit for the job at treatment plants. However, another critical component to factor into the decision comes from local jurisdictions and regulations at a governmental level.

Understanding how local regulations apply to electronic information being sent and used through the cloud is part of the decision-making process when assessing which service provider to trust with data, especially in the context of critical infrastructure.

Regular reminders about cybersecurity safety

Another simple, yet often overlooked, strategy to boost cybersecurity at treatment facilities is to incorporate regular training and provide resources and reminders to staff about the latest best IT practices. The digital technology space changes rapidly and what may have been applicable last year could no longer be or could have changed to keep up with emerging threats to security. Staying updated with regard to changes is the responsibility of both the service provider, and the management and everyday users of a plant that’s empowered by a digital solution like SaaS.

Choosing the right partner

As with most things in life, the key to success is choosing the right partner to work with. Trust is a foundational piece of the relationship and sound cybersecurity must be a core component of every service provider’s offering. If the questions and considerations above can’t be freely answered by a potential partner, then they may not be the right partner for the job.

Addressing cybersecurity as a component of the digital transformation that plants and the water treatment sector as a whole are undergoing is important to a safe transition. When embarking on or continuing the digital journey, be sure to work with partners and solution providers that can help you keep your data safe and secure, while also enabling you to make the most out of it through the power of cloud computing, remote monitoring, and collaborative, on-demand access to information.

Want to learn more about how Pani handles cybersecurity for our water treatment customers? Visit our Product page or contact us for access to our cybersecurity paper to learn how our digital solution keeps facilities secure. 💧🔐