What steps can utilities take to guard against cyberattacks targeting water and wastewater systems?

In this IQ&A, Garver’s series of conversations with leading experts delivering value to communities across the country, Industrial Control System (ICS) Cybersecurity Leader Steven Nguyen discusses how utilities can protect against potentially dangerous cyberattacks. In this discussion, Nguyen, who has more than two decades of experience developing cybersecurity and SCADA systems, details options that are beneficial to protecting systems against such threats.

What can I implement today to help protect my system?

1. Enforce strong password requirements by combining letters, numbers, and symbols.
2. Limit remote access to daylight hours or prescheduled time slots.
3. Keep your systems patched with the latest security updates that are released monthly by your SCADA vendor.

What are some recommendations for added security that would require additional assistance or planning?

There are three options that can provide you additional assessments and lead to higher levels of risk mitigation:

1. Detailed passive assessments provide general recommendations to added security. This assessment outlines goals and existing protocols of utilities, identifies opportunities to reduce risk, and improves system resiliency in the existing framework. These assessments use the AWWA Cybersecurity Use-Case Tool and provide an industry standard of care. This final product provides recommendations for specific areas to focus on for improvements.
2. Proactive assessments provide a path forward for a more robust network. Creating a Cybersecurity Master Plan and Cybersecurity Emergency Response Plan allows utilities to have a course of action should a cyberattack occur. This would allow your utility to have a course of action should a cyberattack occur. These documents can be implemented into standard operating procedures (SOPs) to mitigate consequences.
3. Active penetration testing simulates cyberattacks to test system vulnerabilities. Your cyber systems are put to the test by a trend consultant tasked with breaching your system safeguards. This assessment tests your system to see how it would hold up to an active attack. The result is identifying insufficiencies in the network to find weak points to address.