Closing the floodgates

Building a watertight defence against an evolving cyber security threat

Lucas Young, Axis Communications, explains why collaboration and tighter controls are essential to defend our water supplies from a rapidly evolving threat to critical infrastructure

Water industry attacks are growing in number and complexity. In January 2020, a water company in the US experienced a cyber attack which disabled its phone and online payment systems, impacting nearly 500,000 customers[1]. In April, Israel’s National Cyber Directorate received reports about an attempted attack which aimed to target a water plant’s Industrial Control System (ICS) and raise the level of chlorine in the water supply[2]. With such attacks presenting a major risk to the quality and availability of water supply, the UK government aims to work closely with water companies to ensure that security becomes a crucial focal point, to be addressed through a range of measures.

As increased automation and connectivity reduce the scope for standalone or manual operation of the water supply, the UK’s Department for Environment, Food and Rural Affairs (DEFRA) outlined its vision for 2017-2021 of a ‘secure, effective, and confident sector, resilient to the ever-evolving cyber threat[3]’. The ‘Water Sector Cyber Security’ strategy is designed around protecting and developing ‘strong preparedness to respond to emergencies’ and securing both information technology (IT) and operational technology (OT) systems. And yet, with 2021 just around the corner, many water companies across the UK have yet to complete the security upgrades and processes needed across their many sites to be fully capable of responding to a cyber attack.

Anticipating the evolving security threat

Standardisation across the estate is essential if the water sector is to work as one. With sites across the UK water industry still working in isolation, inadequately guarded remote water reserves and inferior consumer grade technologies are potentially left wide open to attack. Adopting appropriate measures, such as the installation of enterprise grade security systems, and working closely with trusted partners to proactively guard against attack will be crucial. And as the Centre for the Protection of National Infrastructure (CPNI) has warned, the consequences of failing to formulate a strategic security vision and invest in appropriate measures to mitigate the risk can be costly[4].

With new threat vectors placing mounting pressure on water companies, it’s important to continuously risk assess the types of attack and the resulting protective measures required. For example, attacks may come not from a single point but by multiple means: an approach which combines cyber attack with a marauding physical assault to create panic and disorientation and to limit the effects of any crisis response. The compromising of information technology systems could lead to the theft of valuable data, while the control and sabotage of OT systems, directly related to the quality and quantity of water supply, has the potential to put many lives at risk.

The hallmarks of advanced cyber security principles

As with all technology, there are inherent risks when improperly secured IoT devices are installed on a network. Network surveillance cameras, for example, which are not cyber secure can be used as a backdoor to gain access to the IT network, either from an insider threat or a remotely triggered assault. Consumer grade security technologies might appear to offer adequate protection, but in reality come with none of the assurances around quality of manufacture or adherence to cyber security principles. Secure technologies, built from the ground up with cybersecurity considerations at the forefront, should form an essential part of any enterprise asset protection strategy.

The water sector should look for guarantees when partnering with the providers of such technologies, such as Secure by Design and Default, an accolade awarded by the Surveillance Camera Commissioners (SCC), and Cyber Essentials Plus, offering evidence of operation in accordance with advanced security principles. These credentials play a role in forming the strategic implementation of solid security goals that are aligned with regulation and best practice. Discussions should take place to determine how security is managed and maintained across the ecosystem. The rolling out of training and education, provided by an approved provider or device manufacturer, will cover best practice and explore appropriate measures to ensure high levels of security. Gaining the ‘buy-in’ of relevant personnel and stressing the importance of adhering to stringent cybersecurity protocols is key to ensuring full commitment to the protection of hardware, software and systems, and removing any weak link in an otherwise secure chain.

From a network perspective, the success of the IoT should not be hampered by weaknesses in physical systems. The potential for success is too great to be lost to a forgotten IP flaw. The challenge does not lie in how to create the ultimate IoT platform, but in securing it across every touchpoint and unexpected vulnerability. There is a requirement for water sites to harden their security networks, automatically locking down exposed connections to reduce access to IP-based Industrial Control Systems (ICS). Automating the 24/7 health and cybersecurity monitoring of devices also adds a further layer of cyber protection.

Comprehensive protection of the water industry

Effective physical security of an asset is achieved by layering the different measures, an approach commonly referred to as ‘defence-in-depth[5]’. A combination of security technologies ensures that, while comprehensive protection is achieved when all of these measures work together, security is not significantly reduced with the loss of any single layer. Network cameras offer high quality video surveillance both inside and at the perimeter of a site. Their ability to capture real-time evidence of a physical attack in progress, rather than the after-the-fact forensic video typically provided by legacy systems, provides authorities with timely evidence of any attack on the premises as it occurs.

IP audio systems, comprising digital speakers on a network, can be used to sound alarms and issue live or pre-recorded verbal warnings, complementing video for a combined audio-visual deterrent and surveillance solution. Additionally, with modern access control devices configured to accept access via a QR code displayed on a mobile phone, and using positive identification by video as a second factor of authentication, approved personnel can be swiftly admitted to a site, while unauthorised attempts at entry raise an alarm. Remote management capabilities also allow security and operations personnel to check the status of a site without having to enter the premises unnecessarily, which is particularly important under the operational constraints of a lockdown. Advanced analytics allow the data from numerous security devices to be combined for a complete site overview managed from afar.

A collaborative approach to security

It’s clear that a converged approach to security is needed as the dynamic threat evolves, with strategies employed across physical and cyber security to address vulnerabilities and maximise resistance. By working with partners and vendors to build trusted relationships across the supply chain, guarantees can be established as to authenticity and integrity.

Regulations such as the GDPR, and the NIS Directive, place more onus on industry sectors to demonstrate security understanding and compliance and to ensure the integrity of their systems. A scalable, future-proof solution, backed by the full support of a trusted partner and following government guidance and strategy, will unite the industry to create a formidable barrier against the next generation of attack.
