Guest Column | May 5, 2022

Cybersecurity: A Marathon, Not A Sprint

By Kenneth Crowther


To become more resilient against increasing cyber threats, water and wastewater utilities should employ a multibarrier approach.

Digital technologies are fundamental to solving major water and resource challenges. However, as more water operators and users adopt these increasingly connected and integrated solutions, there is also a growing need to strengthen cybersecurity protections and build resilience to cyberattacks across their networks.

In recognition of the increasing threat to water systems, and following a number of high-profile cyberattacks, the U.S. Congress and the Biden-Harris Administration have rolled out initiatives to strengthen cybersecurity in the water sector.

For example, having already established industrial control system (ICS) initiatives for the electric and natural gas pipeline subsectors, the administration has expanded its efforts to the water sector with the creation of the Water and Wastewater Sector Action Plan. The plan, which is currently in development, is a collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technologies and systems that provide cyber-related threat visibility, indicators, detections, and warnings. Developed in partnership with the U.S. EPA, the Cybersecurity and Infrastructure Security Agency (CISA), and the Water Sector Coordinating Council (WSCC), the plan outlines actions to confront cyber threats and address cybersecurity gaps within the water utility industry. The 100-day sprint to establish the plan includes the creation of a task force of water utility leaders. The EPA and CISA will work with water utilities and invite them to participate in a pilot program for ICS monitoring and information sharing. The initiative will also engage with the task force and use these learnings to inform future regulations and proposed statutes.

In further efforts to prevent disruption due to cyberattacks, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 contained in the Strengthening American Cybersecurity Act will require critical infrastructure companies to report any substantial cybersecurity incidents or ransom payments to the federal government within 72 and 24 hours, respectively. Before these reporting requirements come into effect, CISA has up to 24 months to establish clear guidelines and rules — e.g., for defining what “critical infrastructure” entities must comply with and what constitutes a “covered cyber incident” — providing sufficient clarity to ensure that the act successfully disadvantages attackers by improving reporting and analysis, offering better protections to critical infrastructure and the citizens that they serve.

Shared Responsibility

These initiatives represent a positive step toward building resilience across the sector. However, as cyber threats become more sophisticated, the risk to infrastructure networks, including water systems, increases. We need a more holistic, integrated approach to protecting our water systems, with a sense of shared responsibility across the supply chain.

Traditional cybersecurity models whereby the owner or operator has sole responsibility for evaluating and protecting their own control equipment are not adequate without sufficient cybersecurity professionals who can understand and respond to threats. There are over 153,000 public drinking water systems and 16,000 publicly owned wastewater treatment systems in the U.S., according to CISA.1 The majority of these are owned/run by small municipal operators who, more often than not, don’t have the capacity to screen all technologies or hire cybersecurity expertise in the way that an electric or oil and gas utility might. While the plan intends to develop protocols for sharing information with operators of all sizes, operators are still faced with the challenge of deploying unfamiliar technologies and systems.

Shifting this amount of responsibility and investment onto water utilities could significantly harm the viability of the water sector and exacerbate issues associated with water rates and aging infrastructure in the U.S.

Water utilities are lean, and the security and resilience model must recognize their resources and, in some cases, limitations. We need to look beyond the operators to the entire sector if we really want to secure the water sector in a cost-efficient way.

A Multibarrier Approach

An alternative to the historical cybersecurity model is a “multibarrier approach” with collaborative outcomes, community partnerships, shared responsibilities, and communication channels all clearly defined from the outset. This model enables a broader distribution of responsibility, removing some of the burden from utilities.

This multibarrier approach is not a new concept to the water sector — it is frequently used by water treatment systems to improve water safety and reduce health risks associated with contaminated drinking water. This layered depth of defense is also highlighted in a recommended set of safeguards as aligned with ISA/IEC 62443,2 which is an industry standard for securing ICS assets. These standards form the backbone of Xylem’s recommended cybersecurity approach:

  • Secure Products – Enhance protections for user identities by leveraging strong authentication and authorization along critical paths to ICS assets such as remote access channels.
  • Secure Deployment – Execute a multibarrier approach to keep assets resilient to attack.
  • Continuous Health and Monitoring – Employ a security-relevant monitoring approach that includes active threat detection and response based on traceable events.
  • Incident Response Services – Establish capabilities that preempt operational risks, including backup and recovery, cybersecurity incident planning, training, and awareness for critical staff. Leverage relevant expertise as offered by industry associations, partners, and retained service providers

As active participants in digital transformation, we are all responsible for managing risk. Within these guidelines, responsibility is spread across the product makers, integrators, and utilities, with the burden of continuous monitoring and incident response falling on utilities.

Once connected, digital systems provide opportunities to shift some of those responsibilities to integrators and product makers that are providing services, thus reducing the cybersecurity headcount requirements on water utilities. Integrators and product makers can understand and apply cloud software, CloudSCADA, and conditional monitoring, enabling enhanced visibility and rapid detection and incident response — thus expanding security and resilience. This model will enable the vendor to protect thousands of utilities with greater effectiveness due to centralization of expertise and greater ability to distribute costs of security across products in a way that does not yet exist in the water sector.

Xylem is a member of the ISA Global Cybersecurity Alliance, where we are working across multiple product-making vendors of controllers to establish standards for cybersecurity of connected digital technology that leverages what has been learned during the creation of the IEC 62443 standards, and what we are learning now from the effectiveness of cloud-connected systems, to ensure that we can create connected digital technology for the water sector.

We believe this shared responsibility, multibarrier approach to cybersecurity will empower the water sector to combat cybersecurity threats in a way that is consistent with the sector’s values and unique challenges.

Prioritizing Cybersecurity Across The Water Cycle

As we continue to adapt our ways of working to maximize the digital opportunity, we must put cybersecurity at the center of the conversation and we must all do our part to help mitigate cybersecurity threats. This means collectively including cybersecurity in all critical phases of water, from product development and supply chain management through to sustainability efforts, so that assets stay current with regard to security best practices and standards. This also means keeping an open mind for new cybersecurity models built on shared responsibilities that specifically address the unique challenges the water sector faces. This approach will require innovation and evaluation to accomplish successful collaborative cybersecurity outcomes.

Xylem is partnering with customers around the world to help them build resilient networks. We embed cybersecurity in every new connected digital product and have a suite of cybersecurity assessment services available that can enable water utilities to understand their cybersecurity capabilities.



About The Author

Kenneth Crowther is the product security leader for Xylem Applied Water Systems. He also serves on the ISA Global Cybersecurity Alliance subcommittee for Industrial Internet of Things (IIoT) cybersecurity certifications and on a committee of the Military Operations Research Society to train and certify risk analysts for doing national security risk analyses. Crowther holds a PhD in systems and information engineering from the University of Virginia and a BS in chemical engineering from Brigham Young University and teaches applied quantitative risk analysis at the University of Virginia and Georgetown University. He has published dozens of peer-reviewed manuscripts on topics related to risk analysis and homeland security.