Protecting Business-Critical Applications: Key Considerations For Water Utilities

By Sadik Al-Abdulla

Water utilities, as critical infrastructure providers, are tasked with ensuring reliability, resiliency, and data security in their systems. Just like electricity and gas providers, water utility companies must adhere to government regulations and standards set by organizations like The Cybersecurity & Infrastructure Security Agency (CISA) in the United States and similar designations in the European Union (EU). These designations emphasize the importance of uninterrupted service delivery due to the significant human and economic impact any disruption may cause.

Recognizing the growing cyber-threat environment, the U.S. administration has also made critical infrastructures, including water utilities, a top priority in its National Cybersecurity Strategy. In response to this priority, the U.S. EPA has directed states to incorporate cybersecurity considerations into water utility audits and supplied guidelines for conducting these audits.

Balancing Cost Efficiency And Security In Digital Transformation

During the modernization of water utilities, digital transformation initiatives play a crucial role in cost reduction, particularly in operational expenses. These projects prioritize business-critical applications that form the foundation of the transformation process. By developing customized applications on top of Enterprise Resource Planning (ERP) modules, such as those for sales, distribution, order-to-payment processes, and inventory and human capital management, water utilities can achieve cost savings across their entire value chain.

However, it is essential to prioritize security when modernizing systems. Digital transformation projects expose sensitive data related to customer billing, service, delivery, maintenance, and field operations, making them vulnerable to cyberattacks. Not to mention that the frequency of cyberattacks targeting these critical applications has jumped from 20% to 40%, with recent instances like the SAP vulnerability making CISA’s top 20 most exploited list. The consequences of such attacks can be severe, ranging from financial fraud and theft of customer data to disruptions in critical infrastructure. 

Given these risks, water utilities should consider these five crucial factors when protecting their business-critical applications during their modernization projects:

1. Custom Code Development: At the heart of modernization projects lies the development of custom code for business-critical applications. These applications play a vital role in connecting various systems, leading to improved customer success and simplified asset management and maintenance, resulting in better service outcomes. By leveraging custom code development, water utilities can build applications that streamline logistics and operational costs, optimizing capital deployment and maximizing returns. However, to ensure the security of these custom code developments, it is essential to conduct thorough application security testing, particularly given that applications have become a prime target for cyberattacks.
2. Compliance Challenges: Water utilities are subject to rigorous government regulations in both the United States and Europe. Failure to comply with regulations, such as those set by North American Electric Reliability Corporation (NERC) and Federal Energy Regulatory Commission (FERC) and EU designations like Kritische Infrastrukturen (KRITIS) and Centre for the Protection of National Infrastructure (CPNI), can lead to catastrophic consequences in terms of both human and economic costs. For instance, the 2021 attempt to contaminate a city's water system in Florida serves as a stark reminder of the criticality of safeguarding water utilities. To protect critical systems and customer data, implementing security controls that align with compliance requirements is vital.
3. The Expanded Attack Surface: Modernization projects are crucial to meet the growing demand for affordable and safe water systems. However, this transformation also creates a larger attack surface, leaving organizations susceptible to exploitation by malicious actors. The convergence of operational technology (OT) and information technology (IT) systems introduces interconnected systems and increases the attack surface, necessitating robust security measures. As targeted attacks on water companies rise, code and application security become pivotal in custom business-critical applications developed for modernization. Comprehensive ERP threat intelligence also plays a crucial role in mitigating or preventing cyberattacks.
4. Cloud Migration: Water utility companies embark on cloud migration projects to leverage technology, reduce operational expenses, and enhance service delivery. The benefits are evident, especially in equipment and asset maintenance, as cloud-based business-critical applications enable condition-based strategies, limiting downtimes and enhancing efficiency. However, despite the advantages, many struggle to fully mitigate cyber risks associated with cloud adoption. A thorough understanding of application security best practices, shared security models, and identifying potential system or code issues beforehand is critical during the planning stage of cloud migration to avoid disruptions and penalties for service downtime.
5. Self-Service Experiences and Data Security: The development of self-service experiences through internet and mobile device portals is a key driver of transparency and customer satisfaction. These portals empower customers to make payments and manage their water consumption. While they provide immense convenience, interconnecting these systems with business-critical applications containing sensitive data exposes water utilities to potential external threats. Vulnerabilities affecting SAP applications, for instance, highlight the need for robust security measures to prevent direct attacks on business-critical applications. As water utilities continue to digitize customer delivery mechanisms, comprehensive cyber risk mitigation strategies are paramount.

The modernization of water utility systems presents both opportunities and challenges. As water utilities undergo digital transformation initiatives to optimize operational costs and improve service outcomes, security must be prioritized to protect against the growing cyber-threat environment. By taking these factors into consideration, water utilities can achieve successful digital transformation while safeguarding their critical infrastructure and customer data.

Sadik Al-Abdulla is the Chief Product Officer at Onapsis.