Cybersecurity Basics for a Water Resources Agency (only for hydrographers)

Aquatic Informatics organized a webinar on 13 July 2022 on “Demystifying Cybersecurity for the Water Sector”. A timely initiative because this topic is important but, for many, also intimidating.

Below are a few takeaways:

Simple measures go a long way

Cybersecurity sounds terribly complicated. Yet a few simple measures go a long way in strengthening the defenses of a water resources agency against a cyber-attack.

Simple measures that are cheap and easy to implement include:

  • Sensible password management: ensure that passwords are unique, not shared, and regularly changed; follow proper procedures when changing passwords (hint: do not circulate the new passwords in a group email or with a USB flash drive…)
  • Periodically upgrade PCs, servers, internet routers, phones, and other network elements; older equipment and software are generally more vulnerable to cyber attacks
  • Constantly install the latest patches in the operating software and other applications
  • Constantly update antivirus software
  • Do not allow unlicensed (cracked) software on agency computers
  • Use a VPN (or a secure corporate network) to connect to the internet; do not use public Wi-Fi to connect to the organization’s servers
  • Regularly update the software that protects the agency’s perimeter network (firewall)
  • Create awareness in the organization about phishing emails and techniques

Cyber security is about people and awareness

For most organizations, the biggest cyber risks are associated with their employees, not with hardware or software components. In other words, cybersecurity is often a behavioral issue rather than a technical one. Creating basic awareness about cyber risks and establishing a set of best practices—and then making sure everybody follows them—are critical steps in reducing cyber risks. Education and awareness are key.

Reputable software

Select software from reputable developers who integrate cybersecurity from the outset in their application. Thus, avoid software where cybersecurity is an afterthought. This applies specifically to software that is used to share water data with the public.

In this regard—when it comes to cybersecurity—there are benefits associated with a cloud-based solution. Reputable cloud-based software providers should be very concerned about cybersecurity and will rigorously implement the set of best practices discussed above (constantly updating software and antivirus software, monitoring uncommon user behavior, making frequent data backups, etc.).

Thus, when deciding between a cloud-based or an on-premises solution for water data management, a key question should be: “do we have the IT staff and expertise—24/7—to ensure cybersecurity?”. If the answer is no, the organization may wish to consider a cloud-based solution.

Note that the reliability of cloud solutions depends on the software developer, and the water agency is well advised to carefully check its reputation.

Complete and incremental database backup

A full and incremental backup of all water data will provide protection against a virus or a ransomware attack that has corrupted the primary database. Ensure frequent and automated backups—continuous or at least multiple times per day—and regularly test data recovery procedures.
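A restore drill of the kind recommended above, as an added example that is not from the webinar or the original post: it replays a full backup plus its incrementals into a scratch state and rejects the chain if any set is missing, out of sequence, or fails its SHA-256 check. The station ID, readings, and function names are constructed for illustration.

```python
import hashlib
import json

def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

def make_backup(seq, kind, records):
    """Constructed backup set: returns (manifest entry, payload bytes)."""
    payload = json.dumps(records, sort_keys=True).encode()
    return {"seq": seq, "kind": kind, "sha256": digest(payload)}, payload

def restore(manifest, payloads):
    """Replay full + incrementals in order; raise if the chain cannot be trusted.

    Assumption: the manifest is kept apart from the backups (offline or
    write-once), so whoever alters a backup cannot also fix up its hash.
    """
    if not manifest or manifest[0]["kind"] != "full":
        raise ValueError("chain must start with a full backup")
    state = {}
    for expected_seq, entry in enumerate(manifest, start=manifest[0]["seq"]):
        if entry["seq"] != expected_seq:
            raise ValueError(f"gap in chain before seq {entry['seq']}")
        payload = payloads.get(entry["seq"])
        if payload is None or digest(payload) != entry["sha256"]:
            raise ValueError(f"backup seq {entry['seq']} missing or altered")
        state.update(json.loads(payload))  # newer readings overwrite older ones
    return state

def restore_drill():
    """Run the drill on constructed stage readings (station|time -> metres)."""
    full_m, full_p = make_backup(1, "full", {
        "ST01|2022-07-13T00:00": 1.42, "ST01|2022-07-13T06:00": 1.47})
    inc1_m, inc1_p = make_backup(2, "incremental", {
        "ST01|2022-07-13T12:00": 1.55})
    inc2_m, inc2_p = make_backup(3, "incremental", {
        "ST01|2022-07-13T06:00": 1.46, "ST01|2022-07-13T18:00": 1.51})
    manifest = [full_m, inc1_m, inc2_m]
    payloads = {1: full_p, 2: inc1_p, 3: inc2_p}
    restored = restore(manifest, payloads)
    # Simulate a corrupted incremental: the drill must fail, not restore bad data.
    damaged = {**payloads, 2: inc1_p.replace(b"1.55", b"9.99")}
    try:
        restore(manifest, damaged)
        corruption_detected = False
    except ValueError:
        corruption_detected = True
    return restored, corruption_detected
```
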

The next level

Many water agencies will require more thorough cyber defenses. The appropriate level of protection—and the associated investment—will depend on a threat and risk assessment based on the question: “what are the consequences if the system is hacked?”. This is the domain of cybersecurity professionals and is outside the scope of this blog post. Nevertheless, below are some suggestions of next-level measures for a hydrometric agency:

  • Encrypt the database, and the data transfer to and from the database
  • Set up secure communication between data loggers and the server using the SSH File Transfer Protocol
  • Use two-factor authentication with a One Time Password (OTP)
  • Install dedicated and hardened hardware and software that acts as an agent to collect remote information from outside the firewall
  • Use the HTTPS authentication and security protocol when making information available through browsers or web servers

Closing remarks: cybersecurity is an ongoing process

Cybersecurity has become a serious matter that warrants adequate attention from water managers. For a hydrometric agency, fortunately, a reasonable level of protection can be achieved by implementing a set of basic and cheap measures. Creating awareness across the organization about cybersecurity risks is an important first step. A risk assessment should determine whether more sophisticated security measures are required.

However, note that cybersecurity threats constantly evolve, and the water agency is advised to always keep cybersecurity near the top of its agenda. Cybersecurity is a continuous process that, unfortunately, cannot be achieved through a one-time intervention.