Much of modern society relies on stable, secure critical infrastructure, but cybersecurity threats constantly challenge our complex and connected systems, placing national security, economic stability, and public safety at risk.
This month, a GAO report examined 16 critical infrastructure sectors and their progress toward implementing the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity. Water and wastewater, a diverse and under-resourced space, is one of only three (along with government facilities and the defense industrial base) identified in the report as having determined the rate of framework adoption by entities within their sector.
Other critical infrastructure sectors were not as progressive in terms of framework implementation. Some industries—such as energy, food and agriculture, information technology, and transportation systems—have taken steps toward adoption, while the remaining nine—including critical manufacturing, dams, and nuclear facilities—have not, the GAO said in its report.
Use of Cybersecurity Controls in Water & Wastewater on the Rise
According to the report, voluntary technical assessments of 146 water utility sites conducted by the Environmental Protection Agency (EPA) identified a 32 percent increase in the use of cybersecurity controls recommended in the report.
"The data on improvements and progress made included growth that the entities have collectively made in each of the five functional areas of the NIST frameworks (identify, protect, detect, respond, and recover)," the report said of water's results.
Further, an initial assessment showed entities had implemented 38% of the activities that covered the five functional areas; two follow-up assessments later, and that number was up to 50%. Some of those specific activities include developing a sector-specific list of best practices and implementing training and awareness programs. The report also shares examples of water and wastewater organizations using the framework to improve cybersecurity, including assessing the comprehensiveness of security programs.
The NIST framework is considered the standard for risk management across industries and can be used to manage risk across sectors and technologies ranging from information technology (IT), Industrial Control Systems (ICS), cyber-physical systems (CPS), and the Extended Internet of Things (XIoT). The framework, however, is not a one-size-fits-all approach to managing cybersecurity risk because each space has unique threats, vulnerabilities, and risk tolerances. Each will vary in how they customize practices, but having an overarching strategy is an essential component of overall risk management.
Water & Wastewater Up to Bat in 100-Day Sprint
Water has been an opportunistic target for advanced attackers, prompting the EPA to publish a four-point cybersecurity action plan last month and kick off a 100-day sprint similar to others mandated last year by the Biden administration in its Industrial Control Systems Cybersecurity Initiative. Like many of the 16 critical infrastructure sectors identified by CISA, water and wastewater have their challenges. For example, while there are several large water and wastewater companies, most are smaller entities that operate at the county, municipality, or township scale.
The EPA said in a statement that the country's 52,000 community water systems and 16,000 wastewater systems are expected to strategize how to improve early cybersecurity threat detection and share threat indicators and other information to expedite action from the federal government.
Securing Connected Cyber-Physical Systems
Investing in technologies that can accurately identify connected assets and vulnerabilities, and also provide remediation strategies is paramount. A secure access solution can help facilities connect with confidence and provide role- and policy-based access controls, alerting, and the ability to audit, investigate, and terminate malicious activity.
Besides reducing risk and better managing cybersecurity threats, a solution for the XIoT can also help align and prioritize cybersecurity activities for converged enterprises. By identifying and prioritizing opportunities for continuous and repeatable improvement, organizations can apply risk management principles and best practices to improve security and resilience regardless of size, degree of cybersecurity risk, or cybersecurity sophistication.
Cybersecurity risk affects the bottom line. It can drive up costs, affect revenue, and harm the ability to innovate and get and retain customers. Cyber-physical security solutions enable management to focus on business drivers to guide cybersecurity activities and consider risk management processes. These tools can help organizations determine necessary actions for critical service delivery and prioritize ROI investments.
