The Water Sector Coordinating Council in April surveyed the water and wastewater sector about its cybersecurity practices, investments, and areas of need. What emerged were a number of challenges inherent in the sector that require help on a number of fronts ranging from training, to tools and threat intelligence, and probably most notably, money.
Michael Arceneaux, managing director of the Water Information Sharing and Analysis Center (WaterISAC), joined Claroty's Aperture podcast to provide his insight into the survey results and discuss the most pressing needs and encouraging signs to emerge from the survey results.
"Our purpose was to find out the challenges that utilities have, where they are in their cybersecurity posture, what can the sector do about it, and what can Congress and the EPA do about it," Arceneaux said.
WaterISAC is a member of the Water Sector Coordinating Council and hosted the survey. Complete survey results can be found here.
While there were encouraging signs around the amount of risk assessments happening within the sector, that is offset by data that shows a lack of visibility into connected IT and OT assets. Visibility is a fundamental first step that many organizations still need to take. The survey results show that 38% of utilities have identified all IT-networked assets, and only 30.5% have identified OT-networked assets.
"Identifying IT and OT assets is a critical first step in improving cybersecurity," the report says. "An organization cannot protect what it cannot see."
Respondents want to minimize the exposure of control systems, identify and remediate vulnerabilities, and secure remote access to OT systems. They also identified the top risk management challenges for drinking water, wastewater, and combined systems; those include minimizing control system exposure, identifying and remediating software and hardware vulnerabilities, securing remote access, and risk assessments.
Other topics from the discussion include:
A characterization of the resources available across the water sector compared to the communities they serve
How to satisfy the four areas of need identified by respondents in the survey
Whether the Oldsmar intrusion has spurred changes in the water sector
How the Bay Area water utility attack demonstrates the need for better information sharing
What resilience might look like in the water sector.