News: AWWA News

Cybersecurity: Does It Matter?

Thursday, May 31, 2018  
By Kevin M. Morley, PhD


It’s not a matter of if, but rather a matter of when a water utility will be impacted by a cyber incident. No water utility is immune from this threat.


So does size matter? The glib answer is of course it matters. The reality is that all water systems of any size now have virtual footprints that far exceed their physical perimeter. Cybersecurity is more than just ensuring that the customer service, accounting, and human resources folks protect personally identifiable information (PII) and conform to HIPAA (the Health Insurance Portability and Accountability Act of 1996) rules. It goes well beyond keeping your desktop or laptop operating systems updated with the latest patches from Microsoft or Apple. The growth in the Internet of Things (IoT), or more specifically, the Industrial Internet of Things (IIoT) has led to greater efficiency in leveraging data to optimize utility operations and processes. This includes all of the employees with smartphones, iPads, Kindles, and laptops that IIoT allows to remotely access, monitor, and manage the system. Included here are folks with personal devices that may ride along or otherwise “touch” a utility network, such as charging via a seemingly innocent USB cable or plugging in a memory stick from an unknown source.


#1. All water systems have people. Most, if not all, utility employees have computers that support some level of internet connectivity for business purposes like e-mail. This may or may not include the computer that runs supervisory control and data acquisition (SCADA). Most of these employees also have smartphones or similar devices that may or may not be provided by the utility. Everyone is at risk of clicking on something that has a virus. Think about those e-mails from “friends” that say, “Here’s something you need to see:” or those e-mails from a long-lost relative who only needs a little bit of help.


As a result, this can expose a utility’s business and operating system to bad actors, which can have a significant financial or operational impact. “Bad actor” is a term used for cybercriminals. Ransomware is the most frequent and simplest attack: it blocks an owner from accessing various files and demands payment for recovery, and rarely are those files returned. This type of attack is rampant, as represented in this graphic.



Source: Verizon, 2017. Data Breach Investigations Report,


#2. Operating systems are not consistently maintained/patched. A large percentage of successful attacks, across all sectors, have exploited vulnerabilities that have had mitigation patches available for decades. The only way to know that things are in good shape is to determine what controls are in place relative to what should be in place to protect a utility’s systems, especially process control systems. Resources such as the use-case tool developed by AWWA provide a utility with a clear set of prioritized controls that, if implemented, can mitigate the risks associated with cyberthreats. This does not mean the utility will not be targeted, but it does help lower the likelihood a hacker will be successful. This is a classic case of open versus closed—the more “doors” that are left open and unsecured, the greater the access and opportunity for bad actors. 


#3. Nobody knows ABC Water. It is reasonable for one to think that a large city’s water utility is a more attractive target when compared with Smallville’s utility. That concept does not work in cyberspace; while some attacks are targeted, many others are very opportunistic. In a few clicks and strokes of the keyboard, a hacker can distribute millions of e-mails to propagate their malware. In addition, consider that many control systems were installed before cybersecurity was something to even worry about. As a result, many utilities may not realize that portions of their system have publicly facing IP addresses that are easily targeted by bad actors using sources like SHODAN, a library of sorts for devices connected to the internet. Even if your IT staff or vendor says you’re not connected to the internet, verify that this exposure pathway is indeed closed. In this case, the size of the utility hosting a publicly facing device is completely irrelevant and unknown to the prospective exploiter. If these devices are important to your operations, protect them and manage them accordingly, using the recommended controls. That begins with securing these devices and turning on the security settings many devices already have in place rather than using default settings that anyone can look up online.


Bottom line: Cybersecurity matters. The size of your utility does not matter when it comes to cybersecurity. If a system is critical to your utility’s operations, you’ll need to implement controls to manage its cyber-risk. I suspect all your systems are critical; otherwise they never would have been installed, so get on it before it’s too late.



Kevin M. Morley, PhD, is AWWA’s Manager of Federal Relations. He can be contacted at
