Smart utility network helps city reduce annual water loss by thousands of litres. Many drinking water and wastewater utilities across India today and a growing number rapidly, depend on networks and automated control systems to operate and monitor processes such as treatment, testing, and movement of water. Expanded technology intervention and connection through the internet of things is making water delivery smarter, but it comes at the cost of opening up earlier inaccessible equipment and processes to cyber-attacks. Authorities recognize the threat not only to these organizations but most importantly to consumers, whose lives could be at stake but there is no turning back from taking advantage of the benefits of remote monitoring and automated processes. The only option is for utilities to ramp up their security efforts as part of their short-term and long-term goals.
Water Utilities globally have already faced instances of cyber attacks in more than one way.
- Denial of Service attacks
- Tampering with Industrial SCADA systems
- Manipulating how water flows
- Altering the chemical treatment formulations
The damage from cyber-attacks can be lasting and costly to an operation’s infrastructure. A glimpse of how devastating a successful attack on a water supply was laid bare when an attacker hacked a water treatment facility in Florida, US, and raised the levels of Sodium hydroxide, or lye, in the water. Although the attack was detected and the effect minimized, officials accepted that it could have been dangerous. In India, water utilities must take a security-by-design approach that builds cyber security resilience into their transformation strategy. Sourish Dey, Director at Trisim Global Solutions, a company offering Cyber Security solutions for power and water utilities, said that “Insiders, disgruntled employees, ransomware attacks and independent actors trying to create chaos were always a threat for utilities. But now, nation-state actors are the biggest concern with huge resources and totally different objectives and motivations trying to cause disruptions that harm governments and national security.”
The corporate or IT networks and SCADA networks were separate because the network topologies are different. Increasingly, however, SCADA and business networks are getting interconnected to provide more integrated operations. Sourish Dey suggested that “With the eroding air-gap, which was anyways always a myth, it is high time that utilities have separate budgets for cyber security and not just try to make whatever possible as part of automation or SCADA upgradation projects. We are advising utilities to focus on creating cyber security roadmaps which are preambles for every other organization’s plans followed by regular vulnerability assessments. At Trisim, we offer a curated bouquet of technologies that are meant for OT Networks from a mix of global and Indian cyber security leaders for setting up the best possible defense.”
Budget constraints for cyber security will be a challenge as utilities in India modernize. Authorities must tailor their security strategies towards cybersecurity resilience instead of attempting to eliminate every possible threat. As a minimum, cybersecurity training must be made mandatory for everyone in the organization to recognize phishing or any other suspicious activity. Deep assessments by CERT-In empanelled organizations at regular intervals for both network and applications will help in identifying systems that need to be protected, legacy systems are phased out, and ensuring access control rules are in place.