Attacks on critical infrastructure such as water systems have been increasing since the pandemic.
A survey conducted in the U.S. by the Water Information Sharing and Analysis Center (Water-ISAC) and the Water Sector Coordinating Council includes responses from more than 606 water and wastewater utilities, representing the approximately 52,000 community water systems and 16,000 wastewater systems.
Many of the water utilities, especially in rural communities, have disadvantages. They struggle to maintain and replace infrastructure, maintain revenues while addressing issues of affordability, and comply with safe and clean water regulations.
When it comes to specific cybersecurity challenges, more than 60 per cent of water utilities say they have not fully identified IT-networked assets in their networks, and only a little more than 21 per cent of those utilities said they are working to do so. Furthermore, roughly 70 per cent said they have not fully identified all operational technology networked assets, and fewer than a quarter are working to do so.
The respondents reported their top challenges were minimizing control system exposure, assessing risks and identifying hardware or software vulnerabilities.
Only four organizations confirmed a breach of their IT or OT systems in the past year, while dozens responded they were "not sure" if they had experienced an incident.
Returning to work with devices that have been out of the office for over a year now is just as risky as sending employees home with office devices. The bad cybersecurity habits of employees working remotely put companies at huge cybersecurity risk.
Businesses need to understand when, and why, people make mistakes so they can take action right away and prevent those mistakes from turning into data breaches.
Hackers are manipulating human behaviour. They are taking advantage of people's insecurities and emotions to trick them into clicking on and opening items such as messages or photos. Once the item is clicked on, ransomware is downloaded and takes over the device.
Very few employees report cybersecurity mistakes. Over a quarter of employees admit to making mistakes that compromised company security while working from home.
Create a company culture that gets people to work securely and allows people to speak up about mistakes.
Know your biggest vulnerabilities and build a strategy keeping your employees in mind.
Security is a business-critical issue, so ensure that the company's IT and security leaders are involved in business reopening decisions.
Improve company security by encouraging long-lasting behaviour in employees. Tailor exercises for specific departments, provide tools to make smart decisions when there is a threat, and don't approach security training as a punishment.
New research (McKinsey & Company) shows that there is no direct correlation between cybersecurity spending and the success of a program. Government and companies need to leverage new resources to fix cybersecurity issues.
Cybersecurity threats are not specific to certain sectors. Cybersecurity teams across sectors need to collaborate on talent, training, and solutions to work together to prevent attacks. By developing such a process of collaboration between the public and private sectors, the federal government can simultaneously scale its cybersecurity workforce.
Practice makes perfect. Providing the most up-to-date resources to upskill existing teams is a critical component of building a robust defense. The federal government will never get ahead of the vastly growing threat landscape until more than just additional funding is offered as a potential solution to the persistent issues plaguing the industry. The best defense is a strong offense and the federal government must start setting an example for others to follow.