With the water industry embracing new technologies, cyber security threats are an unfortunate reality. WASA talks to Johan Potgieter, cluster industrial software leader, Schneider Electric, about securing water operations.
How can the water industry protect itself against cyber security threats?

JP: Your first line of protection is the people working for or contracted to water services authorities (WSAs), companies and municipalities. Are they aware of cyber security threats? Have they received cyber security training? To illustrate the importance of cyber training, there was a recent case in Saudi Arabia, where an oil company underwent a series of penetration tests. The company’s network and software managed to thwart all attempts. As a last resort, a person handed out USB sticks (that hosted a virus) to the company’s employees and managed to infect computers with malware. Within minutes, the company was penetrated.

The next line of protection is processes, such as the way in which the network is maintained, how backups take place, types of vendors used and password management. Lastly, technology (such as firewalls and software) is used as a line of protection.

When should an entity start implementing cyber security measures?

Immediately. Data is a valuable asset for any company, so whether your company is entirely paperless or still stores data on paper, that data must be protected. It is important to consider what technology a company plans to adopt in its digitalisation plans going forward, but it is even more important to secure a company in its current situation. Cyber security will adjust as a company reaches digital maturity. It is far more cost-effective to adopt cyber security measures in the early phases of a business.

What is Schneider Electric’s approach to cyber security?

Schneider Electric works on three levels, starting at the bottom layer and working up to the cloud:

- Connected products (hardware that connects to a SCADA system or the cloud) Here, cybersecurity measures would be implemented to prevent unauthorised people from controlling the drive.
- Edge control (data storage, SCADA system) Routers, switchers, software, user security enablement and two-factor authentication can be implemented.
- Apps and analytics (cloud platforms) Gateways, and protocol secure connect can be installed.
Before proposing a cyber security solution, we always start with an assessment to understand a client’s needs. Cyber security can be daunting due to the vast number of available products. We evaluate a client’s network, system architecture, policies and procedures, industry compliance, risk assessment, security assurance level and a gap analysis.
The next phase is the design phase, where a small cyber security agenda programme is developed and we list projects that need to be implemented, their cost and duration. Step three is the implementation phase that covers an entity’s procurement, staging, system, commissioning, end user training, hardware and software, backups and data loss prevention. From there, Schneider Electric will continue to partner with the company, monitoring the cyber security policies and programmes in place as well as making sure that all systems are up to date and tested regularly and employees are regularly trained.

What misconceptions do companies have regarding cyber security?

The first misconception is that an entity is too small to implement cyber security measures. Small-sized entities are prone to data loss, business disruption and intellectual theft. The next misconception is that only IT should have cyber security. The water industry is increasingly relying on operational technology (OT) like sensors, PLCs and SCADA systems, and OT is being connected to IT. OT assets have a long life cycle of several years or more, and their underlying operating systems tend to be more dated compared to IT assets, which are routinely updated and replaced. This makes them particularly vulnerable to attacks that arise from IT issues, as the OT system could contain software loopholes that have not been patched.

How does Schneider Electric stay up to date with evolving cyber security threats?

We have developed strong partnerships with various companies such as Fortinet. Schneider Electric also has a dedicated cyber security business unit that constantly updates all software and tests for potential threats. There are 3700 engineers and cyber security specialists worldwide that constantly monitor and test our systems and our clients’ systems against cyber security threats.

Watch: https://www.linkedin.com/feed/update/urn:li:activity:6980823373115260928