Water management and cyber security management

Cyber security is of great importance to the water management world. Many water authorities and boards are working hard to raise their cyber security level. Conforming to the BIWA-standard and preparing for the Dutch cyber security legislation are top priorities. How will water sector companies handle cyber security?

Hudson Cybertec, a worldwide cyber security solution provider in the Operational Technology (OT) domain, has noticed that many companies in the water sector are struggling to implement cyber security for their primary processes. Adequate cyber security knowledge is often lacking, which results in insufficient policies and in OT networks that are focused on functionality. “Cyber security is still inadequately managed,” says Marcel Jutte, managing director at Hudson Cybertec. “We often speak with various water sector companies and have noticed that there is a great need for help.”

Add structure

A structured approach is required. Just picking up some of the security matters and improving on them does not add structure and is unmanageable in the long term. The first step in improving cyber security is to know where the organization stands today. A cyber security assessment gives a clear overview of the current state of cyber security. All important factors need to be included, which means attention is required for people, process and technology. Jutte: “We have a lot of experience with cyber security assessments, for which we use the IEC 62443 standard. Herein all three factors are extensively discussed. Customers see, due to our holistic approach, that they can greatly improve on multiple fronts in their cyber security.”

IEC 62443

IEC 62443 is the worldwide de facto standard for cyber security in Industrial Automation & Control Systems (IACS), also known as the OT domain. A security assessment performed according to this standard provides a clear view of the matters on which water authorities need to act. For example, an assessment performed at a water authority clearly showed a very low conformance to IEC 62443. That is not surprising in itself, since the organization was not yet actively working according to the standard. What did become immediately obvious, however, was the enormous gains the organization could achieve on process, technical and people factors.

Smart choices

Making smart choices allows a water authority to take important steps in cyber security even on a limited budget. On the advice of Hudson Cybertec, the choice was made to update the security policy and implement network segmentation according to the zones & conduits model of the IEC 62443 standard. In the following years, new choices can be made, and the earlier choices will still be managed.

Pentest the OT

Every company in the water management world is unique, so the approach differs per company. At another water company, a combination of different pen tests was performed to show just how vulnerable the OT infrastructure is. Several vulnerabilities were quickly found during these controlled pen tests, performed in the live environment as requested by the water company. Jutte: “Everyone within the OT organization was informed and on stand-by; this allowed the pen tests to be performed in the production environment. The goal was to see if it was possible to intrude in the systems. This resulted in various serious vulnerabilities being found.” Based on this, recommendations were made, and action was immediately taken to improve cyber security.

IACS Forensic Readiness

Companies need to be prepared for when an incident occurs. They should be able to view what is happening on the network at all times. The importance of forensic data is increasing within the IACS (OT) domain. The upcoming Dutch cyber security legislation requires parties to provide insight into matters, and it is of great importance to be prepared for that. IACS Forensic Readiness ensures that organizations can secure the data necessary for a forensic investigation, for example to determine the cause of an incident or, if any, who caused it. “Other critical infrastructure sectors have shown interest in our expertise,” Jutte mentions. “The demand for forensic readiness has also been increasing in the water management world.” One could think of preventive design, maintenance and operation of the necessary infrastructure in order to facilitate incident response, monitoring and detection, logging, and the management and maintenance of back-ups.

Managed services

Hudson Cybertec unburdens its clients as much as possible. “Our clients are our partners. The mutual trust with our partners allows us to fully unburden them,” Jutte continues. “The goal for our managed services is to make cyber security as accessible and approachable as possible.” Companies whose core business revolves around water management or drinking water can keep their focus on their primary process this way.

They can also benefit from the specialization of Hudson Cybertec: cyber security for Industrial Automation & Control Systems. While demand in general is increasing, Jutte sees an increase in demand for specialist support: “We know what is going on, due to our experience, in the OT environments of drinking water companies and water authorities, including the security challenges with which they have to deal. Because of this, combined with our cyber security expertise in the OT domain, water sector companies ask for our help. We unburden water sector companies by managing their cyber security. But the water management itself, we leave to them.”

In the spotlight

Monitoring your OT environment is essential. You know what is happening on your network and see to what extent you are compliant with various cyber security standards and laws and regulations.

IEC 62443 Standard

The IEC 62443 standard offers your organization tools to improve the digital security and safety of your IACS environment. Implementation of the standard improves the cybersecurity level of your organization's OT / ICS / SCADA environment.

The IEC 62443 is the international cybersecurity standards framework for operational technology (OT). The framework consists of a collection of standards, technical reports and related information for securing Industrial Automation and Control Systems (IACS).

Hudson Cybertec’s IEC 62443 Competence Center has extensive experience with this standard. We play an active role in the development of the standard, actively promote it internationally and have developed a training program around the IEC 62443.

It is becoming increasingly important for organizations to be able to demonstrate that the digital security of the OT environment is in accordance with standards frameworks. It is therefore possible to certify (parts of) your IACS environment according to IEC 62443.

If you want to know more about this standard and need training on how to apply it within your own organization or at your clients, Hudson Cybertec has a number of very interesting training courses for you.

The IEC 62443 standard provides organizations with tools to improve the digital security and safety of OT / ICS / SCADA environments.
