Building a Cyber-Resilient Water Future

A criminal cyber-attack on a UK water company in August 2022, which saw hackers gain access to customer banking details, led utilities to urgently reassess cybersecurity strategies. In this Q&A, Philippe Willems, engineering manager at Ovarro, discusses the enduring challenge for the water sector and what it means for suppliers.
Building a Cyber-Resilient Water Future

TBox - Cybersecurity platform Claroty performed testing on Ovarro’s TBox RTU in 2021 (Image source: Ovarro Ltd.)

What are the biggest cybersecurity threats facing the water sector today?
The biggest cybersecurity hazard for water companies, and for all critical infrastructure companies, is an attacker taking control of their IT or OT [operational technology] systems to steal data and block or disrupt operations. Risks stem from water companies still using legacy systems which were installed many years, if not decades, ago.

These systems have minimal, if any, cybersecurity features and present a huge digital attack surface – this means there are many pathways an attacker can take to gain unauthorised access to a computer or network.

Protecting insecure legacy infrastructure can seem like a daunting challenge. The main task for water companies is to update or protect their existing systems. This requires a detailed analysis of their OT network vulnerabilities, before establishing an initial plan to protect the most vulnerable entry points for attackers.

Who is behind water sector threats and attacks, and what are their motives?
There are three main attacker types. Hackers who do it for the sake of doing it - they are perhaps the least concerning. Then there are the attackers who want to block access to computer systems using malicious software, such as ransomware, until a sum of money is paid.  The most dangerous and under-the-radar, unnoticed threat comes from state-backed attackers trying to gain access to water companies, and other critical infrastructure, in what is called cyber-warfare.

What steps should water companies take to protect their systems from attacks?
First and foremost, companies must undertake a full assessment of their security systems. The correct steps can then be taken to protect these systems. Actions may include replacing existing unsecured devices with cyber-secure devices, by using firewalls, or by segregating IT and OT networks, to ensure any access routes to critical operational networks are blocked to unauthorised users.

How does Ovarro, as a supplier, maintain awareness of emerging threats to your own systems?
As a supplier, we are in the process of obtaining IEC 62443, an international series of standards published by the International Electrotechnical Commission (IEC) that address cybersecurity for operational technology in automation and control systems. This includes not only the certification of our devices but also of our processes and procedures.

We receive security advisories from the Cybersecurity & Infrastructure Security Agency (CISA) about the software components we use in our devices and if we are affected, we publish a security advisory with a description of the fix or workaround we have implemented.

In the UK, Ovarro has joined the Industrial Control System Community of Interest (ICS COI), hosted by the National Cyber Security Centre, to further drive compliance and cutting-edge cyber security into products and practices.

How important is collaboration between water companies and their supply chain partners on this issue?
Water companies and the supplier community must use the same standards:

  • IEC 62443-4 for devices
  • IEC 62443-3 for integrators
  • IEC 62443-2 for owners of systems

This is a key concept of IEC 62443 - companies like Ovarro can provide certified devices, but these devices must be correctly installed and configured by the system integrator. Then the owner, in this case the water companies, must enforce best practices from their employees and other authorised users. If any of these practices are not implemented correctly, the cybersecurity of the whole system will be vulnerable to attacks.

In 2021, industrial cybersecurity platform Claroty performed testing on Ovarro’s TBox remote telemetry unit (RTU) and detected vulnerabilities. How does Ovarro manage vulnerabilities such as this when they are detected?
Any vulnerabilities found by cybersecurity companies are corrected and new versions of our software are released. If there is no correction possible, we establish a workaround. On very rare occasions, we may recommend our customers do not use the affected feature to eliminate risk.

If vulnerabilities are detected, we publish detailed security advisories to inform our customers of technical details and mitigation information and direct them to software updates and workarounds.

For Ovarro, how important is external product testing?
Thorough testing, including by external specialists, is vital. Ovarro carries out multiple stages of testing. The systems are tested in-house first, by engineers in charge of the development, then by a dedicated team assigned to software tests. We also provide beta versions to selected customers who help us to test the systems in real-world situations. Finally, we work with cybersecurity specialists for penetration testing.

Looking forward, is the scale and complexity of cyberattacks against the water sector likely to increase?
Unfortunately, yes, it is a never-ending game. Attackers will always find new ways to penetrate systems and companies are continually assessing how difficult it be to attack their system and how much money it will cost to protect them to an acceptable level.

However, alongside this, the technology to tackle threats is developing at a fast pace and is moving towards being fully automated, driven by artificial intelligence, including machine learning. Of course, robust security cannot be achieved through hardware or software alone, but through a joined-up strategy, comprising people, policies, products and procedures.

Ovarro ensures its products are protected from threats through a continuous process of learning, monitoring and updating. The TBox RTU, for example includes a firewall and can be used to protect downstream devices in the field and to forbid unauthorised accesses and protocols from upstream.

In addition, a VPN is available to add a cybersecure layer of protection.

Source: Ovarro Ltd.

More articles on this topic

Pinpoint Leak Detection on Plastic Pipes Now Possible

23.05.2024 -

As plastic water networks replace ageing Victorian mains, leakage detection methods are also evolving, writes Barbara Hathaway, Ovarro’s technology leader for leakage solutions. Major upgrades of ageing water mains are being planned across England and Wales between 2025 and 2030, as part of utilities’ commitments to cut leakage by more than a quarter.

Read more

Data-Driven Blockage Detection Cuts Pollution

15.05.2024 -

Anglian Water has applied Ovarro’s data-driven early-warning technology across all rising main sewers, meaning bursts and blockages are detected before serious pollution occurs. Anglian Water pledges in its 2025-2030 draft business plan to eliminate serious pollution and reduce total number of pollution incidents by 40%, with a strategy that includes bringing in machine learning.

Read more

Davao City Moves to Fixed Network Leakage Monitoring

26.02.2024 -

Installation of 320 Ovarro remote correlating loggers has taken place in Davao City in the Philippines, with a major leak detected just days later. The volume of water saved means a large-scale project to construct a new production well can be put on hold. Davao is the largest city on the island of Mindanao and the third largest in the Philippines. With a rapidly increasing population, the city is considered one of the country’s fastest economic growth areas.

Read more

Smart Platforms Enabling Faster Leak Detection

15.02.2024 -

Using cloud-based platforms for more efficient leak detection will be the subject of an Ovarro presentation at the Philippine Association of Water Districts (PAWD) annual convention. Channel manager Craig Abbott will highlight Ovarro cloud solutions that analyse network noise to provide actionable information for leakage reduction.

Read more

Update Gives Insights into Non-acoustic Leak Technologies 

08.02.2024 -

Technology company Ovarro has partnered with UK Water Industry Research (UKWIR) to update the sector on advancements in non-acoustic leak detection techniques. The update provides an overview of the current non-acoustic methods that have been trialled and deployed since 2016, when a first iteration of the study was published, and their relative cost and effectiveness. The report identifies successful applications, potential deployment pitfalls and best practice guidance for trials.

Read more