Exclusive: Protecting water supplies against growing threats

February 19, 2021

Lucas Young of Axis Communications explains the measures necessary for effective protection of water reserves against potential attack.

Drinking water supply systems are among the most important elements of our critical national infrastructure and require physical protection to guard against threats that are ever evolving in seriousness and complexity. Tampering with water quality or inflicting damage to pumps and purification systems could have devastating effects, potentially causing widespread illness and loss of life. With the UK’s terrorism threat level having been upgraded from substantial to severe, the most stringent measures are now required to mitigate the increasing risk. The UK government aims to work closely with water companies to ensure that security becomes a crucial focal point to be addressed through a range of measures.

As increased automation and connectivity reduce the scope for standalone or manual operation of the water supply, the UK’s Department for Environment, Food and Rural Affairs (DEFRA) outlined its vision for 2017-2021 of a ‘secure, effective, and confident sector, resilient to the ever-evolving cyber threat’. The ‘Water Sector Cyber Security’ strategy is designed around protecting and developing ‘strong preparedness to respond to emergencies’ and securing both information technology (IT) and operational technology (OT) systems. However, with 2021 fast approaching, many water companies across the UK have yet to complete the necessary security upgrades and processes that will enable them to effectively respond to a cyber-attack.

Systems and partnerships to protect sites

If the water sector is to work as one, then standardisation across the estate is essential. With the UK water industry still currently seeing sites working in isolation, inadequately guarded remote water reserves and inferior consumer grade technologies are potentially left vulnerable to attack. Adopting appropriate measures – such as the installation of enterprise grade security systems – and working closely with trusted partners to proactively guard against attacks will be crucial. As the Centre for the Protection of National Infrastructure (CPNI) has warned, the consequences of failing to formulate a strategic security vision and investment in appropriate measures to mitigate the risk can be costly.

With new threat vectors placing mounting pressure on water companies, it’s important to continuously risk assess types of attack and the resulting protective measures required. For example, attacks may not come from a single point, but from multiple means; an approach which combines cyber-attack with a marauding physical assault can create panic and disorientation whilst limiting the effects of any crisis response. The compromise of information technology systems could lead to the theft of valuable data, while the control and sabotage of OT systems directly related to the quality and quantity of the water supply have the potential to put many lives at risk.

Protecting water: A multi-layered ‘defence-in-depth’

Modern solutions to guard and detect can be customised from site to site depending on requirements, with a combination of traditional intrusion detection measures and the latest cyber-secure physical security technologies resulting in a robust system. An example of such a solution might include surveillance cameras with onboard analytics, geophone acoustic vibration sensors, infrared motion detection, access control devices and a VMS providing alarm verification, ensuring effective physical security of assets and operations. This multi-layering of different measures, commonly referred to as ‘defence-in-depth’, ensures that security is not significantly reduced with the loss of any single layer.

Simon Tuke, Senior Manager Asset Protection at Thames Water, commented: “We recognise that water is an important part of our critical national infrastructure and each site must be protected using the best tools and technologies available. Any attempt to sabotage our water supplies could have catastrophic consequences, so ensuring high levels of physical protection across all of our sites is of critical importance. Of course, when seeking to roll out such solutions it’s essential that we look at devices that have a hallmark of quality and are themselves deemed to be secure from a cybersecurity perspective. A security system is only as strong as its weakest link and it’s imperative that these systems are not left open to attack, compromising the physical security of a site or multiple sites.”

The importance of effective cybersecurity

As with all technology, there are inherent risks when improperly secured IoT devices are installed on a network. For example, network surveillance cameras which are not cyber secure can be used as a backdoor to gain access to the IT network – this can be either from an insider threat or a remotely triggered assault. Consumer grade security technologies might appear to offer adequate protection, but in reality, they can come with none of the assurances around quality of manufacture or adherence to cybersecurity principles. Secure technologies, built with cybersecurity considerations at the forefront, should form an essential part of any enterprise asset protection strategy.

The water sector should look for guarantees when partnering with the providers of such technologies, such as Secured by Design or Secure by Default, an accolade awarded by the Surveillance Camera Commissioner (SCC), and Cyber Essentials Plus. These offer evidence of operation in accordance with advanced security principles, aligned with regulation and best practice. From a network perspective, the success of the IoT should not be hampered by weaknesses in physical systems, which should be secured at every touchpoint and against unexpected vulnerabilities. There is a requirement for water sites to harden their security networks, locking down exposed connections to reduce access to IP-based Industrial Control Systems (ICS). Automating the 24/7 health and cybersecurity monitoring of devices adds a further layer of cyber protection.

Collaboration with trusted partners and vendors

Through trusted relationships with partners and vendors, the UK water sector can ensure that it has smart and effective cyber-secure solutions in place. Whether the threat takes the form of small-scale criminal damage or a larger-scale cyber-attack, a converged approach, whereby water providers (following the guidance of government) form trusted partnerships with reliable vendors of high-quality security systems, is the best line of defence.

Such partnerships will enable vulnerabilities to be addressed and resistance to be maximised across all sites. Regulations such as the GDPR, as well as the NIS Directive, are placing more onus on industry sectors to demonstrate security understanding and compliance, and to ensure the integrity of their systems. A scalable, future-proof solution, backed by the full support of a trusted partner as well as government guidance, will create a united front against the next generation of attack.

Find out more information about Axis Communications by visiting: https://www.axis.com/en-gb

This article was originally published in the February 2021 edition of Security Journal UK.