
Water supply remains “too weak” in terms of cybersecurity


The stunning Thai islands made famous by the Hollywood film The Beach are facing severe water shortages following a heatwave that has hit Asia – Copyright AFP Mladen ANTONOV

In the United States, the Environmental Protection Agency (EPA) recently issued a water system security alert highlighting the acute cybersecurity threats and vulnerabilities facing municipal drinking water systems.

Howard Goodman, Technical Director at Skybox Security, spoke to Digital Journal about the critical issues related to the OT/IT cybersecurity gap.

According to Goodman, the key word is “update”: “EPA’s recent advisory on cybersecurity threats to water utilities highlights a pressing problem: the gap between operational technology (OT) and information technology (IT). This gap has not only exacerbated vulnerabilities but also increased the attack surface, making the task of achieving comprehensive visibility and control more difficult.”

The scale of the problem appears to be significant, Goodman notes: “Disturbingly, EPA inspections have found that over 70 percent of water systems do not meet the cybersecurity standards required by the Safe Drinking Water Act.”

The Safe Drinking Water Act (SDWA) is a U.S. law designed to establish a minimum standard for water quality. The law was originally passed by Congress in 1974 to protect public health by regulating the nation’s public drinking water supplies.

In terms of implementing corrective actions, Goodman recommends, “Addressing OT/IT convergence in these utilities requires a robust, multi-pronged strategy. First, improving security management by integrating advanced threat detection technologies is critical.”

There are other benefits: “These technologies enable real-time monitoring and rapid response capabilities. Second, automating compliance processes ensures consistent adherence to regulatory standards, reduces the risk of human error and improves efficiency.”

In terms of additional measures, Goodman advises: “In addition, promoting a unified security framework requires comprehensive network modeling that can provide a holistic view of both OT and IT environments. This approach helps identify and mitigate potential security gaps. Organizational silos must be broken down to eliminate security blind spots; a collaborative culture is essential for effective cybersecurity.”

For longer-term solutions, Goodman suggests: “Finally, it is essential to optimize remediation strategies beyond traditional patch management. Using advanced techniques such as behavioral analysis and predictive maintenance can significantly reduce downtime and improve system stability.”

These should lead to robust preventive measures, says Goodman: “These measures are not just precautionary; they are essential to strengthening the resilience of critical infrastructure to the evolving landscape of international cyber warfare. Proactive and integrated cybersecurity practices will be critical to protecting our water utilities and ensuring the continuity of essential services.”