The Future of Cybersecurity: Preparing for Current and Future Threats
By Andrew Ohrt, Resilience Practice Area Lead, OTCR
Cybersecurity is as hot a topic in the water sector as it has ever been. The White House, National Security Council and individual State Agencies are hyper focused on attempting to issue guidance and requirements to spur action amongst water and wastewater utilities who, in their determination, are in the crosshairs of multiple threat actors. Even some of the popular podcasts that I listen to regularly are highlighting the reports of extensive vulnerabilities of utilities in our sector. When my professional practice merges with the zeitgeist, I have to take a step back and really consider my perspective on the headlines.
As a member of the West Yost team for over 5 years, I have had the unique opportunity opportunities to support the widest range of water utilities, from Tribal Nations to some of the largest in the country while also working with Idaho National Laboratory (INL) and Federal partners with cutting edge cybersecurity projects. West Yost was the first Consequence-Driven, Cyber-Informed Engineering (CCE) methodology licensee and continues to work with INL as Certified National and Homeland Security Trainers and in support of Cyber-Informed Engineering (CIE) initiatives. We believe that CIE is the best approach to building cyber-resilience for any organization with an OT (e.g. SCADA) system. CIE can appear daunting at first. However, we have boiled it down to three initial questions each water utility should ask themselves when considering their CIE maturity:
- Are your systems designed and implemented to support response and recovery operations in the absence of automation?
- Are your staff ready to implement response and recovery operations in the absence of automation? And have they practiced these capabilities?
- Do you have cyber-physical protections in your engineered systems to prevent accidental and intentional damage?
If the answer to these is “I don’t know”, consider an A Day without SCADA® exercise. During the exercise the teams responsible for both the SCADA system and maintaining operations have an opportunity to work together to respond to a simulated cyber-incident. We have found that this is an excellent operations-focused exercise for utilities to begin their CIE journey. In addition, we have found that conducting CIE reviews of engineering projects in-flight is an excellent way to catch potential issues before designs are even finalized. If the answer is “no” then it may take some time to “unwind” some of the operations and engineering decisions that have been made in your organization. If the answers are an unequivocal “yes” then immortalizing these practices in engineering specifications and policies is critical to maintain them as time passes and generations of new staff join your organization.
At West Yost we have the privilege to work with some exceptional water and wastewater utilities and thought-leaders across sectors.
At West Yost we have the privilege to work with some exceptional water and wastewater utilities and thought-leaders across sectors. This has led me to wonder – is it possible that our clients have a healthy user bias (i.e. they are taking it seriously through investments and improved practices) as far as cybersecurity practices go, and skewing my perspective? I believe this may be the case. However, it also shows that water utilities can 1) successfully build cyber-resilience and 2) the sky isn’t falling for our sector.
The upcoming America’s Water Infrastructure Act of 2018 (AWIA) Risk and Resilience Assessment requirements are coming back around in 2025-2026. In the last five years, there has been a growing recognition of the cyber-physical risks to water systems by malicious actors.
The upcoming America’s Water Infrastructure Act of 2018 (AWIA) Risk and Resilience Assessment requirements are coming back around in 2025-2026. In the last five years, there has been a growing recognition of the cyber-physical risks to water systems by malicious actors. CIE directly addresses these risks in ways other cybersecurity methodologies do now. AWIA provides an excellent opportunity to explore cyber-physical risks to our water systems and how CIE may be used to build cyber-resilience in the face of ever evolving current and future cyber-threats.
We look forward to sharing more in the future on our approach to helping our clients build cyber-resilience. Please stay tuned and stay vigilant.
Further Reading:
- Wright, Virginia, Andrew Ohrt and Andy Bochman. Engineering Cybersecurity into U.S. Critical Infrastructure. Harvard Business Review. https://hbr.org/2023/04/engineering-cybersecurity-into-u-s-critical-infrastructure – Ohrt, Andrew et al. Engineering Cyber-Physical Resilience. Journal AWWA. May 2021.
- Idaho National Laboratory. Cyber-Informed Engineering Implementation Guide. August 2023. https://www.osti.gov/biblio/1995796.
By Andrew Ohrt, Resilience Practice Area Lead, OTCR
Andrew Ohrt, PE, CISSP is a water sector resilience specialist, with a focus on cyber-resilience. In addition to leading West Yost’s Resilience Practice, he also oversees our partnership with Idaho National Laboratory and the American Water Works Association to implement Cyber-informed Engineering (CIE) in the Water Sector. Andrew has led numerous initiatives, including supporting clients’ compliance efforts with the America’s Water Infrastructure Act of 2018. Over his career he has led over 50 risk and resilience assessments and numerous related cybersecurity and emergency preparedness projects. Through West Yost’s partnership with INL and AWWA he has helped shape cross-sector and water-sector guidance since 2019. In 2023, he coauthored a Harvard Business Review article entitled Engineering Cybersecurity into U.S. Critical Infrastructure.