In this final post on cybersecurity in the water utilities industry, we’ll look at remaining areas of interest that center around information and communication. It’s evident by this point that lack of knowledge is one of the greatest threats to infrastructure security. The more awareness an organization has, the simpler it is to take the necessary steps to create an environment that is resistant to cyber threats.
Who needs to be educated about security practices, policies, and procedures? Internal employees are at the core of any training program. But clients and service providers shouldn’t be overlooked. Any third party that is involved with PCS systems or other vital technology should be aware of potential risks. SLAs should include relevant certifications. As a whole, the water utility should participate in water sector programs that are designed to identify and implement best practices.
Here are a few of the other actions that the AWWA recommends in terms of education:
- Regular testing of security procedures to evaluate security awareness and incident response
- Cross-training for IT and PCS staff so knowledge is shared and potential gaps in security can be more readily found
- Training for all staff to identify common risks and threats such as social engineering
- Communications training (network & radio) for PCS technicians to ensure proper, secure communication and crisis response capability
From hiring through termination—and even after—employees and contractors can hold the keys to cybersecurity for an organization. Ensuring that each worker has only the access level required to accomplish their assigned duties is an important aspect of personnel security. Network and facility access should be set up for immediate, automatic revocation upon termination so that no unauthorized individuals are able to infiltrate the system after leaving the organization.
Vetting prospective workers prior to hiring may help spot red flags and at-risk candidates. A formal (standardized) background check process should be implemented for each level of responsibility within the agency. All new hires should also be required to sign appropriately worded confidentiality and cybersecurity policies. Such policies should be reviewed and signed again annually by all workers.
That’s it for our Water Utility Cybersecurity series. We hope you have found this overview helpful. For more information on keeping your facilities and workers safe, contact DKF Solutions for a consultation.