October had no shortage of reminders to protect against the number of frequency of data breaches, especially in terms of customers’ personal data or payment details from water utility billing systems. Of greater consequence than loss of individual financial information is protecting the quality and resiliency of water supplies. External threats get more than their share of attention. However, the primary causes of data loss are internal, mishandling of data and overlooked aspects of security compliance. Let’s consider some essential elements to prioritize:
Data Access Control
As water distribution systems increasing rely on elaborate SCADA and operations technology, cybersecurity becomes a part of every employee’s job – but employees have different jobs and different skills. KISTERS’ integrated process control software enables IT administrators to assign data access privileges on extremely granular levels. Some roles may only need read-only capabilities, while another group is tasked with importing, validating and perhaps editing data. The distinction of individual or group rights may also limit access to specific datasets in order to generate water quality compliance reports, or drive automated workflow processes.
Appropriately matching user needs and privileges discourages insider attacks, which may result from excessive privileges. Supervisors as well as system administrators may periodically review access logs for usual digital behavior, such as logins during odd times or from unexpected locations. The same tools for configuring and applying QA/QC rules to assess water quality data and trigger notifications can be used to detect anomalies in employee access. Note: To ensure data system resiliency, we recommend training local IT administrators to be able to perform manual backups and system restoration procedures although KISTERS’ systems have automatic and reliable backup processes with failover and redundancy features.
Web Application Security
The best technology meets critical needs, but security must be integrated from the beginning of design. It cannot be an after-thought. All KISTERS’ web applications have been developed under consideration of the OWASP Top 10 guidelines, or consensus among global security experts to minimize the most critical risks to open web applications and produce secure code that supports informed decisions. Features include defense against injection attacks as well as cross-site scripting (XSS), in particular. Data sanitization and input validation are key to prevention. Other features include only reaching web applications via the secure HTTPS browser protocol and further equipping the proxy server with tools that detect and defend against attacks. Data transfer is usually done via Transport Level Security (TLS) certificates that encrypt information. In addition, leveraging the API manager can defend against denial-of-service attacks, unintended use or misuse of API consumers. Over time, KISTERS’ applications benefit from multi-tiered software architecture and have successfully resisted multiple penetration and security tests executed by external companies.
Vet Outsourcing Partners
As you assess the risks your drinking water system faces from outdated infrastructure, manual processes, Excel-based or fragmented data management, a cultural change may be needed. Cybersecurity isn’t only an IT issue. It’s for everyone because they often share the same water supply. While young professionals are eager to help sustain the water industry, water utilities may still find it hard to recruit tech-savvy professionals. If you’re thinking about outsourcing data hosting and cyber security services to minimize potential threats, consider private-public partnerships.
United we stand; divided we fall. Amazon Web Services, Microsoft Azure, and KISTERS’ Data Centers have been awarded ISO certification to assure clients the latest security protocol requirements are met. Data privacy is of utmost importance. KISTERS’ hosted systems are run as independent solutions in the client’s data center of preference, with a guarantee that only a client’s users may access the system and data. Each client maintains exclusive rights to its system and data. Other benefits of third-party hosting include 24/7 system performance and breach monitoring, regular software / patch updates, as well as integrated services offerings such as open data web portals like the U.N. Global Environmental Monitoring System water quality portal for water assessments and capacity building initiatives.
Although National Cybersecurity Awareness Month has ended, efforts to protect the quality of drinking water and associated data systems should continue long into the future. Prevent against internal threats by properly delegating systems and data access rights to staff, using the OWASP Top 10 to quickly assess the security of web applications, train employees at all levels to take cybersecurity serious and consider the value-added by outsourcing services as needed.