A Practical Case for Prioritizing Utility Cybersecurity

COMMENTARY | Utility leaders are behind the curve in cybersecurity policies and practice that will protect states and localities. It’s time for that to change.

Utility leaders, do you want the blame for a cyber incident that knocks out a city’s critical infrastructure, hands over control of a dam, or harms the general public?

Do you want to be the next high-profile victim of a ransomware scheme demanding the payment of millions of dollars, or else lethal damage will ensue to the utility’s operations and your reputation?

Do you want a simple user error or outdated piece of IT equipment to leave your organization vulnerable to hacks, or worse, active attempts to poison a community’s water supply? 

From my own experience working with water managers for over a decade, I know that the answer is a resounding no. But with intensifying skills on the hacker side and aging IT infrastructure on the utility side, becoming a negative headline could be one keystroke, failed application upgrade or credential theft away.

The Stark Reality Facing Utilities

In today’s vast and ominous cyberthreat environment, utility cybersecurity is not just an IT problem. It’s a systemwide issue with potentially massive business, financial, public health and safety implications. 

As utility-focused ransomware incidents in Florida and Texas illustrate, no one is immune and the next attack could always be worse. Utility executives and IT leaders are becoming increasingly aware that they need to operate like their organization could be next. Not because it’s a best practice, but because they might, in fact, be next.

While the Biden administration rolls out a federal cybersecurity framework complete with suggested performance goals for critical infrastructure, the practical accountability remains squarely on local and state utilities to improve IT security and make adjustments that fit the context of their services (e.g. water, waste or electricity).

Another stark reality is that utility budgets and staff commonly lack bandwidth to dedicate to cybersecurity that mitigates rapidly evolving threats like email hacks, ransomware attempts and remote network infiltrations. 

Meanwhile, the days of trying to integrate a dozen different IT systems requiring 6,000+ pages of documentation submitted over 24 months to navigate procurement red tape ramble on. This dated, time-guzzling approach to utility IT needs to catch up with the times. There’s simply too much at risk in this cyberthreat environment.

Additionally, amid a rapid market shift towards end-user-led product sales (known in the sector as product-led growth), the IT landscape is speeding into the future—with or without your government IT manager’s approval.

Cybersecurity Best Practices

Drawing from my career designing, procuring and implementing massive IT systems for water utilities, the best approach to improve cybersecurity efforts for utilities is to conduct the following: 

  • Educate your workforce on the risks of dodgy or outdated software. There are countless examples of cyberbreaches that occurred because regular software updates were not maintained. These examples should make for an engaging dialogue (not a one-sided scolding).
  • Establish an amnesty-like program for employees to reveal any software applications they know or use in the utility ecosystem. This allows you to become aware of every IT system and piece of hardware in use by staff and stakeholders. And by using the carrot versus the stick, you get better results. 
  • One way to successfully structure this program is to offer a quick security check of all software your colleagues use without mandating they change it right away. This should be a regular process throughout the year rather than a one-off practice, which allows you to ask for the complete list more than once because new or different software could creep in mid-survey.
  • Conduct an audit of systems to locate both critical and potential gaps in IT security.
  • Make a risk-oriented digital transformation plan that outlines why system upgrades are necessary and underscores the urgency for governing boards, executive teams, employees and other stakeholders. Some 58% of water utilities have launched such plans which include cyber elements.
  • Prioritize software with multiple offerings in a single platform. This limits risk in integration. But a word of warning: check under the hood. Ask questions like: Is this software truly integrated, or just a mishmash of random products purported to be one system?

The key here is time. As counterintuitive as this sounds, perfect is the enemy of good. Utility leaders need to rally in-house IT staff around moving quickly and sharing notes so they can learn from each effort and each other along the way.

Cybersecurity Requires IT Modernization

The utilities leading the way in cyber efforts have embraced digital transformation efforts and invested in cloud-based software to help isolate security gaps while mitigating broader risks. It is time for the industry as a whole to catch up:

  • Launching systemwide efforts to modernize infrastructure and replacing legacy and underperforming software with solutions built to address modern issues like ransomware or credential theft.
  • Communicating why it’s important to upgrade systems and provide employees with training (if necessary).
  • Embracing a utilitywide culture of IT best practices focused around adding a systemwide layer of cybersecurity.
  • Making regular assessments of IT infrastructure to ensure operational efficiency and security for years to come.

That said, it’s not enough for utility executives and IT leaders to invest in technology and encourage people to embrace a security-focused mindset. They need to shift their attention from managing the status quo and following protocols in place for decades to accelerating every action possible to boost overall cybersecurity—and inserting efficiency into IT processes whenever possible.

Regardless of the specific makeup of a utility’s IT infrastructure, efforts like these should center around elevating cybersecurity as a top priority for every stakeholder from the utility’s chief executive to a customer paying their bill online. This is a feat that’s much easier said than done. In fact, a recent survey of water sector executives found that creating a systemwide culture around cybersecurity is the biggest challenge in the path of utilities serving over 100,000 people. 

Addressing cyberthreats with modern software architecture is a game of quality over quantity. For utility executives and IT leaders, success requires hands-on work to boost cybersecurity with strategic digital transformation and concerted efforts to bring users (staff, consultants, customers) into the fold along the way. 

Regardless of how things play out, utility leaders in the C-suite and the IT department need to do everything possible to avoid a scenario where one small action, error, upgrade failure or breach takes down an entire IT system, critical infrastructure function or community resource. The alternative is simply too perilous and lethal to even consider.
