Connecting state and local government leaders
COMMENTARY | Utility leaders are behind the curve in cybersecurity policies and practice that will protect states and localities. It’s time for that to change.
Utility leaders, do you want the blame for a cyber incident that knocks out a city’s critical infrastructure, hands over control of a dam, or harms the general public?
Do you want to be the next highprofile victim of a ransomware scheme demanding the payment of millions of dollars otherwise lethal damage will ensue to the utility’s operations and your reputation?
Do you want a simple user error or outdated piece of IT equipment to leave your organization vulnerable to hacks, or worse, active attempts to poison a community’s water supply?
From my own experience working with water managers for over a decade, I know that the answer is a resounding no. But with intensifying skills on the hacker side and aging IT infrastructure on the utility side, becoming a negative headline could be one keystroke, application upgrade fail or credential theft away.
The Stark Reality Facing Utilities
In today’s vast and ominous cyberthreat environment, utility cybersecurity is not just an IT problem. It’s a systemwide issue with potentially massive business, financial, public health and safety implications.
As utility-focused ransomware incidents in Florida and Texas illustrate no one is immune and the next attack could always be worse. Utility executives and IT leaders are becoming increasingly aware that they need to operate like their organization could be next. Not because it’s a best practice, but because they might, in fact, be next.
While the Biden administration rolls out a federal cybersecurity framework complete with suggested performance goals for critical infrastructure, the practical accountability remains squarely on local and state utilities to improve IT security and make adjustments that fit the context of their services (e.g. water, waste or electricity).
Another stark reality is that utility budgets and staff commonly lack bandwidth to dedicate to cybersecurity that mitigates rapidly evolving threats like email hacks, ransomware attempts and remote network infiltrations.
Meanwhile, the days of trying to integrate a dozen different IT systems requiring 6,000+ pages of documentation submitted over 24 months to navigate procurement red tape ramble on. This dated, time-guzzling approach to utility IT needs to catch up with the times. There’s simply too much at risk in thiscyberthreat environment.
Additionally, with being in the midst of a rapid-market shift towards end-user-led product sales (known in the sector as product-led growth), the IT landscape is speeding into the future—with or without your government IT manager’s approval.
Cybersecurity Best Practices
Drawing from my career designing, procuring and implementing massive IT systems for water utilities, the best approach to improve cybersecurity efforts for utilities is to conduct the following:
- Educate your workforce on the risks of dodgy or outdated software. There are countless examples of cyberbreaches that occurred because regular software updates were not maintained. These examples should make for an engaging dialogue (not a one-sided scolding).
- Establish an amnesty-like program for employees to reveal any software applications they know or use in the utility ecosystem. This allows you to become aware of every IT system and piece of hardware in use by staff and stakeholders. And by using the carrot versus the stick, you get better results.
- One way to successfully structure this program is to offer a quick security check of all software your colleagues use without mandating they change it right away. This should be a regular process throughout the year rather than a once off practice, which allows you to ask for the complete list more than once because new or different software could creep in mid-survey.
- Conduct an audit of systems to locate both critical and potential gaps in IT security.
- Make a risk-oriented digital transformation plan that outlines why system upgrades are necessary and underscores the urgency for governing boards, executive teams, employees and other stakeholders. Some, 58% of water utilities have launched such plans which include cyber elements.
- Prioritize software with multiple offerings in a single platform. This limits risk in integration. But word of warning: check under the hood. Ask questions like is this software truly integrated or just a mish mash of random products purported to be one system?
The key here is time. As counterintuitive as this sounds, perfect is the enemy of good. Utility leaders need to rally in-house IT staff around moving quickly and sharing notes so they can learn from each effort and each other along the way.
Cybersecurity Requires IT Modernization
The utilities leading the way in cyber efforts have embraced digital transformation efforts and invested in cloud-based software to help isolate security gaps while mitigating broader risks. It is time for the industry as a whole to catch-up:
- Launching systemwide efforts to modernize infrastructure and replacing legacy and underperforming software with solutions built to address modern issues like ransomware or credential theft.
- Communicating why it’s important to upgrade systems and provide employees with training (if necessary).
- Embracing a utilitywide culture of IT best practices focused around adding a systemwide layer of cybersecurity.
- Making regular assessments of IT infrastructure to ensure operational efficiency and security for years to come.
That said, it’s not enough for utility executives and IT leaders to invest in technology and encourage people to embrace a security-focused mindset. They need to shift theirattention from managing the status quo and following protocols in place for decades to accelerating every action possible to boost overall cybersecurity—and inserting efficiency into IT processes whenever possible.
Regardless of the specific makeup of a utility’s IT infrastructure, efforts like these should center around elevating cybersecurity as a top priority for every stakeholder from the utility’s chief executive to a customer paying their bill online. This is a feat that’s much easier said than done. In fact, a recent survey of water sector executives found that creating a systemwide culture around cybersecurity is the biggest challenge in the path of utilities serving over 100,000 people.
Addressing cyberthreats with modern software architecture is a game of quality over quantity. For utility executives and IT leaders, success requires hands-on work to boost cybersecurity with strategic digital transformation and concerted efforts to bring users (staff, consultants, customers) into the fold along the way.
Regardless of how things play out, utility leaders in the C-suite and the IT department need to do everything possible to avoid a scenario where one small action, error, upgrade failure or breach takes down an entire IT system, critical infrastructure function or community resource. The alternative is simply too perilous and lethal to even consider.
David Lynch is the CEO of Klir, headquartered in Reno, Nevada.