search.noResults

search.searching

saml.title
dataCollection.invalidEmail
note.createNoteMessage

search.noResults

search.searching

orderForm.title

orderForm.productCode
orderForm.description
orderForm.quantity
orderForm.itemPrice
orderForm.price
orderForm.totalPrice
orderForm.deliveryDetails.billingAddress
orderForm.deliveryDetails.deliveryAddress
orderForm.noItems
PC-MAR23-PG42.1_Layout 1 06/03/2023 14:29 Page 42


WATER & WASTE TREATMENT RISING TO THE CYBERSECURITY CHALLENGE


In this Q&A, Philippe Willems, engineering manager at Ovarro, discusses the enduring challenge of


cybersecurity hazards for the water sector


The biggest cybersecurity hazard for water companies, and for all critical infrastructure companies, is an attacker taking control of their IT or OT (operational technology) systems to steal data and block or disrupt operations. Risks stem from water companies still using legacy systems which were installed many years, if not decades, ago.


W


These systems have minimal, if any, cybersecurity features and present a digital attack surface – so there are many pathways an attacker can take to gain unauthorised access to a computer or network. Protecting insecure legacy infrastructure can seem like a daunting challenge. The main task for water companies is to update or protect their existing systems. This


requires a detailed analysis of their OT network


vulnerabilities, before establishing an initial plan to protect the most vulnerable entry points for attackers. Who is behind water


sector threats and attacks, and what are their motives?


There are three main attacker types. Hackers who do it for the sake of doing it - they are perhaps the least concerning. Then there are the attackers who want to block access to computer systems using malicious software, such as ransomware, until a sum of money is paid. The most dangerous and under-the-radar, unnoticed threat comes from state-backed attackers trying to gain access to water companies, and other critical infrastructure, in what is called cyber-warfare. What steps should water companies take to protect their systems from attacks? First and foremost, companies must undertake a full assessment of their security systems. The correct steps can then be taken to protect these systems. Actions may include replacing existing unsecured devices with cyber-secure devices, by using firewalls, or by


42 MARCH 2023 | PROCESS & CONTROL


hat are the biggest cybersecurity threats facing the water sector today?


Ovarro ensures its products are protected from threats through a continuous process of learning, monitoring and updating


segregating IT and OT networks, to ensure any access routes to critical operational networks are blocked to unauthorised users. How does Ovarro, as a supplier, maintain awareness of emerging threats to your own systems?


As a supplier, we are in the process of obtaining IEC 62443, an international series of standards published by the International Electrotechnical Commission (IEC) that address cybersecurity for operational technology in automation and control systems. This includes not only the certification of our devices but also of our processes and procedures. We receive security advisories from the Cybersecurity & Infrastructure Security Agency (CISA) about the software components we use in our devices and if we are affected, we publish a security advisory with a description of the fix or workaround we have implemented.


In the UK, Ovarro has joined the Industrial Control System Community of Interest (ICS COI),


hosted by the National Cyber Security Centre, to further drive compliance and cutting-edge cyber security into products and practices. How important is collaboration between water companies and their supply chain partners on this issue?


Water companies and the supplier community must use the same standards: • IEC 62443-4 for devices • IEC 62443-3 for integrators • IEC 62443-2 for owners of systems This is a key concept of IEC 62443 - companies like Ovarro can provide certified devices, but these devices must be correctly installed and configured by the system integrator. Then the owner, in this case the water companies, must enforce best practices from their employees and other authorised users. If any of these practices are not


implemented correctly, the cybersecurity of the whole system will be vulnerable to attacks. In 2021, industrial cybersecurity platform Claroty performed testing on Ovarro’s TBox remote telemetry unit (RTU) and detected vulnerabilities. How does Ovarro manage vulnerabilities such as this when they are detected?


Any vulnerabilities found by cybersecurity companies are corrected and new versions of our software are released. If there is no correction possible, we establish a workaround. On very rare occasions, we may recommend our customers do not use the affected feature to eliminate risk. For Ovarro, how important is external product testing?


Thorough testing, including by external specialists, is vital. Ovarro carries out multiple stages of testing. The systems are tested in- house first, by engineers in charge of the development, then by a dedicated team assigned to software tests. We also provide beta versions to selected customers who help us to test the systems in real-world situations. Finally, we work with cybersecurity specialists for penetration testing.


Looking forward, is the scale and complexity of cyberattacks against the water sector likely to increase?


Unfortunately, yes, it is a never-ending game. Attackers will always find new ways to penetrate systems and companies are continually assessing how much money it will cost to protect them to an acceptable level. However, alongside this, the technology to tackle threats is developing at a fast pace and is moving towards being fully automated, driven by artificial intelligence, including machine learning. Of course, robust security cannot be achieved through hardware or software alone, but through a joined-up strategy, comprising people, policies, products and procedures.


Ovarro www.ovarro.com


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52  |  Page 53  |  Page 54  |  Page 55  |  Page 56  |  Page 57  |  Page 58  |  Page 59  |  Page 60  |  Page 61  |  Page 62