03. 04. 2019

Cyber safety, resilience and critical water infrastructures

BY JOSÉ SALDANHA MATOS, HIDRA

Water systems are highly vulnerable to a variety of threats, due to their physical size, large number of visible and non-visible components, and large number of open access points. Resilience, as the ability to prepare for and adapt to changing conditions and recover rapidly from disruptions, also includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents. Examples of digital threats in the water sector include, among others, viruses, malware, former employees not re-engaged, CEO fraud, use of software that is not updated, crime as a service (e.g. for a small amount of money a cyber-attack can be ordered), nation states as a threat (e.g. invasion of computer hackers), or IoT sensors being used to lighten up the water sector.

Risks typically outside the control of water utilities include loss of electricity, loss of chemicals/supply chain, widespread flooding and other extreme climate events, state action or global conflicts. Other risks lie completely within the utility's control; examples are keeping OT/IT up to date, protected IT, site security, network quality and appropriate staff selection. Security has traditionally focused on physical protection, e.g. fences, locks, alarms and access control, but electronic security measures are assuming increasing relevance.

Life in the city depends on how resilience is managed, which implies a clear identification of threats, performance, interdependencies among critical services, associated impacts and cascading effects. Managing resilience requires response models to digital or non-digital hazards and, finally, response models based on measures and strategies to deal with them properly. But the water sector, by its inertia, is typically very conservative with respect to significant changes, due to the long lifespan of its main components, such as pipes and other civil works. Changes with impacts on the water sector are driven by relatively cheap technology, sensors, OT-IT integration and, in general, adaptive, flexible and distributed information sources feeding advanced management systems. By the end of 2020, 250 million smart meters are expected to be in use in Europe.

RESCCUE, presented at CYBERWATER 2018 to raise awareness of risks and resilience in water and wastewater services

In Oslo, Norway, a NATO Advanced Research Workshop on “physical and cyber safety in critical water infrastructure” (CYBERWATER 2018) was held from 8th to 11th October 2018. CYBERWATER 2018 aimed to increase awareness of the risks that threats pose to current and future water utilities and services, to share experiences from leading utility managers and specialists, and to disseminate how to increase surveillance and preparedness, as well as crisis minimisation if all else fails. At CYBERWATER 2018, an invited lecture was presented by the HIDRA CEO on “risks and resilience on water and wastewater services”, where RESCCUE and the HAZUR tool were briefly outlined.

On the road to safer and more resilient cities, physical infrastructures, including warning systems and a multiplicity of assets, are needed, but their value lies in the way they are operated and optimized and in the way complementary approaches are implemented; communication, education and community awareness also play an essential role. A sustainable city is a resilient city, and a resilient city should be a cyber-safe city.