Black & Veatch 2024 Water Report: Cybersecurity
Growing Concern About Cyberattacks Calls for Additional Guidance
Originally published on Black & Veatch Perspectives
As the federal government investigates multiple cyberattacks, it’s becoming abundantly clear that water utilities are a particularly vulnerable part of the nation’s critical infrastructure.
Last November, as reported by Politico, politically motivated hackers breached a Pennsylvania water utility’s booster station. While that attack was diverted before it had any major impact on water quality or availability, U.S. lawmakers have demanded more proactive cybersecurity measures. Last year, the Environmental Protection Agency (EPA) unveiled (and later rescinded) new federal mandates requiring water system inspections to include assessments of cybersecurity threats. While emerging standards are a step forward, there are worries about whether basic observance would give water utilities a false sense of security; compliance does not necessarily equal a robust cybersecurity program.
Based on expert analyses of data from nearly 630 survey respondents, Black & Veatch’s 2024 Water Report illustrates a water sector navigating the challenges of cybersecurity, along with its confidence in current cybersecurity strategies, proactivity in financing upgrades and willingness to seek expert guidance.
Utilities Acknowledge that Cybersecurity is Essential
Eighty-six percent of respondents reported that cybersecurity is “very important,” while 73 percent categorized physical security in that way. Utilities are recognizing that cyberthreats have an exponentially growing reach, with even greater potential for compromise than physical threats. For example, if a whole network system is compromised in a cyberattack, it could impact the entire utility; if just a single pump station is physically vandalized, the effects might be limited and addressed without a widespread service outage.
If the data for “very important” and “important” are combined, 97 percent of respondents believe that both cybersecurity and physical security are essential to the security of their assets (Figure 4). While there were no significant changes in the data regarding cybersecurity from 2022 to 2024, it’s worth noting that physical security had a 7 percentage point increase in “very important” and “important” responses from 2023 to this year. Respondents may rightly be recalling the increase in physical attacks on electrical substations in the Pacific Northwest in November 2022 that caused significant customer outages.
These observations are further validated in the digital water section of the 2024 Water Report; cybersecurity and asset management were tied at 58 percent among top objectives in the utilities’ digital solutions strategy.
As promising as that sounds, utilities cannot have robust cybersecurity without equally robust physical security, and vice versa. Here’s why: network devices and endpoints need physical protection to prevent unauthorized electronic access by an adversary. Conversely, the technology that supports physical security needs cybersecurity protection to prevent unauthorized physical access by an adversary. Utilities should consider having their cybersecurity and physical security professionals collaborate to strategically align efforts. For example, if an adversary were to gain physical access to a computer, they could more easily hack into it, affecting the utility’s cybersecurity as well.
Hindrances Include Lack of Personnel Training, Funding
When asked what most prevents utilities from advancing the cybersecurity of their control systems, respondents put staff resources (47 percent) and budget or funding (37 percent) at the top (Figure 5). In the past year, it appears that staff resources became slightly less of a concern, decreasing from 51 percent in 2023. Budgeting became more of a hindrance, increasing from 33 percent in 2023. The share of respondents who selected cyber expertise slid from 33 percent in 2023 to 23 percent in 2024; this reveals that although there still are knowledge gaps within their organizations when it comes to cybersecurity, utilities are beginning to feel more confident in their abilities to address it.
A takeaway: utilities should provide their control systems’ engineers with additional cybersecurity training to work toward closing this knowledge gap completely while simultaneously mitigating their staff resource obstacles.
Utilities Seek External Support to Address Cyber Challenges
Without question, utilities agree that cybersecurity is a growing concern, but a few key obstacles stand in their way. Black & Veatch’s survey found that utilities may be struggling to determine the best path forward and are seeking external support to address it. Of all the areas that can be outsourced, 35 percent of respondents reported a preference to do so with cybersecurity assessments, closely followed by personnel training (31 percent) (Figure 6). There’s a correlation between these two leading selections, in that utilities need assessments to embark on their cybersecurity journey and need training to maintain the strategies implemented.
Sixty-one percent of utilities reported that they already have consulted with outside cybersecurity experts; an additional 37 percent hired cybersecurity experts as either part-time or full-time permanent staff (Figure 7). Only 18 percent hadn’t consulted with external experts at all, an encouraging showing of the willingness of utilities to seek external expertise to protect their assets in the most strategic way possible. It could also mean that utilities in that 18 percent may have internal IT and SCADA departments with experienced resources and the ability to take on cybersecurity without external consultants.
Next Steps: Connecting the ‘Why’ to the ‘How’
Given the proliferation of digital attacks and growing vulnerabilities, it’s more important than ever to take cybersecurity seriously. Black & Veatch’s survey demonstrates that utilities agree on the “why” behind cybersecurity, but not all are confident on the “how.” When it comes to cybersecurity, the areas where utilities need the most support are training, technical design and funding. Regarding technical design, utilities are seeking alignment for their people, processes and technology in addition to ongoing management, with a growing chorus among utilities of “help me build it, then help me run it.”
Funding remains a hindrance; due to inflation, costs for utilities are rising across the board — not just for cybersecurity services. This makes it challenging to make impactful progress when fewer “real” dollars are available to be applied to these initiatives. Underfunded utilities also are more likely to be using outdated equipment that isn’t protected from modern cyberattacks.
The bottom line: utilities should consider a holistic approach to cybersecurity, understanding that it’s not just about addressing vulnerabilities but about how cybersecurity fits into the overall modernization strategy and existing system of operations. It’s also about balancing multiple priorities that shouldn’t have to compete. Many utilities are doing a great job of bolstering resiliency in the face of climate change but are lacking in cybersecurity. These don’t have to be competing priorities, and it’s essential to find ways to address both.
Following the data trend of seeking external consultants, utilities benefit from collaborating with expert advisory partners such as Black & Veatch who can provide an overall cybersecurity roadmap that considers initial costs, lifecycle costs and process integrations to best fit their unique needs.