Poor Information Security Practices Create Real-World Danger: Why Municipalities Need to Intensify Their Cybersecurity Focus
Americans expect their towns to provide safe drinking water; there are major news stories and investigations when they fail at this. But how many municipalities consider their information security processes critical to delivering safe water?
The potential real-world harms of poor information security were exposed when a Florida town’s water supply was hacked and the intruder attempted to increase the level of lye. Fortunately, no harm was done in that incident, but it should serve as a wake-up call for municipalities to review their cybersecurity strategy and make sure they protect people from physical harm as well as damage to data.
Information Security Strategies
The security methods that protect water supplies and other utility services are the same as those that protect all IT systems; it’s a matter of applying them effectively. They include:
1. Know your assets and their risks.
You won’t protect systems and devices you aren’t aware of, so inventories of both hardware and software are critical. For water supplies and other utility services the municipality delivers, control systems are particularly important. Don’t overlook internet of things devices, which can introduce high levels of risk.
2. Isolate sensitive systems.
Design networks to separate control devices and other sensitive systems from those which are lower risk. Use firewalls to restrict access to these services. Don’t allow remote access where it isn’t needed; where it is needed, require use of a VPN. Make sure sensitive systems are safely physically isolated, too.
3. Manage identity and privileges.
Don’t grant privileges to individuals haphazardly. Define a set of roles, identify the access needed to perform those roles, assign privileges to the roles, and then assign employees to roles based on their responsibilities. Enforce strong password policies and use multifactor authentication when accessing sensitive systems.
4. Keep systems updated.
Have a patch management process that ensures that critical patches are deployed urgently and less critical patches within a reasonable time period.
5. Control mobile device usage.
Mobile devices are important for providing access to employees, but they can also introduce risks. Define a mobile device policy and implement tools to enforce the policy and ensure devices are used safely.
6. Check supplier safety.
Third parties with connections to systems also present a risk. Make sure suppliers have strong information security policies.
7. Train employees in safe computing.
Help employees protect systems by teaching them how to identify and avoid risky online behaviors.
8. Monitor systems for intrusions.
Use effective monitoring to make sure you detect intrusions as soon as they occur.
9. Define your incident response plan.
Know how you’ll react to an incident before it occurs. Document an incident response plan and train the affected personnel so they know what’s required.
Prescient Solutions provides information technology and cybersecurity services to municipalities and emergency call centers. Services are cost-effective, with a shared services model ensuring that even small communities can access sophisticated, secure IT services.