27 Nov 2020

Event round-up: Cyber and the water sector: progress and next steps

A round-up of our well-attended webinar on 18 November 2020 which brought together professionals from across the cyber security and water sectors.


On Wednesday 18 November – with the support of our member organisation Forescout – techUK brought together professionals from across the cyber security and water sectors to reflect on the progress made in compliance over the last four years – during which time the Water Sector Cyber Security Strategy, National Cyber Security Strategy and the NIS Directive (NIS D) have all come into effect.

Ever since the introduction of NIS D, techUK has been looking at the challenges around the cyber space for CNI sectors, with respect to industrial control systems and the OT environment. This well-attended webinar explored this further, with a particular focus on the water sector, as well as looking at the impact of COVID-19 and potential next steps as we approach the next iteration of the NCSS.

The session was kicked off by Wissam Al-Nasairi and Rebecca Blair from Accenture who gave attendees a high-level overview of standards and the challenges they present (in particular NIS D); the regulators; and what industry peers are doing on expenditure relating to compliance and security.

A summary was provided of the evolving threat landscape in OT security, the NIS D objectives and focus areas when it comes to addressing security within water utilities: the latter being broken down by people, process and technology and services. Two notable recommendations here were the need to closely track risks until closure and embrace new technologies. Accenture also took attendees through some use cases where their clients had asked for an IT & OT maturity assessment aligned to the principles of NIS D, which demonstrated the importance of understanding what your business’s current posture is in order to build, manage and monitor your compliance goals.

Another key message was the recognition that NIS D has driven improvements; however, changes to this legislation are expected. Furthermore, COVID-19 has provided adversaries with the opportunity to infiltrate networks and, although industries are getting better at implementing controls, security still isn’t typically viewed as a business enabler.

Next on the virtual stage was Julian Bowles who took attendees through Welsh Water’s journey towards compliance – looking at its OT Cyber Programme and the role of technology in addressing the challenges it’s faced, specifically around NIS D.

It’s safe to say that many of those challenges are not unique to Welsh Water. The round-the-clock nature of water provision means that the systems have historically been designed around safety and availability, not with security in mind. There’s also the scarcity of knowledge and experience on legacy systems – a problem familiar to most of the CNI sectors. And this year’s pandemic has dictated that senior operatives have had to keep their ‘eye on the assets’ from an alternative location – the cloud.

Key insights from this popular presentation included the importance of collating and, crucially, maintaining, an OT asset inventory; and the admission that technology can be used to support compliance objectives, but it can’t work alone – people and processes are critical in order to embed sustainable change.

Our final presenter was Daniel Trivellato, who talked the audience through Forescout’s research around how to keep pace with threats, as well as increasingly demanding compliance requirements. An overview was also provided on OT trends and challenges; the evolving threat landscape; more about the compliance requirements themselves; and some ideas and recommendations on how industry can follow best practices to relieve some of the pressure – leveraging technology and processes to help.

A useful panel discussion followed the presentations, taking a high-level look at the impediments to faster compliance. Points touched upon included:

  • the need to look at OT data and utilise it as much as possible;
  • the recommendation to align positive strategic outcomes with the Cyber Awareness Framework (CAF);
  • industry feeling that the NIS D needs far more power around it;
  • a recognition of the distance the industry has come since the legislation was published;
  • and a strong emphasis on having a robust asset inventory in order to monitor and link it to actionable events.  

To finish on a familiar adage highlighted by Welsh Water’s Julian Bowles, a key conclusion of this session was that compliance “is a journey, not a destination”. It’s clear that continuous review and the maintenance of policies, process and systems will be required to maintain appropriate controls and manage risk effectively … And this is important not just to the water utility sector, but across the board when it comes to taking a proactive approach to cyber security – which in itself must be recognised as a key business enabler for the long term.

Watch the presentations from this event in full here.  

Dan Patefield


Head of Cyber and National Security, techUK

Dan leads the techUK Cyber Security programme, having originally joined techUK in August 2017 as a Programme Manager working across the Cyber and Defence programmes. He is responsible for managing techUK's work across the cyber security eco-system, bringing industry together with key stakeholders across the public and private sectors. Dan also provides the industry secretariat for the Cyber Growth Partnership, the industry and Government conduit for supporting growth across the sector. A key focus of his work is to strengthen the public-private partnership across cyber security to support further development of UK cyber security policy.

Before joining techUK he worked as Forum Lead for the Westminster eForum. In this role he had a focus on the technology and telecoms space, on issues ranging from Broadband and Mobile Infrastructure, the Internet of Things, Cyber Security, Data and diversity in tech. Dan has a BA in History from the University of Liverpool.

Phone:
020 7331 2165


Jill Broom


Programme Manager, Cyber Security, techUK

Jill is techUK’s Programme Manager for Cyber Security, working across the cyber eco-system to bring industry together with key stakeholders across the public and private sectors.

Prior to focusing in on techUK's cyber security work, Jill was also part of techUK's Central Government programme team, representing the supplier community of technology products and services to Whitehall departments. 

Before joining techUK, Jill worked as a Senior Caseworker for an MP, advocating for local communities, businesses and individuals, so she is particularly committed to techUK’s vision of harnessing the power of technology to improve people’s lives. Jill is also an experienced editorial professional and has delivered copyediting and writing services for public-body and SME clients as well as publishers.

Twitter:
@honeybroom
Website:
www.techuk.org
LinkedIn:
https://www.linkedin.com/in/jill-broom-19aa824
