Let’s face it: our water management systems are some of the most critical infrastructures in our communities. They keep the water flowing, the public safe, and life running smoothly. But with cyberattacks targeting operational technology (OT) like industrial control systems, protecting these systems has become a top priority. The Secure by Demand: Priority Considerations for Operational Technology Owners and Operators guide, created by CISA and global cybersecurity agencies, breaks down how to make smarter, safer decisions when purchasing OT products.
Want to dive deeper? You can check out the full guide here.
Why Water Management Systems Are a Big Deal:
Water systems are tempting targets for cybercriminals. They’re critical to public health and safety, which means an attack could cause chaos, service shutdowns, or worse. Unfortunately, a lot of these systems rely on outdated tech that wasn’t built with cybersecurity in mind. This guide is here to help municipal teams focus on security from the start, especially when buying new OT products.
The Big Takeaways for Municipal Teams
Here are the top tips from the guide that every water management team should know:
1. Keep Tabs on Configurations
What This Means: Look for products that securely track and manage changes to system settings.
Why It’s Important: It helps prevent tampering and makes it easier to bounce back from system failures.
2. Built-In Logging Is a Must
What This Means: Systems should come with default logging to track what’s happening—like changes, restarts, or security events.
Why It’s Important: Logging is like the breadcrumbs you follow after an incident to figure out what went wrong.
3. Choose Open Standards
What This Means: Products should use widely accepted standards to make them easier to upgrade or replace.
Why It’s Important: Avoid getting stuck with one vendor, and ensure your system can grow with your needs.
4. Own Your System
What This Means: Your team should have full control over the system—no unnecessary vendor dependencies.
Why It’s Important: When a problem hits, you don’t want to wait for a vendor to step in.
5. Data Safety is Key
What This Means: Look for systems that encrypt data both at rest and in transit.
Why It’s Important: It keeps critical information secure from prying eyes.
6. Secure by Default
What This Means: Products should come with security settings enabled right out of the box—no extra setup needed.
Why It’s Important: You won’t have to worry about missed settings or outdated defaults making your system vulnerable.
7. Threat Modeling
What This Means: The manufacturer should identify possible risks and explain how they’ve designed the product to handle them.
Why It’s Important: It ensures you’re prepared for modern cyber threats.
8. Make Authentication Stronger
What This Means: Use tools like role-based access controls and multi-factor authentication (MFA).
Why It’s Important: This prevents unauthorized people from accessing critical parts of the system.
What’s Next for Your Team?
Securing your water systems might feel overwhelming, but it all starts with making smarter buying decisions. Start by using the tips above during your next OT procurement process. Ask tough questions to vendors, prioritize products that meet these security guidelines, and educate your team to maintain these systems properly.
For more in-depth guidance, visit the full Secure by Demand guide. Taking these steps now can save you a lot of headaches (and potential disasters) down the road.
Remember: Secure systems mean a safer, healthier community. Let’s keep the water flowing!
Learn more about how you can qualify for NOVO’s grant-sponsored state and local government entity public sector services.
NOVO has a track record of protecting our customers’ data through the implementation and management of Microsoft solutions that mitigate data exfiltration risks.
Cornerstones of protection include:
- Azure Information Protection enables data classification and labeling, ensuring sensitive data is recognized and handled securely.
- Microsoft Defender for Cloud provides advanced threat detection and alerts, helping identify suspicious activity within cloud and on-premises environments.
- Endpoint security through Microsoft Defender for Endpoint safeguards devices by identifying and isolating potential threats, while Microsoft Intune manages and secures devices across the organization, enforcing security policies and limiting data transfer.
- Microsoft Purview, with its data loss prevention (DLP) capabilities, monitors and controls the movement of sensitive data, preventing it from being shared inappropriately or leaving the organization’s control.