
A recent study by France’s national information systems security agency, the Agence Nationale de Sécurité des Systèmes d'Information (ANSSI), assessed the risks to which businesses and local authorities are exposed. ANSSI has examined at least 31 compromises affecting players in the water sector in France since 2021, and warns of clear vulnerabilities in water and wastewater services.

While efforts have already been made, organisations still need to strengthen their defensive stance, as befits the critical nature of their business.

 

Facing up to cyberattacks

Like all other industrial sectors, the water sector is affected by opportunistic cyberattacks. But it is also directly targeted by deliberate cyberattacks, which are often carried out by state actors or organised groups whose aim is to destabilise a country or an economy. After all, water is a vital and critical resource. A successful attack can therefore have serious consequences if, for example, it leads to supply cuts or contamination of drinking water.

For this reason, public authorities are gradually tightening cybersecurity requirements for critical infrastructures, including those in the water sector. The European NIS2 directive, which has just been adopted by the French Senate and is now in the hands of the National Assembly, is expected to require organisations in the water sector to put in place enhanced governance, defence, protection and resilience measures in the face of cyber-threats. Although the directive aims to provide better protection for essential services against cyberattacks, its practical application will still require the adoption of several decrees by the Conseil d'État.

 

Rely on guides and recommendations to deal with cyber threats

With this in mind, over and above the need for compliance, it is already possible to implement certain approaches to protect against cyber-threats. Players in the water sector can follow the recommendations of Astee (a leading association in the French water sector), which recently published a guide aimed at small and medium-sized local authorities in order to improve their level of security. They can also follow ANSSI recommendations, such as defence in depth. This approach is based on a number of key principles including network segmentation, under which different systems are partitioned to limit the propagation of an attack by isolating sub-systems. This involves separating IT networks from OT networks, which include the operational systems that control equipment. But segmentation can also be internal, within the operational infrastructures themselves.

In addition, by installing hardened firewalls – focused on the industrial world – and anomaly detection systems, organisations obtain the ability to spot any attempt to manipulate network protocols or PLC commands. This increased surveillance ensures the integrity of processes and anticipates any potential threats. The industry should progressively adopt more secure solutions, while integrating cybersecurity principles into every stage of operations. This implies a continuous effort to modernise infrastructures and regularly update systems.

In addition, infrastructure operators and managers require training in good cybersecurity practices so that they can respond effectively in the event of an incident. Raising awareness is essential to developing a culture of security and improving resilience in the face of attacks.

 

Faced with increasingly sophisticated cyberthreats, securing water sector infrastructures is a major strategic challenge. The modernisation of systems, the segmentation of networks, the deployment of advanced surveillance solutions and the ongoing training of players in the sector are all key ways of strengthening resilience in preparation for possible attacks. While initiatives have been put in place, they need to be stepped up to ensure effective protection of this vital resource. A proactive, collaborative approach between public and private players is essential if we are to meet these challenges and ensure the continuity of water and wastewater services, against a backdrop of constantly evolving digital technology and omnipresent cyber-threats.

About the author
Vincent Nicaise, Team Leader Industry, Stormshield

With his many years of professional experience, Vincent negotiates the cyber sphere with genuine commercial, marketing and technical gusto. A fan of street art, octopus and cybersecurity (not necessarily in that order), he is responsible for partnerships with the entire cyber-industrial ecosystem. A busy man indeed.