Skip to content

🚰 "The Cybersecurity Approach of a Large Utility"

Words on Water

Photo by Nahel Abdul Hadi / Unsplash

Table of Contents

Host: Travis Loop
Guest: Kevin Davis | Chief Technology Officer | Middlesex County Utilities Authority
Category: 🚰 Utility

Podcast’s Essential Bites:

[2:01] “With Middlesex County Utilities Authority we are the second largest wastewater treatment facility in New Jersey. [To] put that in perspective as far as flow numbers, we do roughly an average flow of 100 MGD (million gallons a day) and we've seen max flows of 435 MGD. We have a lot of different activities that go on here […]. We have a sludge drying facility which shows about 400-500 tons per day. We have a cogeneration facility […]. We try to power most of our plants with some renewable energy. We have a landfill, [which] does about 500,000 tons of waste per year. And we take the methane from the landfill and we power a cogent facility. And we have some remote locations, we have five pump stations […] and we have 75 meter chambers, where we monitor the flow coming into our system.”

[3:03] “My responsibilities include the OT (Operational Technology) and the IT (Information Technology) side of things. […] I have a PE license and control systems engineering and overtime just really started to realize you had to adopt IT principles and practices on the OT side to move forward. I did that cautiously with cybersecurity and overtime just was put into a position where I […] merged both departments.”

[4:25] “My first reaction [on the Florida utility hack] is [that] I’d like to know the details of what took place so I can understand [if] we [are] vulnerable to this. And so my understanding is, they're running an older version of Windows. They had some shared passwords and they had an older version of a remote viewing software [that] they weren't using anymore. It was outdated and it got hacked. So the first thing I thought of was just asset management. Asset management isn't always just hardware and software, but it’s people, it’s access to your computers and your software.

[6:23] “We follow the NIST cybersecurity framework, [which is] a remediation cycle. […] In the NIST framework, they have specific categories, which are: You identify, you protect, you detect, you respond and recover and it's a constant cycle. […] It's something that you have to purposely determine to do, it's not just going to happen. It's not a one piece of technology that is going to fix your needs, there's multiple cycles. So we have weekly or monthly cycles for patching and for hardening of devices that we got to constantly review. […] And then there's yearly cycles, where you want to go and review your policies and procedures and you may do like a cybersecurity framework, which allows you to go on a larger level and make sure that there's not any holes in your philosophy and your system. So we do this based on risk. You look at […] what's our risk in this area and you analyze it. […] There's many different packages or software to help you do that, but just technology alone isn't going to help you accomplish your cybersecurity goal.”

[13:12] “This [utility] I think [is] a good size. And I say that because there's a lot of facilities that are smaller than us that may have a hard time with funding. […] We have limited resources, but we're a good enough size where I […] get funding to accomplish a lot of our cybersecurity goals. […] With diversity and everything that we do, it's a little challenging in some regards, because […] it's [all] about communicating and planning. The biggest challenge I think we have is just network segmentation and communication between departments that are small but remote.”

[20:06] “MS-ISAC [is] about [increasing] cybersecurity awareness. And I think […] it helped us in our journey and I think it'll help everyone else who joins as well. It allows you to see the good you're doing and confirms that. [It] shows you where you need improvements and they have a lot of resources to help you, especially when you're starting out. […] You get a weekly report and you get critical alerts [that] you can verify […] if these are a risk to you and if they are to take action. We get weekly malicious domain and IP reports. […] If you have a problem they give incident response service and they encourage you to participate and in cybersecurity frameworks that are out there such as the NIST framework […]. What they're trying to do is develop a cybersecurity culture and improve your cybersecurity posture and understanding.”

[22:46] “I think there's a lot of new technology coming out for the OT environment that wasn't available before IT companies are getting involved. You have new OT companies popping up and I think there's a lot of good things that are going to happen. […] There has to be a culture change to implement cybersecurity best practices. […] The technology assists you, [but] it's not going to do everything for you.You have to make the commitment in the plan. […] Think big, start small. […] I also think it would be good for different agencies, especially utilities and smaller local government, to start sharing resources.”

Rating: 💧💧

🎙️ Full Episode: Apple | Spotify
🕰️ 25 min | 🗓️ 03/25/2021
✅ Time saved: 23 min

Additional Links:
WEF (Water Environment Federation)