Cyberattacks on water infrastructure are a growing concern in both the United States and the United Kingdom. The lack of centralized regulations and enforceable national standards for securing Programmable Logic Controllers (PLCs) in water facilities is a challenge faced by both countries [1dd564e8]. The US Cybersecurity and Infrastructure Security Agency (CISA) recently revealed that an unnamed facility in the US had to switch to manual operation after its PLCs were compromised [75c36a51]. In response, the National Cyber Strategy aims to enhance cybersecurity regulations to protect public drinking water in the US [1dd564e8]. Similarly, the UK's National Cyber Security Centre (NCSC) is urging water companies in the UK to secure their control systems [75c36a51] [4a48fb38].
Implementing zero-trust cyber protection at the device level is essential to defend against both insider and outsider threats [1dd564e8]. Device-level controls provide security at the source, remain effective against evolving threats, and mitigate unintentional insider actions [1dd564e8]. The NCSC is urging organizations using PLCs to follow the steps outlined in CISA's cybersecurity advisory [75c36a51] [4a48fb38]. Device hardening is becoming a fundamental cybersecurity measure [1dd564e8].
Protecting industrial control systems with a device-level, zero-trust approach is crucial for ensuring the continuity and integrity of operations [1dd564e8]. Controlling privilege at the device level is key to adopting a device-level zero-trust mechanism and providing cyber resilience and safety assurances [1dd564e8].
The importance of device-level cybersecurity in the water infrastructure sector cannot be overstated. With the increasing frequency of cyberattacks and the significant risk posed by insider threats, it is essential to have centralized regulations and enforceable national standards for securing PLCs [1dd564e8]. The involvement of private-sector cybersecurity companies and industry groups is crucial in achieving this goal [1dd564e8]. By implementing zero-trust cyber protection at the device level and focusing on securing PLCs, restricting access, and implementing zero-trust controls, the water infrastructure sector can enhance its cybersecurity posture and ensure the continuity and integrity of operations [1dd564e8].