Cyber Security of / for Water Utilities in Africa
With increasing population and the increasing impacts of climate change around the world, the delivery of clean water and sanitation services by utilities have become more indispensable and more challenging. A situation which has necessitated the need to shift from the traditional water and sewerage systems to a more current, digital, efficient mode of operation among many utilities across the globe. Digitalizing water and sanitation systems is unequivocally a more efficient way of managing non-revenue water, optimizing water resources and bridging the gap between demand and supply.
Africa has not been left out in this global transition. Most African water utilities are introducing digitalisation in several areas of the water sector. Predominantly, automation – the ability of the treatment works and network systems to control themselves, real-time capability – the capability to collect and analyse data and provide the insights immediately, and virtualization – advanced treatment works that have process models that control aspects of the treatment works, are being adopted by most African water utilities.
Why water utilities in Africa need to make cyber security a priority
As African utilities continue to record improved efficiencies because of the increased reliance on digital technologies over time. Therefore, one critical area that needs much attentiveness is the security of these digital systems. Security of these digital systems is very important, because increased automation and connectivity reduces the scope for standalone/manual operation of the water supply system or even eliminates it completely. That means a hack of the digital system of a utility could result in its collapse and in the worst scenario, could be an avenue of causing harm to the people that they serve.
Water utility systems such as process control systems and enterprise systems are all potential targets for cyber-attacks. For instance, systems control and data acquisition (SCADA) systems used to manage automated physical processes essential to water treatment and distribution systems have become standard in medium to large drinking water utilities and in many small water systems. Though, the application of standard information technology cybersecurity best practices are observed, these types of systems have proven to be vulnerable to cyber-attacks.
Enterprise systems such as employee payroll, electronic billing systems and customer records are critical systems that are targeted by cyber-attacks. Cyber-attacks and threats are carried out in various forms including but not limited to, phishing, social engineering, DDoS (distributed denial-of-service) attack, virus, worms, malware, trojan, ransomware, spyware/adware, sequel injection, MITM (man-in-the-middle) attack, vulnerabilities in web applications and networks, zero-day attack, and several other forms.
Africa needs to put in more efforts to build sustainable resilient cyber security systems to protect its water utilities. This is crucial due to the continent’s high vulnerability to cyber-attacks, especially when developmental resources are not enough in the continent. In Kaspersky Lab reports on cyber threats in Africa, Kaspersky stated that about 49 million cyber-attacks took place in Africa during the first quarter of 2014. IT services and consulting firm Serianu, estimated the loss to African businesses from cyber-crime in 2017 stood at 3.5 billion USD, with Nigeria, Kenya and Tanzania being the hardest hit. Serianu also pointed out a sad fact that about 95% of public and private institutions spent less than 1,500 USD on cyber security annually.
All these figures show how widely exposed African countries are to cyber-attacks, compared to other economies. Sadly, Serianu’s Africa Cyber Security Report 2017, mentions that as many as 96% of cybersecurity incidents in Africa are not reported or remain unsolved. This further explains how cyber security has been overlooked by the African continent.
What needs to be done
Addressing the cyber security needs of water utilities in Africa starts from the acceptance of the threats that comes with the adoption of digital processes and making the safety of these systems a priority. To improve efforts being made by African water utilities in the area of cyber security the following recommendations can be considered.
Combining Efforts – Rightly, many utilities in Africa are building or thinking of establishing their own cyber security protocols within their organizations. As much as, tackling the menace of cyber-attacks individually is good, considering a collaborative and centralized system will be amazing. All African governments through the African Union (AU) and led by the African Ministers’ Council on Water (AMCOW) should come together to produce a cyber security law, framework or policy for the water and sanitation industry on the continent. This will help regulate and ensure that enough attention is given to cyber security by the water utilities.
On the other hand, all utilities in the region should join forces to establish data and cyber security centres across the continent. This act will reinforce the security of these utilities and the fact that is a collaborative effort makes it more difficult for cyber criminals to succeed with an attack on a particular utility. The Africa Water Association (AfWA) can lead the way in implementing this solution.
Robust Technology & Processes – The digital technologies being implemented in the utilities should be strong to provide security to some extent. For instance SCADA systems should come with in-built security features, genuine anti-viruses should be used and updated regularly. Full audits of digital systems such as electronic billing systems, smart metering systems, geographical information systems, etc. need to be carried out consistently to identify specific risks and mitigate them.
Processes for dealing with cyber threats need to be developed, documented and updated regularly considering the dynamic and evolving nature of the cyber space. Documented processes should also clearly define roles and responsibilities, and specify the procedure to follow when there is a suspicious cyber-attack.
Informed people – In most cases, malwares will require a human interphase to reach the target network. Therefore, better cyber awareness among water utility employees and their consumers is very necessary. According to the Water World Magazine, over 90% of cyber-attacks were linked to some form of human error in the last quarter of 2015. Routine training has to be organised for employees to sensitize them on their role in preventing and reducing cyber threats. Staff dedicated to cyber security need to be current with the latest cyber risks and solutions to mitigate and respond to cyber-attacks effectively.
The African water industry has to learn lessons from the cyber gaps of water companies around the world, especially in America and Europe, to gain a better understanding of how they can protect their systems and manage such attacks in case they happen. Water utilities need to put in measures to ensure that even in the event of a cyber-attack, they are able to ensure their reliable services, to serve their consumers. This even more, considering the fact that access to clean water and sanitation is a human right. Water is life.