The digital revolution is generating multiple and important benefits for the management of a precious resource such as water. However, there are also certain risks, and among them cybersecurity stands out. We interview Víctor Fidalgo, expert in Industrial Control Systems at the Spanish National Cybersecurity Institute (INCIBE).
A computer engineer with a Master's in Cybernetics Research and another Master's in Cybersecurity, Víctor Fidalgo has been working in robotics, industrial control, embedded systems and cybersecurity for more than ten years. In addition, he participates actively in groups of experts such as EICS (ENISA Industry 4.0 Cyber Security Experts Group).
He has worked in several countries and different domains, such as academia, consulting and auditing, and in positions as diverse as programmer, analyst, project manager, cybersecurity researcher, etc. Each of those jobs allowed him to gain professional experience to work now at INCIBE as an expert in the area of Industrial Control Systems.
Question: The digital transformation is a fact affecting all aspects of our life. I understand this has translated into a paradigm shift for cybersecurity. How is the 4.0 affecting cybersecurity?
Answer: The truth is that the implementation of the industry 4.0 paradigm is benefiting the cybersecurity sector. This is the first time we are focusing on the need to connect multiple devices in very diverse working environments. And this is the game changer: earlier on, industries used to buy large and costly devices they needed for production, but they never thought those devices would need to be connected to a mobile phone to show certain information in real time. And it was at that point that things would turn ugly, in terms of security. Systems that were not ready for those uses would be adapted and exposed to the Internet.
The 4.0 paradigm explains very clearly the need for everything to be connected, and therefore, protected from the development stage.
Q: Broadly speaking, how does the INCIBE help promote cybersecurity?
A: INCIBE is a cornerstone of the Spanish institutional framework for cybersecurity protection, thanks to the transposition of Directive 2016/1148 of the European Parliament and of the Council of 6 July 2016 on the security of network and information systems (the NIS Directive), done by Royal Decree-Law 12/2018 of 7 September. Thus, the INCIBE was recognised as the national leading entity to respond to security incidents involving citizens and the private sector. In addition, and jointly with the Spanish National Centre for Critical Infrastructure Protection (CNPIC) under the Ministry of Interior, it manages the incidents that affect critical private sector operators.
Aside from these responsibilities, INCIBE has programmes to disseminate, provide training and develop technologies, ranging from the protection of minors on the Internet to research in Industrial Control Systems.
Q: Let us focus on the water sector. What is the role of cybersecurity in the different water management settings?
A: Cybersecurity is a cross-cutting element affecting every industry. Because it is a critical sector, the water resource management sector — every aspect of it — was included in Law 8/2011 in 2011 as a critical sector that has to adapt to existing controls and regulations.
We must be aware that an incident in this sector can affect people directly, and therefore, from water supply and treatment, to aquaculture systems or agriculture irrigation, water is an essential good for society, and therefore cybersecurity measures have to be applied in water related settings.
Q: Does the water sector have enough human and material resources to guarantee its security?
A: In this regard, we can say that all parties involved in water management (manufacturers, service operators, those in charge of security, etc.) are on board to constantly increase cybersecurity controls.
In terms of material resources, there are multiple specific tools to ensure water settings are secure. Even major manufacturers of controllers and industrial instruments in the sector have been creating specific security devices for years, and adapting existing devices to increase their functionality in terms of cybersecurity.
Q: Is water management infrastructure vulnerable?
A: The answer to that question always raises a lot of expectations. The most objective answer is yes, but not because that infrastructure is vulnerable, but because any element connected to another type of environment or system can be vulnerable at some point. Nobody can say that any infrastructure is not or will not be vulnerable at some point of its life cycle.
And this is where all stakeholders must focus with the application of security measures, staff training, or drafting and implementing appropriate procedures and policies to prevent security problems. These are the pillars that must underpin security in this type of setting.
Aside from the measures that the organisations and manufacturers themselves can apply in this sector, at INCIBE we offer several services to uncover and prevent vulnerabilities in industrial environments.
ICS Scan is an industrial monitoring service which enables detecting vulnerable systems exposed through the Internet in real time. Another service, known as ICS Arsenal, is a customised security distribution. With this service, the organisations themselves can assess their infrastructure and check for vulnerabilities using specific tests for industrial devices.
Companies can contact us to sign up for any of these services.
Q: What are the main challenges ahead for the water sector in terms of cybersecurity?
A: The inclusion of the IIoT (Industrial Internet of Things) paradigm in the application of industry 4.0 is one of the main challenges for the sector. It will affect smart water (smart metering, customer information & data) and all the sharing of information from and to water management infrastructure, towards the customer.
A milestone to meet in the coming years is the generation of cybersecurity standards and guidelines specific for the sector and sub-sectors.
Training and creating a cybersecurity culture is also a constant challenge that should involve everyone in the sector.
Finally, I think that incident management and reporting this information to the Computer Emergency Response Team (CERT) and similar organisations needs to increase exponentially, in order to ensure companies are better prepared for potential future incidents.