We asked a cybersecurity expert: Can the cloud help water utilities?

Eric Suesz Eric Suesz August 17, 2023

13 min read

Water utilities in the US have been given a mandate by the federal government that they need to improve their cybersecurity. It’s a serious issue, but this directive is also competing with the US’s aging water infrastructure, limited funding, and a host of other needs.

We wanted to talk to an expert with experience across industries about the wisdom of using the cloud for cybersecurity, so we sat down for a conversation with Maggy Powell.

Maggy joins us from the AWS Security Assurance team. She is a Principal Security Industry Specialist focused on security and compliance for the Energy and Utilities Sectors. She joined AWS after 14 years in the power and utility industry, having worked at depth on security regulatory compliance and security operations for operational technology. At AWS, Maggy supports energy and utility customers as they navigate security and compliance challenges for critical infrastructure, and pursue cloud adoption to enhance reliability, security, and resilience.

Let’s start with a very basic – but very legitimate – question. Why is it safe for water utilities to trust their data to the cloud?

I think it’s human nature that when somebody’s approaching something new and they don’t completely understand how it works yet, there’s an inherent distrust. But when a water utility operator stops to think about it, they realize that by supporting their software on-premises – working with desktop software, backing up data locally or via on-premises datacenters, etc. – they are bearing certain risks.

The operational risks for water utilities are higher than for many other businesses because they are operating critical infrastructure. It is vital to the health of our nation. That operational risk demands high security measures. Because of that, trust is important. However, earning trust means learning some of the details about cloud technology and applying it to meet your security and business needs.

That said, I like to start by talking about three main benefits of the cloud that can help bolster utilities’ understanding and trust for cloud-based system and operational security. There are others, but these are my favorites.

First, is the ability to rely on global infrastructure. With an on-premises setup, you may have a primary data center and a back-up, so you have some resources if you have an outage with your primary or are performing updates and need to run on the back-up. Cloud allows you a much greater level of redundancy and resiliency, with the ability to host your data in multiple AWS cloud datacenters that are geographically spread. This reduces your risk compared to having your on-premises resources in the same footprint, say in the path of a natural disaster.

AWS data centers are organized into regions, with a region being a collection of multiple availability zones, and with availability zones being made up of multiple discrete datacenters. So, the opportunities for back up, redundancy, and failover recovery goes far beyond what a single utility could implement and maintain on its own using an on-premises approach.

That’s a good point. Some of our customers also need to follow regulations specific to their region, and Autodesk can offer them ways to store their cloud simulations safely in specific locations.

Yes, the customer controls where their data resides. It’s important for utilities to understand that cloud is a resource to augment their operations and meet their business needs.

The second security aspects I like to note is increased visibility. When using cloud applications or cloud solutions, every activity is an API call, which is subject to logging and monitoring. And all of those granular activities can be turned into useful alerts and automation. If you want to protect yourself from an adverse event or have a specific security concern that you want to solve for, since every activity is tracked, you can programmatically set up your system to watch for specific threats, and auto-remediate if that makes sense.

Automation, my third of three, can also simplify common tasks and reduce human error by creating scripts for repeated tasks like maintenance and deployments.

Both of those last two are also very important to Autodesk. In addition to logging potential cybersecurity threats, our software is designed so that engineers can monitor and control sensors, as well as crunch analytic data to create alerts about important real-world changes in very specific scenarios – to monitor specific percentages of chemicals in a solution so that it remains safe, for example. In other words, the more granular and extensible data we can provide to our water utility customers to give them more control over their operations, the better.

Absolutely. I mentioned security alerts, but that added visibility is so valuable to operations. I encourage utilities that are considering investing in a cloud-based solution to focus on that aspect of control. Some people have an assumption with cloud-based security that you just turn everything over to somebody else and it’s completely out of your control. That’s certainly not the case. You control where your data goes and who has access to it, although with cloud security you can actually do this on a much more granular level.

Finally, on the topic of trust, security is a top priority. Our infrastructure is built to satisfy the security requirements for military and global banks, among others that are also part of our critical infrastructure. But you don’t have to take our word for it. We’re also subject to a long list of international security assurance certifications and authorizations. AWS is regularly audited by cloud security experts, and subject to continuous monitoring. Information on AWS certifications is available to our customers so they can easily validate that our security controls are in place.

The EPA has called for water utilities to fold a water cybersecurity self-assessment into their regular sanitary reviews. The AWWA sought a judicial stay of that guidance because they don’t think smaller utilities will have the ability to effectively self-assess their cybersecurity practices. I see their point, but I also want more cybersecure water infrastructure. Is self-assessment the best way?

First of all, it’s never easy for any operator entity to adapt to new rules. There’s always cost associated – even just programmatic costs. Regulating security can sometimes feel awkward, but let’s not forget that governments are trying to incentivize the adoption of good, secure practices that are in everyone’s interest. We all want safe, secure drinking water. We all want the lights to stay on and the gas to flow. But it does take some effort to understand what the current state is and to implement measures and controls that can help address and mitigate some of those security risks.

The AWWA has put together summary information and guidance. CISA also has guidance, in addition to what the EPA is putting out. I think one good thing about the EPA guidance for water utilities is that it is very much a risk-based approach. Operators generally know what their risks are. They’re the ones best situated to assess the specific facts and circumstances that affect their operations.

Need help? We created a cybersecurity toolkit.

Read our cybersecurity toolkit for water utililities, which is packed full of information for assessing your risks. It includes both online and downloadable resources for water utilities like free cyberassessment programs and grants you can apply for to improve your security.

One of the reasons we think that a risk-based assessment approach is so important is because operations, technology, and security risks evolve. Regularly reassessing your risk is very important in order to keep up with the changing operational and threat landscape. Regardless of the status of the regulations, AWS supports water utilities in aligning their security with the guidance set by the AWWA, EPA, and CISA.

What is a basic example of how the cloud is better than on-premises software that anyone working at a utility would immediately understand?

Patch management is a good example. When you’re managing installed desktop software on-premises, you’re responsible for implementing software patches. It’s ever-present, something you must keep up with. It can take a lot of time to download patches and install them on individual systems. Using cloud patch management, patching can be set up in a much more streamlined, automated manner. It can become part of the automated workflow. This can save a lot of time and effort.

Some software providers who don’t have mechanisms to support customer patch updating struggle to keep patching timely. That’s just something you don’t have to worry about with the cloud.

That’s an excellent point. We’re always trying to find ways to encourage our customers, particularly those who have been using our legacy desktop software products for a decade or more, to update to the latest versions. But with our SaaS, web-based Info360 applications, which are hosted in the cloud, we simply don’t have to do that. Updates are automatic. Our desktop InfoWorks WS Pro and InfoWorks ICM users can also now run simulations in the cloud using a newer version of the app with cloud support. That’s yet another constituency of our users who won’t have to update their apps.

I think that’s a good example of how shared responsibility works. You’re not alone in that effort any longer. One of the great things about this is that what you hand to the cloud service provider tends to be more undifferentiated work – maintaining infrastructure, maintaining servers, things like that. By sharing that work with a cloud service provider, you can then focus on the work that makes a difference to your business and to your customers.

Our head of water products and engineering Rick Gruenhagen has said, “From our perspective, the security of cloud-based systems is something that’s a solved problem – solved, because we have so many other industries building services in the cloud.” Some industries face much stricter regulation than the water industry. Should water utilities take comfort in that already trodden path?

In the past two years, we have seen more industry leaders like Autodesk innovating using cloud technology to deliver Software-as-a-Service (SaaS) solutions. And I think this is something that water utilities have going in their favor. In some ways, the road has already been paved by other industries.

One that is top of my mind for me when it comes to dealing with a lot of data is Financial Industry Regulatory Authority weather (FINRA), who are responsible for monitoring all market trades in the US every day for fraud. They must process an average of 37 billion records in their day-to-day workings. It used to take them three to four weeks to bring on and harden a new server for their resources. When they moved to a cloud solution, that switched to about three to four minutes. They no longer need to build out a huge on-premises infrastructure to meet their peak needs. The value of that for them is that they’re able to be nimble, spinning up the resources they need and spinning them down when they’re done.

When thinking about utilities and operations, a gas provider in the UK, SGN, comes to mind. They are in a very heavily regulated environment. When they started to consider cloud migration, they saw an opportunity to build compliance reporting directly into their deployments.

So perhaps an added benefit for water utilities is that they can tackle not just cybersecurity with the right solution but also compliance?

Security and compliance go hand in hand. Security is implementing controls and compliance is demonstrating that they’re there. I know from my own experience working in the electrical sector that reporting, and producing compliance documentation can be manual and time consuming. It can be costly, so using cloud solutions to build in reporting mechanisms can make a big difference in streamlining how you’re demonstrating compliance. It’s obviously going to be specific to your own regulatory structure as a water provider, but because of the ability to log and monitor in an automated way, there is more opportunity to be able to streamline that reporting.

The AWWA and EPA guidance is closely aligned with the NIST Cyber Security Framework, which is a well-established framework and a good model to begin considering as a structure to security controls. AWS has a number of resources that map to NIST controls.

There are over 148,000 water utilities in the US, and many struggle to increase their funding to implement new technologies. Is adding cybersecurity to their list of responsibilities a burden that will cost them more money or an opportunity for them to get more value for their tech dollar by investing in software that alleviates cybersecurity concerns?

We talk a lot about this at Amazon. Innovation brings many entities to the cloud, but sometimes cost savings actually provide a greater appeal. In addition to unlocking historically siloed data, water utilities are realizing that the total cost of ownership for IT operations are reduced by working in cloud environments. Simply put, there is a lot of opportunity for cost savings in cloud deployments.

Taking advantage of that can be quite advantageous for your customers because AWS invests more in their security measures and policing and monitoring than almost any company could do on their own, so our customers – and by extension your customers – get the benefit of that built-in security and ongoing monitoring.

But I like to remind people that cloud adoption is a journey. It’s important to be thoughtful and understand what your business objectives are, what your security requirements are, and look into the information and resources available. Educational information and training about cloud technology is available for free. To help utilities understand that potential, we published a guide for water professionals with Bluefield Research specifically on Securing Water Utilities with AWS.

Lastly, an observation that keeps me up at night. I feel like smaller rural water utilities in the US are prime targets for hacking and ransomware style attacks. They struggle with limited resources and may rely on outdated or problematic workflows. I’m thinking of things like passing Excel spreadsheets among multiple third parties with those same documents making countless trips through multiple computer systems. To me, SaaS and the cloud helps solve that problem by both eliminating the need to share over unsecure networks and by providing a digital trail of evidence for what is shared.

I share that observation. The smaller utilities that I’ve worked with, whether it’s electric, water, or gas, have been doing things very well for a very long time – on tight budgets – and the growing recognition about cybersecurity risks are straining resources. Cybersecurity is a lot to wrap their arms around, but there are great resources out there that a utility provider can turn to. The water trade associations such as American Water Works Association have valuable resources on security. As well, the current software providers that utilities rely on for on-premises solutions are a resource.

It’s worth it for water utilities to ask those providers, “Do you offer secure, cloud-based solutions – or do you have a roadmap for that in the future?” If not, what can you do now to help me understand both my software-based vulnerabilities and my operational vulnerabilities?

Further reading: How other utilities are adopting the cloud for cybersecurity

Fill up on more of the One Water blog

Sign up for the One Water Blog newsletter, and we'll keep you updated about our top stories, along with the best content we find online. We only send out a newsletter when we have something interesting to share.