How Water Utilities Can Improve the Security of Remote-Access Tools

Image courtesy of James Keenan under Attribution-NonCommercial 2.0 Generic Deed, resized to 700 x 391 pixels.
The National Institute of Standards and Technology (NIST) recently released crucial cybersecurity guidance specifically tailored for water utilities that utilize remote-access tools. This guidance, which is incredibly important, aims to bolster the security posture of water utilities in the face of the worsening cyber-threat landscape.
Summarizing of NIST’s Cybersecurity Guidance for Remote-Access Tools
Remote-access tools offer operational efficiencies for water utilities, but they also introduce unique vulnerabilities. They enable personnel to manage, monitor and execute systems and processes remotely, but without proper security controls, they can become a primary target for utility cyberattacks. You can read a more in-depth article about this by clicking here; below is a summary of the key points.
NIST’s guidance emphasizes a multi-layered approach to securing remote access. Not surprisingly, a core recommendation is the implementation of strong authentication mechanisms, including multi-factor authentication (MFA), which requires users to provide two or more forms of verification before gaining access. This significantly reduces the risk of unauthorized access due to compromised credentials.
The guidance also advocates for robust access control policies. Water utilities (or any utility, for that matter) should adhere to the principle of least privilege, granting remote users only the minimum level of access necessary to perform their specific job functions. Regular review and revocation of access privileges are also highlighted as essential practices.
Network segmentation is another key recommendation. Isolating remote access systems and the networks they connect to from the broader utility network can limit the lateral movement of attackers should a breach occur. This containment strategy is vital for protecting critical operational technology (OT) systems that directly control water treatment and distribution.
NIST also stresses the importance of continuous monitoring and logging of remote access activities. Comprehensive logging enables utilities to detect suspicious behavior, investigate security incidents, and maintain an audit trail. Regular cybersecurity training for all employees, particularly those authorized for remote access, is also underscored as a critical human-centric defense measure.
There’s no doubt, the proliferation of remote-access tools is a blessing, but without proper security protocols in place, it can morph into a curse faster than you can say “ransomware.”
