Tennessee’s Utility District Association (TAUD) is helping its members comply with the state comptroller’s cybersecurity regulations and helping UD’s maintain efficient operations for its customers across the state. Last week, general managers, office managers, board members and commissioners joined together in Gatlinburg, TN to learn best practices to run a successful utility district today.

Of course, this included several topics on cybersecurity and protecting customer data from malicious cyber criminals. One of the sessions was led by Zelvin Security’s Managing Partner, Lisa Atkinson who spoke to the Friday morning audience in a friendly, conversational, and educational tone about the complex topic of cybersecurity. Atkinson’s session focused on low cost, key cyber initiatives the districts can do to reduce risk and maintain operations for its members. The audience included more than 150 utility district managers, commissioners, and leaders who are actively taking steps to reduce cyber-risks.

Here is a recap of the session: Utility districts and other critical infrastructure are under attack from cyber thieves. Malicious hackers know that water, gas, and wastewater utilities are essential to communities, families, and the state. They also know that these departments are often small organizations with a minimum IT budget which makes them “target rich and resource poor.” The educational program began by uncovering the definition of cybersecurity, citing this is often the cornerstone of confusion.

The dictionary defines ‘cybersecurity’ as a noun which implies it is a person, a place, or a thing. But it is not something you can talk to, go, or hold in your hand. It is not a destination, but rather a journey.
Next, the audience learned that there is no such thing as a cybersecurity solution or protection against all threats. The audience looked at some marketing to see that businesses advertise that they offer “affordable” cybersecurity solutions, which is impossible.

Not all threats are preventable, however, there are several steps a utility district can take to harden the environment to reduce cyber risks.  

Provide Security Awareness Training

All employees should participate in an effective security awareness training program on a regular basis. Implementing prevention training brings awareness and helps the employees understand the importance of their role in protecting the organization from cyber threats.   This training should include information on the types of common attacks, such as smishing, phishing, and how to spot malicious or suspicious activity. This includes the best practices for reporting potential malicious activity, and what to do in an emergency.      

Use Complex Passwords

Implementing strict password and account management policies and practices involves setting guidelines for creating and maintaining secure passwords, as well as controlling access to sensitive information and systems. This can include requiring employees to use complex passwords that are regularly changed, utilizing two-factor authentication, and monitoring for suspicious login activity.   The session provided an example of a strong 12 character password like the one below and noted that it is complex because it contains multiple Latin characters and it is also not a dictionary work.  

To test the complexity of your password, use the following entropy calculator to measure its strength. https://zelvin.com/password-calculator/

Perform Company-Wide Security Assessments

The threat landscape is constantly changing, and new vulnerabilities are discovered regularly, which makes it necessary to conduct regular security assessments to uncover security weaknesses before a malicious hacker can. A company-wide security assessment is not something that an IT vendor or an internal employee can do. It requires the specialized skills of an ethical hacker, because this professional uses the same tools and techniques as a malicious hacker. This test is often referred to as a penetration test. It should be noted that to maximize the effectiveness of company-wide security assessments, they should be performed annually or when significant changes occur – not as a one-time event.  

The benefits of a penetration test include:

• What could a hacker see, do, or steal if someone clicks on a phishing email?
• Could a hacker reach important files or client data?
• Could a hacker hold the organization for ransom?

Protecting the internal network is essential to reducing cyber-risks and it is no longer a checklist or a tool. It is an action that requires an ongoing effort, focus, and testing.   Asset Inventory An asset inventory is a detailed record of all the hardware, software, servers, and devices connected to an organization’s network. Here’s why it’s important. If the inventory doesn’t include all items, those forgotten items could be targets and access points for hackers.

During the conference, the audience learned that when an ancillary location, such as a water treatment facility, has digital assets that are not properly secured and routinely maintained for security, these devices could be an attack point and provide access to other areas of the network. The other areas could include the business office, the mechanical facilities, and systems that contain client records.   

Start Planning Today

By following these tips and performing regular penetration testing, organizations can reduce their risk of a cyber-attack. For more information on cybersecurity strategies to reduce risk, please schedule a no obligation call today!