[00:00:00] Speaker A: Two or three of the attacks that have taken place in Poland were exploiting vulnerabilities on the vendor side. So that just highlights the importance for vendors to also be up to date when it comes to cybersecurity standards.
[00:00:21] Speaker B: I am Reese Tisdale and this is the Future of Water, in which we talk about all the ways in which companies, utilities and people are addressing the challenges and opportunities in water. This is episode 130.
That means there are 129 other ones you can listen to if you haven't done so already.
And I have a feeling, as always, this is going to be a great one, too. That's because today I'm joined by two Bluefield Research colleagues, Maria Cardinal joining us from Spain, and Lee Ramsey from our Boston office.
Together, we're going to dive into one of the most urgent and sadly underappreciated threats facing water: cybersecurity.
In recent months, our team has seen a surge of cyber activity targeting water and wastewater treatment systems, from the US Cybersecurity and Infrastructure Security Agency's release of 32 new control system advisories in August just a couple months ago to Poland's launch of a national cybersecurity framework for water utilities.
So today, with Maria and Lee, we're going to try to unpack a couple things. What's really at stake when critical infrastructure is under attack?
But where and how are these threats emerging around the world?
And also how are utilities and technology vendors responding or in some cases, falling behind?
But before we get to Maria and Lee, you'll have to bear with me just a little bit longer because something caught my eye this past week.
I want to thank all of my friends, family and others who shared a Wall Street Journal article with me this weekend. It's about Corpus Christi, Texas, which is on the brink of a water crisis that could seemingly ripple through fuel and chemical supply chains.
Prolonged drought and a surge of water-hungry projects from companies like Exxon and Tesla and Flint Hills have drained local reservoirs to record lows. It's a combination of both. I get it. But it's leaving the city warning that it may run out of water in 18 months.
Another day zero coming our way. So what's that like? Well, look no further than Cape Town and Mexico City.
We might be adding Corpus Christi to the list. So a couple takeaways that came into mind as I was reading through this article.
With roughly half the city's water now consumed by, I think it was eight companies, production cuts and even plant shutdowns are possible in 2026.
This does threaten jobs and regional supply chains. So water's impact on the local economy is real. Hopefully, that's obvious, but this shouldn't be news to the city because a proposed $1.2 billion desalination plant was scrapped over sticker shock.
I get it. The price was raised from their original quotes that they received. But the alternative (stalled growth, lost jobs, curtailed fuel production, chemical production) could prove far more expensive.
Guess what costs more?
No water.
So residents are already under watering restrictions since December, and they're lining up for reclaimed water. And in some cases, and this is one of the lines that really caught my eye this past week, some people are hoping for a hurricane to refill reservoirs.
So one thing that I couldn't fathom is that. So talk about cutting off one's nose to spite their face. This is insanity.
But it's also a revealing commentary on our priorities.
And we're all in this together. This is a collective problem.
The region has spent decades courting heavy industry with cheap land, labor, energy, yet recently balked at the price of drought-proofing its water supply.
Go figure. Sooner or later, I think we're all going to realize that climate is a shark, water is the teeth.
Comes in different forms and fashions, and this is one of them.
So with that being said, let's get to Maria Cardinal and Lee Ramsey and talk a little bit about cybersecurity.
70 million.
That is 70 million gallons. That's how much water Las Vegas recycles every single day. That's enough to supply more than 200,000 homes and cover nearly all of the city's indoor water use.
It travels what I think is a remarkable path from city drains to treatment plants, back to Lake Mead, and then once again back into the showers, into the fountains and even the casino floor air conditioners.
So in a place where it rains only 4 inches a year and where the city's survival depends almost entirely on Lake Mead, this cycle of reuse isn't a luxury. It's really what I would say is essential.
But every drop does carry a story of policy, technology, and necessity.
But resiliency isn't by luck.
It's by design.
So next time you're in Las Vegas, remember, what happens in Vegas stays in Vegas.
All right? So I'm joined here by Maria and Lee. Maria, how are things? And before I get into it, you got to tell me how the weather is in Barcelona.
[00:06:06] Speaker A: The weather is lovely. It's actually super sunny. Yesterday it was rainy, but today, sunshine. So very happy about that.
[00:06:14] Speaker B: And I think we've squeezed this in because didn't you just come back from Madrid yesterday?
[00:06:18] Speaker A: Yes, indeed. I was in Madrid at an event to talk about digitalization in the water sector and energy efficiency and weather was lovely weather as well. So, you know, happy all around.
[00:06:33] Speaker B: Well, I can't say the same thing for here, and I'm going to let Lee answer that question. So this is your first time on the podcast, so why don't you tell me where you are and why don't we talk about what you focus on first?
[00:06:44] Speaker C: Yeah, thanks for having me. So I'm also calling in from Boston, where we are sadly coming off a nor'easter, so the weather is not as sunny and lovely. It's a little more windy and still kind of wet, but yeah. So I just joined Bluefield in August, and I'm working on the digital water team with Maria, who is my counterpart. It's been great so far, and diving into looking at Australia right now.
[00:07:11] Speaker B: Nice. All right, so apropos digital, because that's something both of you guys work on.
In recent months, we've put out some research. I think both of you have focused on a surge of cybersecurity alerts in different parts of the world. And so I think independently, you guys sort of put some things out. Looking at, hey, what does this mean? What's happening?
Because these events, they basically underscore that water systems which were once considered too small or obscure to be hacked are now seemingly in the crosshairs of international hackers. Maybe we'll get into that in a minute. So why don't we talk a little bit about cybersecurity and maybe start with the basics and I'll throw it out there and one of you guys can jump in, maybe Maria.
But when we talk about cybersecurity in the water sector, really, what are we talking about? What are the risks and how would we define it? And what's actually at stake for utilities?
[00:08:12] Speaker A: Yes, well, that's a good question to start with.
We can go on and on about finding the different risks for utilities when it comes to cyber attacks. But to put it a little bit more in simple terms, I categorize risks in operational disruption, public health and safety, as well as the financial and reputational risks that come with a successful cyber attack. It does depend on the level of exposure.
So there are two, let's say two types of attacks. Depending on the target, we can have the more frequently heard attacks that are easier to implement, which are attacks on customer billing and data.
They might have high financial and reputational impacts, but they don't really endanger the core of the operations or the public health of the population. But then we have the less frequent that we know of and more complex, as you hinted earlier, attacks that are potentially way more impactful. And these are attacks on operational assets.
These cyber attacks impact service continuity, really endanger public safety and health and erode public trust the most around water utilities. So that's for the targets customer billing and then operational assets.
As for the types of attacks, how these are implemented, we have the typical phishing and spoofing and more than anything else, the exploitation of the human factor.
What I mean by this is the hacking of weak passwords or hacking of personal devices that then are very often connected quite offhandedly with our professional devices or online networks. And these attacks are used as Trojans, they are like Trojan horses, they are often used for ransomware.
On the more sophisticated side of things, and these are usually typically more on the operational assets, we have attacks that include OT system manipulation and sabotage, distributed denial of service attacks, and then attacks that just are not as dangerous from the start, but they are more of an exercise in terms of reconnaissance and target probing attacks.
And these, as said earlier, have a potentially very high impact in water utilities.
[00:10:41] Speaker B: Yeah, I mean, I think it's as I started with like no one, I don't want to say no one really thought about this, but now I think we have to. And so for Lee to bring you into the conversation. So let's talk a little bit about like the biggest vulnerabilities in water systems, whether it be in the US or Europe or elsewhere. Any basic thoughts on that?
[00:11:03] Speaker C: Yeah, yeah, totally. So some of the biggest ones that we found as a part of the research that we did is unpatched HMIs and PLCs. So in the US we have the Cybersecurity and Infrastructure Security Agency, aka CISA. And they will publish different or they will highlight and publish different vulnerabilities from different control systems in the US, and in August this year, they found 32 different vulnerabilities for different PLCs. And so that's a really big one. And you know, we're able to identify that with the help of CISA. Additionally, a lot of these systems are what we would consider legacy systems. So they're 15 or 20 years old and they just don't have the sophistication to implement the modern cybersecurity protocols or authentications to secure the systems.
Then also there's what's called IT/OT segmentation. So it's where what Maria was referencing where the attackers move from things like on the IT side, like customer billing or email systems, into the operations in the water plant and into the water treatment plants. And so that's another really big concern.
But I think for me, one of the things that I really think is critical is the cyber hygiene across utilities, particularly smaller utilities that don't have as much support staff and are already stretched thin. Cybersecurity is really not something that they're focused on. And so this can lead to a lot of just really bad practices and not great cyber hygiene. So, you know, leaving default passwords the same from the manufacturer, not securing access and not paying attention to or focusing on those patchings, those patches that are recommended by CISA.
And so, you know, there's a lot of different vulnerabilities and utilities definitely have to start focusing on this from all different ends.
[00:13:12] Speaker B: Yeah, it makes me think what both of you guys have said. So one is, it's interesting about, you know, using, I think the last comment using things like USB sticks and things like that. WEFTEC was last week. I don't know, 20, 30,000 people in Chicago all getting together. It used to be these conferences they would, every company was, they were handing out USB sticks. Now people, even when, I know when we visit clients and offices, they say, hey, can you put this present? I need your presentation. Could be a boardroom presentation. They're like, sorry, you're going to have to email it to me. You can't give it to me by USB stick. They won't even accept that. So I think that's super interesting. And then I think PLC, just for definition, are we talking logic controllers, basically?
[00:13:59] Speaker C: Yeah, yeah, exactly.
[00:14:01] Speaker B: Yeah. So I think that's another aspect of it and I think the other is that the integration of digital technology, it could be cloud connected or it's all working its way into these utilities whether they want it or not. Right. So the OEM they're building, whether it be pumps or other systems that are connected and they are being connected purposefully or not once again, and therefore exposing some of these utilities to what I, what we would call back doors. So. Well, I think it's super interesting. And the scary part is it's making its way definitely into the news more than it did. So maybe, Lee, can you give us some real world examples of what we've seen or, you know, and maybe who's doing it along the way?
[00:14:53] Speaker C: Yeah, yeah, I can start out with some US examples. So I think taking a step back, it's important to note that CISA, the organization I referenced earlier that identifies different patches, they also released a warning that they saw an uptick in Iranian-based hackers and just kind of alerting, like, all the water utilities that there's been a rise in incidents from state-based hackers. So it's not just Iran, we're also seeing a lot of activity from state-based actors in Russia as well. And so in Aliquippa, Pennsylvania, there was an Iranian-based group that claimed or that took credit for this hack where they exploited the default HMI credentials at a booster station. Nothing did happen. They switched off the automatic controls once they got the alert that there was someone that had entered the system. But I mean it just goes to show you cyber hygiene is so important. They had just left the default password from the manufacturer and that's how the Iranian-based group was able to enter.
And then when you look at an example in Texas, there were three small towns that were hit by a Russia-based group, also in 2024, and in one of the towns, Muleshoe, they had some water tanks overflow, and there weren't any attempts to tamper with the water quality but that was like a physical impact that happened there. While in one of the other towns, in Hale Center, there were 37,000 login attempts into their water utility system. And you know these are really small towns that are dealing with this and you know it's coming from all sides and that's more on like the operational security. But also in the US, American Water back in 2024, they had a breach into their customer billing system and so they actually had to disconnect their billing system and take it offline. And as a part of the cyber incident reporting for critical infrastructure regulations, they had to report the incident to CISA within 72 hours. So on that side being a public utility or excuse me, a publicly traded utility, there is some credibility there to make sure that they're sharing what's happening and being honest about any sort of attacks that they might be experiencing.
[00:17:25] Speaker B: Yeah. And I think to that point, and so I was thinking about this a minute ago where you're talking about small utilities like you mentioned, the ones in Texas, small towns, it's an older report, older data but 85% of water utilities in the US alone serve or have less than three employees. That was some analysis that was put out a while back. But what about on the Europe side, Maria, Any attacks or hacks that you've seen.
[00:17:53] Speaker A: No, we're in peacetime.
What's that?
No, for sure. There's been an uptick in attacks, especially those linked with Russia or with pro-Russian hacker groups.
For instance, back in 2024 in Norway, there was this cyber attack on a dam hydroelectric power plant, although it's not always used for that, but it released over 500 liters of water per second for four hours straight before the incident was detected and stopped.
And so, thankfully, like, nothing major happened and everything else was okay and they managed to, you know, cut it short. But how they got to that was basically through a weak password. Once again, that's the cyber hygiene that Lee was talking about earlier. They exploited a weak password to have access to the valves, and they were able to manipulate the valves in the dam.
And then moving on to Poland. Poland has had many, many attacks lately. I think overall, not just for water, but overall.
The Ministry of Defense said that they received over 300 cyber attacks per day in Poland.
Most of them are directed at hospitals and are more on the customer billing and data side of things. But we know of 10 important, relevant cyber attacks to water infrastructure, water and wastewater infrastructure in Poland. The last one took place this past August. It was in one of the top 10 major cities in Poland. They haven't disclosed which one.
But what is scary is that again, they use either weak passwords or they infiltrate the OT system, but they also infiltrate the systems, let's say, before they're even assembled at the plant. There are also supply chain attacks where they target the smaller and less secure technology partners for water utilities.
And then when that technology is implemented in the plant, they can access the rest of the plant. And what is scary as well is that these Russian or pro-Russian hackers, they even recorded part of the control systems and posted it online so that people could see what they could do. So it really is a tactic of intimidation and putting fear and mistrust into what the local or the national authority and the water utility can or cannot do.
But yes, the attacks are really getting more and more serious. So of course Poland is paying a lot of attention to cybersecurity.
[00:21:04] Speaker B: Yeah, no, I mean, they are at front lines in some respects, or at least right behind the front lines because of its proximity to Ukraine. So let's stay in Poland for a second. So how is Poland? How are they responding? Is there anything that they're doing to either mitigate the risk or threats? What's changing? At least as far as what they're acknowledging?
[00:21:32] Speaker A: Sure.
So in response to the threat of Russia, basically there are different initiatives that Poland is implementing.
I think we will talk a little bit later perhaps about regulations, but focusing more on the programs and the funding that is needed to upgrade all of our online or digital systems.
Poland has established a joint civil and military cybersecurity operations center to coordinate defense efforts for critical infrastructure, which of course includes water and wastewater infrastructure.
And it is in the middle of a major overhaul of digitalizing all of its public administration.
So it's in the.
There is this program called the Digital Decade. So they are pushing for all the local, regional and national level administrations to become more utilized. And on top of that there are specific cybersecurity funding programs for those different levels of government.
And even more, I think unique to Poland compared to the rest of Europe, there is a specific program called Cybersecurity Waterworks that, as the name suggests, is really just focusing on implementing high cybersecurity standards in the water and wastewater sector.
And they are offering over US$83 million for funding by the EU institutions and also by the Ministry of Defense. I think it is from Poland and digital issues and they are going to benefit over 500 entities across Poland in the water and wastewater sector.
And just to put a higher figure in your minds, Poland for this year, for 2025 overall, not just across the water sector, is planning to invest US$1.1 billion, which is already a big increase from 2024, which had already reached historic highs.
And then as a last point, moving away a little bit from funding, but more of an initiative at the utility level. This is a utility-led initiative called the, I'm going to pronounce this wrong probably, but the Isaac Watkan Project, which is a platform for just information and knowledge sharing across utilities to strengthen the cybersecurity of Polish water systems.
[00:24:22] Speaker B: I think, you know, I'm just wondering, is 1.1 billion even enough for Poland? Right. You know, it seems like, you know, you could take that and it doesn't seem like enough, but, but I don't know the full context.
You know, I think we're as we dig through it. So I mean, let's turn it to the US, Lee, just a little bit and talk a little bit. I mean, is there any funding that you've seen in the US and then we can talk a little bit about maybe what does this mean for those utilities that don't have anything, have any of the financial resources, the small and the rural. So what do you think?
[00:25:03] Speaker C: Yeah, totally. I mean, if 1.1 billion isn't enough for the, for Poland. I'm worried that the US is really far behind.
So just this year the EPA announced 9 million in funding for medium and large water utilities to help enhance cybersecurity measures.
So definitely quite the contrast in magnitude to Poland.
And again it's only for, for medium and large water utilities. So those utilities typically have more resources, more staff on hand and you know, they can help build out those robust systems. But again those smaller and rural systems don't have that. Like you mentioned, most utilities have less than three employees.
And so there are a few programs that have come up across the US outside of government funding. So the first is at DEF CON they actually partner, they establish a partnership where volunteer hackers are helping utilities in the National Rural Water Association. And so that's kind of one way that smaller utilities are getting some support. And additionally there is a Dragos community defense program. So Dragos is a big cybersecurity player and they offer no cost software, cybersecurity software for water and electric utilities that have less than $100 million in revenue. And that specifically focuses on the OT environment. Not, not IT. But beyond that I think that there's kind of a gap in funding across all water utilities and I mean kind of jumping ahead a little bit. But I think we're going to see more state-based initiatives and funding. New York is kind of leading the way. They announced 2.5 million in funding plus some proposed state level regulations. And so I kind of anticipate that amidst all of the uncertainty in funding that states are really going to have to step in and help their utilities.
[00:27:09] Speaker B: Yeah, it just makes me think that, and I hadn't thought about this tonight, but I mean that is potentially another reason or justification for consolidation of utilities. I'm thinking about the U.S. I don't, it's a good question. I don't know how many utilities there are, let's say in Poland, but yeah, across Europe as a whole the idea is the larger the utility, the greater resources ideally. But then the scale to manage these, maybe the threats, I don't necessarily, I don't know if they grow exponentially with scale, but it is something to think about, right, when you're dealing with such highly fragmented markets, then when more than 25,000 utilities in the US serve less than 3,300 people each. So how can they even manage this? And it's not just 3,300. There may be also industrial customers as well. So it's interesting. So, but what are, so what's the role of vendors. Right? I mean, so let me, before I finish that thought, one aspect, what you guys have told me thus far, there's some policies happening, like, and then there's some,
I don't know, maybe this is harsh, charitable support being provided by, like, Dragos and others, and that doesn't seem sustainable for one.
So does that put the pressure onto the vendors? And so what are the vendors doing, the OEMs and other equipment providers? Do you guys, either one of you, have thoughts on that?
[00:28:44] Speaker C: Yeah, absolutely. Happy to jump in there. I do think vendors are also, as much as we're talking about the utilities themselves, vendors also really have to step up. And so, firstly, almost all vendors, if they have any PLCs or HMIs, they are going to be in alignment with IEC6. 2.
And this is really the cyber security standard for industrial control systems. You'll see this probably almost on every single product.
But just to kind of highlight a few other examples, there's a lot of different partnerships that these vendors are pursuing with different cybersecurity companies. So, for example, there's Rockwell, who has partnered with Dragos to focus on their operational and operational visibility and incident detection.
And then if you look at Schneider, they have a SCADAPack that actually embeds threat sensors into their devices. And this is in partnership with Nozomi, which is another cybersecurity firm as well. And so they're, in addition to just kind of being on a standardized level of security, they're really taking the next step in looking at integrating cybersecurity into all aspects of what they're selling.
[00:30:09] Speaker B: And what about Maria? Are you seeing anything on the vendor side that jumps out at you?
[00:30:14] Speaker A: Yeah, I think I agree with what Lee says.
It's also there's an increased pressure on vendors.
One of the, well, actually two or three of the attacks that have taken place in Poland were exploiting vulnerabilities on the vendor side. So that just highlights the importance for vendors to also be up to date when it comes to cybersecurity standards.
For instance.
Well, I would like to give a shout out, let's say, to Lacroix. They've really made cybersecurity their priority.
They integrate cybersecurity in their RTU since 2018, I think it is. And the new data logger also includes cybersecurity.
And they've developed the LexConnect IoT platform where they're shifting more towards providing secure solutions.
And this is all in preparation for NIS2, which is the new cybersecurity regulation at the EU level that now countries are implementing because they know that there's going to be this push not just to replace RTUs and data loggers, because they already see in some countries that replacement is due for these items, but also because now utilities will have to upgrade many of these devices anyway because of the cybersecurity regulations. So they are already a step ahead, let's say, in that regard. In addition to that, I think that Siemens offers also plant and network security as well as system integrity when it comes to automation systems and control components, which are those systems that we have discussed earlier that are targeted by cyber attackers.
And then other vendors that typically didn't offer so many, let's say, monitoring services or ongoing support to utilities have also broadened their scope of services to include, for instance, ABB now includes cybersecurity services which focus on security maintenance, event monitoring and incident response when it comes to their sensors and their IoT devices.
[00:32:35] Speaker B: Well, you said, you mentioned, was it NIS2? So that's policy, right? So let me sort of focus on that for a second. Maria, how's regulation evolving? Is that a key piece of the puzzle? And I guess maybe. Are utilities getting the support they need? Part of us already said no. Financially at least. My take.
So how is policy changing or evolving?
[00:32:59] Speaker A: You're right. Without regulation, I don't think that there would be such a push for cybersecurity when it comes to water and wastewater utilities.
I do think that the perception is different for the energy sector, for instance, in comparison to the water and wastewater sector, which always surprises me.
But at the EU level, we have member states that are currently transposing NIS2, which is, broadly speaking, a cybersecurity piece of legislation that every member state needs to implement by the end of the year, hence the urgency and hence why some vendors like Lacroix have already jumped ahead and implemented this new directive into their own products because it lays, without going too much into detail, but it basically requires utilities and any technology vendors to also comply with certain, some minimum standards of security, especially when it comes to critical infrastructure.
So we do see a bit of a delay. I mean, I just said that end of the year is in theory the deadline for national transposition of this EU law. And only about 15 out of the 27 EU member states have done so so far.
And there are still missing quite a few countries that are, you know, quite important, like Spain, France and Germany are still in the drafting phase. Poland as well is in the drafting phase. For them it's about updating KSC2, which is an amendment to the already pre-existent law at the national level.
And this law will expand the regulated entities from 400 to over 10,000. This is not just water, but there is an explicit mention of including municipal water utilities and wastewater treatment plants which before wasn't as clear.
It also introduces stricter requirements when it comes to monitoring, reporting and setting some minimum standards and training practices and non-compliance may lead to fines of up to US$11.7 million or 2% of the utility's turnover.
So this basically highlights the importance of having systems that not only, or a framework that not only provides that guidance to utilities and vendors but also that implements some sort of mandatory requirements and let's say carrot and stick methods to make sure that the entities involved are respecting these minimum standards.
[00:36:04] Speaker B: And so that's a lot of detail, but it seems very top down in many respects. So Lee, it doesn't feel the same way in the U.S. Am I wrong in saying that?
[00:36:18] Speaker C: I think in the US we're a couple of steps behind certainly, compared to the EU. And so you know, I mentioned that Cybersecurity Incident Reporting Act from 2022. So utilities have to report cyber incidents to CISA within 72 hours and that provides some level of transparency and accountability for utilities to be honest with what's happening. But from, you know, from top down there really hasn't been much more. There was some attempt to have more regulations around cybersecurity but there was some state level resistance there. And I mean currently there are three proposals in Congress regarding cybersecurity for water utilities and these, it's not necessarily regulations, it's providing more funding and assistance and committees to monitor water cybersecurity.
And so yeah, the US is definitely, I think a couple of steps behind on that. And you know, just kind of going back to that point, I think that this, the funding and regulation gap remains and I really do think that those states are really going to be stepping in in the future to kind of tighten that up and as they're closer to the utilities on a state basis, state by state basis.
[00:37:40] Speaker B: Yeah, there's not a lot of money coming out of Washington, but there's also, I think you already mentioned two and a half million in New York State. I don't know. Maria, were you going to say something?
[00:37:50] Speaker A: Yeah, I don't know if we're like in Europe two steps ahead, I think that's very optimistic.
But because yeah, we do have a model to follow. It doesn't mean that it's being followed at the pace that it's needed or that it's receiving, as Reese pointed out, not the support that it needs because other than Poland, that is receiving arguably not enough, but more than, you know, more than others, support for cybersecurity upgrades elsewhere in Europe, we don't really see that happening. It's really more up to the utility or the vendor and just setting the requirements when it comes to the procurement processes and just having good internal processes.
[00:38:39] Speaker B: Yeah, and I know it just in the notes preparing for this conversation, I mean our last forecast last year, digital forecast for the US specifically, we were just projecting 376 million annually for cybersecurity for the water sector. Right. So while it's going to reach that by 2033, that's kind of, that's the scary part. Right. So we're not even at 376.
So that's like best case scenario in terms of what is projected to be. But we probably need, it sounds like, multiples of that. So what does, Maria, what does the next phase of, if you want to call it digital resilience look like?
What do we see?
[00:39:27] Speaker A: So I think there will be more monitoring on a continuous basis, not just ad hoc audits here and there to comply with some yearly annual goal of checking the lists. I think that it will be more of a continuous exercise.
I think as well that automation, when it comes to detecting anomalies outside operational anomalies, detecting more than that and analyzing and trying to identify what is an operational anomaly and what might be coming from a cyber attack, I think that will be more, I don't know if frequent, but at least more accessible to utilities. As the technology progresses and develops, there are more software providers offering solutions, cyber defense solutions to utilities.
There is actually an interesting case, we haven't discussed this before, but the Ministry of Defence in the UK is going to or has already tendered the management of their water and wastewater systems across the UK to a single utility. And that will of course come very much hand in hand with cybersecurity because we're talking about Ministry of Defence infrastructure and bases. And I think that will, at least in the UK, I think it will really bring to the attention of the utilities the importance on cybersecurity. And the utility that wins that contract will implement those learnings in their own infrastructure, in their own systems and assets and hopefully that will have a spillover effect.
As also then other countries like Poland have these utility led knowledge sharing platforms and that will hopefully encourage more collaboration among the good guys, let's say, to build cybersecurity and cyber defenses.
But at the same time, a lot of it from my point of view, has to do as well with the workforce. I mean, we say that we've said it many times today and in different conversations with different vendors and utilities. When it comes to cybersecurity is not only or not even so much the system security itself, but the people.
So I think as workforce shifts from one generation to a younger generation that is more technologically savvy and hopefully more cybersecurity aware, this will become easier to implement. As in, I don't think that there will be as many passwords left from the default passwords from vendors. I do think that people and also systems do remind constantly like we have to change our passwords every so often. So I think that will happen more and more periodically and that the younger generation will help improve cybersecurity from the human factor for utilities.
[00:42:52] Speaker B: You're more optimistic than I am. I mean, I have children who are 14 and 16 and seeing what they do online, I'm not sure they're definitely not concerned about security or cybersecurity for that matter.
But they are more technologically savvy, no doubt. And I agree with you. Just secondary verification and things like that.
They're kind of baked into systems, at least at this point. I think your other point about the UK, I thought that was interesting. The Department of Defense sort of outsourcing those systems to a utility or private operator.
That happens in the US as well, but at a much smaller scale. Right. So I don't have the number in front of me.
[00:43:34] Speaker A: Well, the UK is also a smaller country than the US. No, no.
[00:43:37] Speaker B: And we've got military bases everywhere. But it is, I mean, but there are a couple companies, American Water, American States, Cal Water, these are all investor-owned utilities. They do have long term, I'd say 50 year contracts to manage military bases around the country. I don't think around the world specifically.
But that being said, I don't know if they are being held to different standards or having to do more because there are military bases than they would otherwise and say Aliquippa or somewhere like that that have had attack.
[00:44:12] Speaker A: I'm sure they do, yeah.
[00:44:14] Speaker B: And the US has military bases all over the world. So who's managing those? That's actually a good question, maybe a good research question for the rest of the team. So. Well, Lee, if you had to say how quickly practices will change, what do you think?
[00:44:30] Speaker C: Yeah, I mean, I think cybersecurity is similar to the water sector as a whole, where adoption rates and innovation can just take a little bit more time to adopt for a variety of reasons, you know, some being uncertainty or lack of knowledge of the technology and some of it being more so on the funding side and the availability of resources.
So I think I am optimistically saying that I think there is a heightened sense of security and urgent, excuse me, higher sense of urgency, just given the whole macro global situation and the trends that we have been seeing. So I think adoption will still be slow, but I hope that it does ramp up in reaction to everything that is going on.
I think the water space, typically you talk about being reactive or proactive. I think we're kind of in this reactive moment where utilities are just kind of doing what they can in response to what they've experienced. And so hopefully we'll move into higher rates of adoption and utilities being more proactive about cybersecurity.
[00:45:45] Speaker B: Maria, what do you think?
[00:45:47] Speaker A: Well, you've tagged me already as the optimistic here, so I'm going to end on an optimistic note there, I think. I mean, I do agree things are moving more slowly than we hoped for and that it will take time and there will be many, many incidents still to come before, you know, something happens.
But with new technologies for cybersecurity and other like operational assets, I do think that there's also this hope that training and learning is changing as well and there are more ways to engage in a more meaningful manner.
Staff or like onboarding trainings can be more interactive. And when it comes to cyber security, like about a year ago I had the opportunity to test some, like, smart goggles, like something that definitely.
[00:46:53] Speaker B: Something that.
[00:46:54] Speaker A: Really I found tricky because I haven't really played a lot of video games ever. But I really liked it. It was very simple to follow. It was an immersive experience where you would be placed in the position of an operator in a control room in any treatment plant.
And you had to make sure that you followed, you had good cyber hygiene and you followed all the security rules that any person with access to the control room should follow. That's from not leaving passwords written down and posted somewhere to not leaving your keys or always having your badge with you, stuff like that. And it's definitely different when you read a PDF about that and you're just skimming through it quite bored because you want to get to your job, or when you're just watching a slideshow from your manager telling you, oh, these are the security protocols that's something that really puts you in situation and if we change also how we approach these new processes I think it will make it easier as well to implement them and make them really part of our day to day.
And that goes for the water sector and utilities as well as ourselves or any other player that is linked with critical infrastructure.
[00:48:19] Speaker B: Yeah, I agree with you and I think the, I think just no one likes the friction of the change right. When you've got to go through different steps to get through the door.
I mean we deal with that internally, right. It's like oh sorry, our passwords need to be changed every however period we're going to shorten that window and it's like oh no, I'm going to have to you know, punch in the code to get back into my email or my, into the server. It happens, right. I think it's human and, but there's a price to be paid if you don't do it potentially so. And I think you guys have laid some of that out whether it be in the US or Poland or elsewhere.
So. All right guys, well one last question for both of you.
I'll start with you Maria. What's what are you working on next or now and what can listeners expect to see research wise from you and maybe our next conversation?
[00:49:18] Speaker A: Sure.
So I am working, I'm finishing the energy report so I'm working on energy optimization in water and wastewater systems focusing on the movement of water.
So we have identified what are the key energy, let's say hungry processes in the water system and how can we, how can a utility diminish their energy costs as they are a big part of OPEX, are one of the top three operational expenditures when it comes to managing the water cycle.
I think that's going to be a very interesting report. I've definitely learned a lot throughout the process and Lee has also helped me out there with some case studies and identifying some companies so and also sanity checking some of the, of the content that we've discussed. So it's been also very good to work as a team on that and I'm really looking forward to putting that out there. I think that's a, that's going to be a very good report.
[00:50:28] Speaker B: Yeah, I think it's super interesting. I think the, we've been talking about this for a while particularly given, I mean what I don't think at least from the US perspective also is what just even energy costs are in Europe versus the U.S. I know I was reading a Washington Post article this morning where people in the US are complaining about their electricity prices and what, why, when and how. Whether it's data centers, whether it's renewables, whether it's the grid, all of the above.
But then when you go to Europe and you just look at baseline gas prices, it's double or triple what we pay in the US.
So I think it's super interesting. And then, you know, they're already high and then exacerbated by the Russia-Ukraine conflict. So. Interesting. I like that. Look forward to that. Lee, what about you?
[00:51:22] Speaker C: Yeah, so I am working on the Australia digital water forecast, and so that's something that we're doing for the first time, like, really looking at the drivers and trends that are going on in Australia. And it's definitely such an interesting country and continent, quite frankly, to look at. It's absolutely massive. So you have these huge utilities in urban areas and then, you know, these regional utilities that face two totally different sets of challenges.
And then, you know, it's an incredibly dry continent and they suffer a lot of droughts, and so they're really, they're really thinking about water scarcity and security. And so it's been really great to kind of look at that from a digital lens. And so. So I'm also very excited to put that out into the world and for everyone to take a look at.
[00:52:14] Speaker B: Yeah, we've done deep dives all over the world, particularly in digital, and a couple places do stand out, the US because of scale, interest, et cetera.
The UK has always been one.
It's been partly because of the way they're set up for the AMP cycle and looking for efficiencies. And then Europe, Southern Europe, Spain, Maine, Maria, where you are. But then Australia is sort of unique in some respects, so I look forward to that. So.
All right, guys. Well, thanks, man, for jumping on. And I know we. We squeeze this in between everybody's travel, so we don't usually record them this early in the week. So thanks for making it happen and look forward to those reports. So we will catch up again soon.
[00:53:06] Speaker C: Thanks, Rhys.
[00:53:07] Speaker A: Thank you.
[00:53:10] Speaker B: All right, so I want to thank Maria and Lee for jumping on this. It's a kind of a complicated topic. I mean, you can even tell by number of the different acronyms that they use. And I think also one of the challenges is that when it comes to cybersecurity, it comes from all different directions and different types of hacks or threats.
And I think, as I think through what we just talked about, one of the challenges, and there are a couple of these I mentioned along the way, and that is there's just one, not enough funding. Where's the money going to come from? Is it going to be left up to the feds? Probably not the states. Do they have the funds or the wherewithal to help these individual utilities or is that up to utilities? Well, if that's the case in the US and in Europe as well, there needs to be more consolidation, regionalization or roll up of all these systems. You've heard me say this number of times before in the US for drinking water systems alone, they're 49,000 plus.
So we're doing a lot of work on the side on this. And that number should and could come down for a number of different reasons.
I think there's also risk aversion. I think when you just talk to Lee and Maria about this, I mean, as I said, it gets really complicated. And so if you're a small utility in remote or rural Texas or pick your state, it's tough when you only have several employees and you're responsible for everything, including cybersecurity, which is beyond their individuals pay grade. And then I think the other thing is it's just priorities, right? I think as I started in the opening of this podcast, we were talking a little bit about Corpus Christi. But that is, you know, if there are more dollars at risk, we would do something about it. So look at the financial sector, financial services, they're all over it. They're spending millions of billions of dollars on cybersecurity.
The energy sector, same thing. If you're in the Middle East, you're getting hit with hacks all the time. So wherever there's dollars at stake or at risk, should I say, then it's going to happen. Well, no one looks at water that way and no one realizes that when there is no water, the economy shuts down. So pick your locale and realize that that's the real risk. No one's just putting a dollar attached to the water.
And then lastly, I would say just general friction. We need to get over the friction when it comes to basic passwords or changing our own practices. And I'm not saying, I think everybody goes through that personally and professionally. So that's just life and that's the way it goes. So those are just some general thoughts. So that being said, thanks to those guys again. But before we sign off, I want to recognize the team that makes these conversations possible. Mike Gaylor, Ryan Sullivan, Billy Talbot, Steph Aldock. Without them, this podcast wouldn't make it past my own desk. As I've said before, you'd just be listening. I'd just be listening to myself.
If you're in Boston, Barcelona, New York, Chicago, San Francisco, or Paris. All good spots as far as I'm concerned. But guess what?
That's where Bluefield Research is. We have people in all of those places and they'd be more than happy to talk to you in person if you're there.
If you have any ideas, topics you'd like us to tackle, send us a Note@werder expertsluefieldresearch.com Lots of mouthfuls here.
This podcast is for you and your input helps shape it. If you've enjoyed today's episode, the best way to support us is simple. Share with a friend, a colleague, or someone who cares about the water sector.
And also, you can give us five stars in the rankings. Just scroll down and just press the button.
This podcast and these water industry insights have been brought to you by the one and only Bluefield Research. To learn more about us, visit [email protected]. Until we talk again, be well, be safe, and take care.