It is already a daily reality that companies operating IT and industrial systems face sophisticated attackers in the uphill battle of cybersecurity. These incidents have great potential to diminish credibility, cause enormous damage and destroy the reputation of companies built up over years. Those who realise the risks early and invest in countermeasures have the advantage.
Companies regulated in the cybersecurity field by law are also a step ahead of hackers. Among them is Liptovská vodárenská společnost, a.s., which, under the tact of an external cybersecurity manager, has achieved an above-average level in the sector.
Welcome to the online world
We already know that the business sector is an attractive target for attackers, all the more so in the area of basic services such as drinking water and energy supply. The Liptovská vodárenská společnost is also aware that it cannot do without cybersecurity management nowadays. Moreover, in 2020, the whole world will be affected by the COVID-19 pandemic, when information and communication technologies have become an even greater part of everyday life. “Electronic communication has been used more, business meetings have moved from the real world to the online world. The need for electronic communication brought an increased risk of security incidents. That is why Liptovská vodárenská společnost, a.s., places great emphasis not only on raising the level of its information systems, but also on ensuring cyber security,” explains Juraj Ivan, head of the company’s information technology department. Liptovská vodárenská společnost has never been one of the companies that are unaware of cyber threats. That is why they accepted inclusion through the National Security Authority under Act 69/2018 Coll. on Cyber Security as a natural part of their development. “Globally, we have registered cyber attacks on water companies that posed a direct threat to the security of production and supply of drinking water. As in other industries, we are increasingly using intelligent controls that can be the target of cyber-attacks. A successfully executed attack can result in a change in water quality or can cause an interruption in the supply of drinking water,” says Matej Géci, CEO of Liptovská vodárenská společnost, a.s.
External experts
The company worked with external experts at every stage of the implementation of the cybersecurity management system. The reason is that in order to implement this system effectively, it is essential to have expertise and, in particular, experience with its implementation. Only experts with education and experience in information security management according to ISO 27000 can successfully implement the system. As such experts are scarce and relatively expensive in Slovakia, it is up to each company to decide whether to employ such an expert permanently or to cooperate with them in other ways.
“Cybersecurity has brought us, figuratively speaking, a restful sleep in terms of the operation of information infrastructure and the technology of drinking water production itself. Our customers, in turn, have the assurance that the water from the public taps will be safe for their health.”
Matej Géci, General Director, Liptovská vodárenská společnost a.s.
“Our company relied on external cooperation because it does not have a qualified employee with sufficient experience for the position of cybersecurity manager. We proceeded to a tender for the provision of the services of a manager who, depending on the legislative requirements, directs the activities of the company’s employee designated for information security, ensures compliance for our company with the relevant laws on cybersecurity, provides advice and consultation on the law and relevant decrees,” justifies the decision of CEO Matej Géci.
About the company
Liptovská vodárenská společnost, a. s., Liptovský Mikuláš, was established on 7 September 2006 as a successor organisation of the disappearing Severoslovenská společnost vodárenská společnost, a. s., Žilina, when it was divided on the basis of the regional principle. The priority of the Liptovská vodárenská společnost is to provide the inhabitants of the Liptov region with reliable services related to the supply of quality drinking water and wastewater disposal and treatment to its customers at the level required by Slovak and European legislation.
Big changes
Between April and June 2020, significant changes were implemented in the company’s cybersecurity, when complete security documentation including policies and directives were created, a contract for the services of an external security manager was concluded and an internal cybersecurity team was created. From the beginning, this team worked in regular operational meetings with well-defined roles and responsibilities for each task. At the outset, a thorough understanding of the company’s processes was required. In practice, this meant hours of studying relevant guidelines as well as hours of conversations about the procedures in place.
Unique know-how
The company behind the significant changes is GAMO, which as part of its services to the customer also carried out an infrastructure analysis using a solution from the Israeli company Claroty. “We have very good experience with it and also unique know-how in deploying it in a hybrid IT/OT environment. Such a technical analysis is usually the argument that breaks the clients’ perspective, so to speak, on the need for a cybersecurity solution. If, until the technical analysis, clients thought the environment was not in an ideal state, after such an analysis we usually talk about disaster. In the world of cybersecurity, sometimes unexpected things happen, and it just so happens that we did not see a disaster at Liptovská vodárenská společnost. We saw that we still have reserves, but we did not find any fatal failures,” analyses the cybersecurity manager Ľubomír Kopáček. The Liptovská vodárenská společnost still has a number of tasks ahead of it and several major technical changes. After their implementation, it will become a model company in its segment and will pass the external cybersecurity audit that awaits it this year without any reservations.
“It can be stated that the level of cybersecurity in the company is already at an above-average level compared to the usual standards in the sector. However, I must stress that none of what we have mentioned could have been implemented if the company as such had not been set from the beginning to move forward in this area with sincere interest,” adds cybersecurity expert Ľubomír Kopáček.
