Fighting to keep our water safe


Through its comprehensive approach to cybersecurity, Brazos River Authority assesses vulnerabilities, develops robust security protocols, and offers employee training to foster a cybersecurity-conscious work environment.

Leading that charge is Luke Collins, the BRA's chief technical officer.

"When you have the faith in the institution you work for, you can have the confidence to be vigilant, not to be overconfident, but to have the skills and the knowledge to be looking out for suspicious activity," Collins said. "We don't want people to walk around paranoid that something's going to happen. That's not what we're looking for."

Cybersecurity is the practice of people, policies, processes, and technologies to protect organizations, their critical systems, and sensitive information from digital attacks. In a nutshell, cybersecurity is the practice of protecting everything digital from the outside.

The BRA has very sophisticated cybersecurity technological tools, Collins said. There are at least 10 different cybersecurity tools installed throughout the networks and systems, along with artificial intelligence and machine-learning systems that automatically prevent and alert us to any kind of suspicious activity, he said.

Traditionally, the water sector was not a target for cybercriminals, and instead flew under the radar, Collins said. Then, about six years ago, that started to change. Suddenly, the water sector became a target.

Cybercriminals used to be a few people in a basement trying to hack into someone's system, Collins said. Now, there are sophisticated companies on the dark web that one could hire to perform an attack, he said.


As cyberattacks become more sophisticated, the BRA's team must stay ahead of the game.

"Because not only do we have to think about chlorine levels and water, but we also have reservoirs that have dams where we release water and we have to think about all of those operational risks that can come to take our systems down, that can affect our communication, that can affect how those dams and facilities operate," he said.

"Faith in institutions is important because you want to trust that when I go to a store and I buy the milk, the milk is not going to poison me, right? We want to have trust in the institution that we are doing our job. We're required to notify the public of any type of cybersecurity attack in the event data has been compromised. And so, when we relay that information to the public, that degrades our reputation and our trust. And we value that very much because we have a great institution here, a great group of people that protect our water."

The number one cause of a successful cyberattack is phishing and social engineering, Collins said. Social engineering is the practice of pretending to be somebody to get information from somebody that can then be used to exploit the system.

"Social engineering could be anything like phishing emails," he said. "It can be things where people pick up a phone or they call you, and they pretend to be something else. Social engineering is just a brand-new word that we use in cybersecurity for being con artists. That is kind of who figured out social engineering from the beginning, and they kind of took that concept and they applied it to a modernized it and adapted to our changing technological world."

The way it works is the attacker will go after someone within or associated with a company, review emails, find a way to insert themselves into a legitimate conversation and attach either a malicious URL or attachment that once clicked or downloaded, attaches a virus to the system, he said.

Click to view larger image

Once successful, ransomware enters the picture.

"What ransomware does is it takes your files, your data, your information, and it holds it hostage, and then it charges you a ransom to let that be released," Collins said. "What we're seeing is kind of unprecedented over the last decade as far as the success rates and the amount of business dollars that are being affected in these ransomware attacks."

Even after a ransom is paid, often the company will only recover 64% of their data, he said.

In fact, in 2021, 11% of businesses that had a ransomware paid $1 million, and that's a number that is significantly growing.

So why do people do it?

Sometimes it's for financial gain, while other times it's a matter of trying to steal a company's secrets, and there's even "hactivism," which can be for various reasons, Collins said. There also is a growing threat in the cyber security landscape of employees selling confidential information to others outside the company.

"That's something that you always must be on the lookout for because it's kind of like the movie 'Scream,' at the very beginning, 'I'm calling from inside your house.' It's very, very scary. Right? And so that's something that you least expect from people that you feel like are part of your team."


How do you prevent cybersecurity attacks?

Education and training are key.

"Those are things that we want to educate our members so that we can be very vigilant in stopping these things because it starts with us," Collins said. "Everyone in this room, everyone at this organization, is the gatekeeper from cybercriminals. We hold the keys to letting people in. And so, we have to be educated and trained on how to detect abnormal activity."

Another successful measure is buy-in from company leadership. Collins said he's worked places before that would not dedicate resources, personnel and funding to prevention. That's often the reason why cyberattacks are successful, he said.

"That is not the case here," he said. "We have incredible executive buy-in, buy-in from the top down. Our board members, our CEO, and our executive management team all have a sense of urgency when it comes to protecting our systems. We know how much of a risk it is, and it's only growing. So, we have dedicated financial resources, human resources, technical knowledge and experience to hit this head-on because we know we must get ahead of the game. The second we fall back, the second we're doing less than other people out there, that's when they're going to put their sights on us."

The BRA provides its employees regular exercises, policies, procedures and training.

"Water is life, and so we have to protect our resources," Collins said. "I am blown away at the expertise and the vigilance and the dedication that we have here at the Brazos River Authority. I've never met such amazing people that are dedicated to providing the best possible product."