As the demand for security, transparency, and accountability rises, water and wastewater sector organizations are noticing the need to turn to managed service providers (MSPs) for their IT infrastructure management and data security needs. While less resourced utilities often consider utilizing MSPs, there are several nuances to consider that each organization may wish to consider regardless of scope or size. That said, WaterISAC is sharing information regarding MSP, the different types, and what to consider when choosing one.

For a general outline, MSPs can be categorized into four types, each addressing distinct challenges:

1. MSPs: Generalists handling comprehensive IT functions including infrastructure, application support, and network management. Handles a basic level of security, not as comprehensive as an MSSP.
2. Managed Security Service Providers (MSSPs): Specialists focused on outsourced security device monitoring and management, providing comprehensive security services like 24/7 network monitoring.
3. Co-Managed IT Service Providers (Co-MITs): These integrate internal IT teams with external MSPs, allowing organizations to leverage both internal expertise and external support for enhanced service delivery. This type of MSP could be a worthwhile consideration for utilities of varying sizes, it all depends on how much in-house support is desired or practical.
4. Managed Detection & Response (MDR): Proactively identifies and alerts organizations to current and incoming threats using advanced monitoring techniques.

When selecting an MSP, utilities should evaluate service quality, security practices, scalability, cost-effectiveness, regulatory compliance, and cultural fit to ensure a successful partnership that supports both immediate needs and long-term operational goals. Whether a utility decides to utilize one of the MSP types described above, or to solely control it in-house, it’s important they at least do something about how their data and operations are secured. For more information about MSPs, visit Tripwire.

Analyst comment (Jennifer Lyn Walker): It’s important for (smaller) utilities that outsource technology services and support to “MSPs” understand whether “cybersecurity” is part of the contract and to what degree, if any. Please do not assume that just because the MSP is patching your devices and updating “antivirus” that they are providing proactive cybersecurity services such as what an MSSP and MDR provide. A general good rule of thumb is if “cybersecurity services” are not written in the contract or statement/scope of work, then the service provider will not be watching your back for threats and vulnerabilities. It is quite possible that utilities may need to contract with an MSP for technology support and MSSP or MDR for cybersecurity services. The same is true for OT/SCADA integrators – unless “cybersecurity” is written into the support contract, it’s not likely cyber threats, incidents, and vulnerabilities impacting OT will be actively addressed, monitored, or detected – until it’s too late.