While we have touched on the subject of water cybersecurity before, current circumstances continue to remind us that the protection of such critical infrastructure systems is absolutely necessary. Although there have not been any direct threats made on this sector in relation to the unfolding situation between Russia and Ukraine, the cybersecurity risks that lie within it demonstrate that geopolitical conflicts can influence the types of potential cyberattacks that lurk. And with its history of activity, we know that the possibility of Russia looking to take advantage of a weakened security system does exist. Unfortunately, as we have pointed out, the water and wastewater industry is one that still embodies some of those vulnerabilities, and if taken advantage of by an opponent like Russia, could have quite damaging consequences. Needless to say, now more than ever seems like the time to ramp up infrastructure security with water being a major element within that network. As Michael Arceneaux wrote for Security Magazine, “…when water supply and wastewater treatment are interrupted, not only does it cause inconvenience, it can impact public health and the environment, undermine the economy, and put our national security at risk.” Therefore, we are using this post to re-examine the state of water and wastewater cybersecurity.
Attacks on Water and Wastewater Facilities
One of the more recent events that collectively opened our eyes to the cybersecurity problem facing the water and wastewater sector was the incident in Oldsmar, Florida. In summary, a hacker “attempted to change the sodium hydroxide in the water supply from about 100 parts per million to more than 11,100 parts per million,” according to StateTech. Fortunately, a remote supervisor happened to notice the change occurring and was able to prevent it from going through. However, that case was certainly not the only one. The Cybersecurity and Infrastructure Security Agency (CISA) previously listed five other instances of cyber threats hitting these types of facilities between 2019 and 2021, including ones in California, Kansas, Maine, Nevada and New Jersey. As WWD Magazine reported, there was also a ransomware attack that was carried out on a water treatment plant in Maryland. Even though, once again, the water was saved from being tampered with, the breach did open access to the operation’s internal data.
Additional Threats to Water and Wastewater Facilities
Actual attacks are not the only issues to weigh on water and wastewater operatives. The shifts in technology and work settings have played a role in exposing the sector as well. The article from Security Magazine that was quoted earlier pointed out that the onslaught of work-from-home brought about by the pandemic has added to the threat landscape due to the reliance on personal devices that came with it. On top of that, the use of newer tech to enhance tasks like meter reading has also created other opportunities for bad actors to take advantage of. On the other hand, a lack of updating is simultaneously plaguing facilities. When the Albuquerque Bernalillo County Water Utility Authority decided to evaluate its conditions, Kristen Sanders, CISO for the water district, told StateTech that the network’s equipment was on “life support.”
Additionally, the water and wastewater industry faces gaps in understanding and cybersecurity prioritization. Not only can the intricacies of the systems and their impacts be difficult to comprehend, but when those networks are affected, awareness is still limited. WWD Magazine highlighted a survey that found 45% of its respondents had never even heard of the Oldsmar attack. The low level of awareness between cybersecurity and this infrastructure sector even includes those working in it. A report by the Water Sector Coordinating Council concluded that 40% of utility managers do not include cybersecurity when reviewing risk management.
Creating Solutions to Strengthen Water and Wastewater Cybersecurity
Presenting another challenge to emphasizing cybersecurity in the water and wastewater sector is the fact that it is so fragmented. WWD Magazine estimated that there are more than 50,000 water facilities in the U.S., all with different approaches to operations. Those approaches can be influenced by factors such as location, mainly whether serving a large city or small rural area, and amount of cybersecurity professionals that are actually included in the staff. But what they all have in common is that there is no overarching guide for them to follow, which would help to create some unity. This is one of the concerns that Kristen Sanders brought up when speaking to the process that Albuquerque Bernalillo County Water Utility Authority went through to enhance its cybersecurity measures. Alongside having to address aspects like visibility into network activity, Sanders realized that having a set of requirements to follow would have also been beneficial. She pointed to examples such as North American Electric Reliability Corporation Critical Infrastructure Protection developed for the energy industry and the American Public Power Association’s Public Power Cybersecurity Roadmap.
While water management doesn’t necessarily have such a guide yet, there has been some progress forward on that front. In January the Biden administration announced that the Industrial Control Systems (ICS) Cybersecurity Initiative would be expanded to include the water sector, which followed an advisory that was put out by the CISA, EPA, Federal Bureau of Investigation and National Security Agency warning of persisting threats to the security of the country’s water and wastewater systems. The addition, which is referred to as the Water Sector Action Plan, dictates that the government build a coalition with owners and operators in order to implement an organized slate of tools and actions meant to strengthen cybersecurity. The White House’s fact sheet explained that “The plan will also allow for rapidly sharing relevant cybersecurity information with the government and other stakeholders, which will improve the sector’s ability to detect malicious activity,” as reported by Compliance Week.
Of course, ensuring that facilities are equipped with the proper tools is also important. Those tools can range from response plans to multi-factor authentication for all remote access. We also recommend looking through Veracity’s services such as zero-trust network management.
- “Combatting security threats to our nation’s critical water infrastructure” – Michael Arceneaux, Security Magazine
- “Biden plan to expand cybersecurity collaboration with water sector” – Jaclyn Jaeger, Compliance Week
- “3 REASONS WATER TREATMENT FACILITIES NEED CYBERSECURITY & 3 STRATEGIES TO USE” – Emily Newton, WWD Magazine
- “Municipal Utilities Bolster Their Cyber Defenses” – David Raths, StateTech