As an essential resource to life, the security of water has often been discussed. But, what about the cybersecurity of water? As we analyze topics such as how to ensure global access to clean water, it is also becoming increasingly apparent that we must pay attention to the protective measures we take to support the systems that control this access.
That’s why in October a coalition of federal agencies, including the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA) and the National Security Agency (NSA), gathered to issue a joint advisory regarding water and wastewater treatment facilities. Much like other critical infrastructure sectors, these facilities have landed a role as key cyberattack targets with malicious actors looking to take advantage of IT and OT systems. This became evident earlier in the year when a hacker attempted to breach the water supply servicing the town of Oldsmar, Fla, but was even further emphasized in the advisory’s detailing of previously unreported incidents impacting water plants in Maine, Nevada and California. As the advisory stated, “This activity — which includes attempts to compromise system integrity via unauthorized access — threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities.”
Water treatment plants used to protect their networks by physically separating them from the rest of the internet. This worked until upgraded systems required access to other systems such as databases, servers, and even the cloud. Now equipment that was put in place long before the proliferation of cyber threats and not designed for today’s reality are vulnerable to attack. Hackers scan the internet for these legacy devices which are easy to gain access to and change. This is how the Oldsmar attack occurred. Net-Optix created a zero-trust network environment controlling access to even the oldest of control equipment prevent the possibility of an attack similar to what happened at Oldsmar.
Of particular concern in this realm has been the growth in ransomware threats. The Maine, Nevada and California cases all involved ransomware activity reflecting a big picture cybersecurity problem. According to a stat from security startup Deep Instinct, ransomware attacks went up by 435% last year. In order to prevent critical infrastructure operators like water facilities from falling victim to this danger, the federal agencies stressed the importance of remaining vigilant for suspicious emails and, like we examined in our agriculture post, highlighted the vulnerabilities associated with a reliance on outdated systems that are often used by organizations running such plants.
- “Agencies warn of cyber threats to water, wastewater systems” – Maggie Miller, The Hill
- “Ransomware gangs targeted 3 different US water treatment plants this year in previously unreported attacks, according to federal agencies” – Aaron Holmes, Insider