In developed countries, we give little daily thought to where our drinking water comes from or what happens to water after we flush it down the toilet. Nor do we fully appreciate how other modern necessities — from electricity to food supply to refined gasoline — depend on a reliable supply of water delivered by our local utility. But when water supply and wastewater treatment are interrupted, not only does it cause inconvenience, it can impact public health and the environment, undermine the economy, and put our national security at risk.

For decades, utilities have implemented best practices to contend with forces of nature that imperil water systems — from droughts to floods to hurricanes. But as they digitally transform by integrating information technology (IT) and operational technology (OT) into their management and operations, cybersecurity risks take on greater importance.

Increased automation and the adoption of new technologies to assist with meter reading, leak detection and other operational goals open up a host of new attack surfaces for malicious actors to prey upon. And the COVID-19 pandemic added further risks to the equation as more employees began working remotely and using personal devices for official business.

Attacks on Water and Wastewater Utilities Are on the Rise

Recent industrial control system (ICS) events have reinforced these concerns. Control systems, which are part of a utility’s OT environment, manage chemical feeds, pumps and other aspects of water treatment and movement. In February 2021, Oldsmar, Fla., made national headlines when a hacker used a city TeamViewer account to access the water treatment plant’s control system and change the caustic soda (sodium hydroxide) setpoint. Around the same time, another hacker used TeamViewer to access the control system and delete files at a large California water facility. And in 2019, a former Post Rock Rural Water District employee who had retained login credentials after leaving the utility allegedly shut down the treatment process.

In all three cases, the utilities prevented public health impacts through a combination of awareness and technology. But will the next victim of an attack be so prepared — or so fortunate? Such incidents can lead to deaths and illnesses, not to mention reputational damage, lawsuits, employee downtime and the cost of recovery.

The cybersecurity firm Dragos reports hundreds of ICS incidents over the last decade across multiple sectors. While ICS incidents in the water and wastewater sector are relatively rare — or at least rarely reported — ransomware events and other compromises that affect IT occur more frequently. These types of attacks are common, highly disruptive, and can be expensive to recover from. They also offer hackers the opportunity to move laterally from the enterprise network to the operational network.

To the victim, it matters little whether the attacker is a lone coder in a parents’ basement, a disgruntled former employee, or a nation-state using cyberattacks as an act of war. But from the standpoint of implementing security measures to prevent future attacks, recognizing that bad actors are more sophisticated than ever is key to ensuring effective and secure operations.

Protecting Water Systems Means Investing in Cybersecurity Infrastructure

The recent ICS incidents in the water and wastewater sector likely could have been prevented by limiting remote access to sensitive systems, not sharing passwords, and promptly revoking access for former employees. Similarly, other recent ransomware incidents could have been avoided if employees had recognized malicious emails or had been more suspicious of website links.
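The access-hygiene points above (no shared passwords, no lingering accounts for former employees) are easy to state and easy to let slip. What follows is an added example, not code from the article or from WaterISAC, of the kind of periodic reconciliation a utility can run: it takes a remote-access account export and an HR roster (both constructed inline here, with hypothetical column names; real TeamViewer or VPN exports differ) and flags accounts that are shared, belong to someone who has left, have gone unused, or lack multi-factor authentication.

```python
"""Stale remote-access account audit.

Added example (not from the original article). Reconciles a remote-access
account export against an HR roster so that accounts left behind by former
employees, shared accounts, idle accounts and accounts without MFA are
flagged for removal or remediation. Both inputs are constructed here; the
column names are assumptions, not a real TeamViewer or VPN export format.
"""
import csv
import io
from datetime import date

# Constructed remote-access export (hypothetical columns).
ACCESS_EXPORT = """\
account,owner_id,last_login,mfa_enabled
jsmith,E1001,2021-09-28,true
ops_shared,,2021-10-01,false
rwilson,E1007,2021-03-12,true
mchen,E1012,2021-09-30,false
contractor1,C2001,2020-11-15,false
"""

# Constructed HR roster (hypothetical). status is "active" or "terminated".
HR_ROSTER = """\
employee_id,name,status,separation_date
E1001,Jane Smith,active,
E1007,Rob Wilson,terminated,2021-04-30
E1012,Mei Chen,active,
"""


def load_csv(text):
    """Parse CSV text into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_accounts(access_csv, roster_csv, today_iso, max_idle_days=90):
    """Return (account, finding) pairs; an empty list means nothing to fix.

    today_iso is the audit date as an ISO string so the caller controls it
    (and so the result is reproducible in a test).
    """
    today = date.fromisoformat(today_iso)
    roster = {row["employee_id"]: row for row in load_csv(roster_csv)}
    findings = []
    for acct in load_csv(access_csv):
        name = acct["account"]
        owner = acct["owner_id"].strip()

        # Ownership: every remote-access account must map to one current person.
        if not owner:
            findings.append((name, "shared account with no individual owner"))
        elif owner not in roster:
            findings.append((name, f"owner {owner} not in HR roster"))
        elif roster[owner]["status"] != "active":
            sep = roster[owner]["separation_date"]
            findings.append((name, f"owner {owner} separated on {sep}"))

        # Usage: an account nobody has used for a long time is a liability.
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > max_idle_days:
            findings.append((name, f"idle for {idle} days"))

        # Strength: remote access into an OT-adjacent environment needs MFA.
        if acct["mfa_enabled"].strip().lower() != "true":
            findings.append((name, "MFA not enabled"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(ACCESS_EXPORT, HR_ROSTER, "2021-10-05"):
        print(f"{account}: {finding}")
```

Run on the constructed data, the only account that passes cleanly is the active, recently used, MFA-protected one; the departed employee’s account shows up twice (separated owner and long idle), which is exactly the combination that enabled the Post Rock incident described above. In practice the export and roster would come from the remote-access tool and the HR system, and the check would run on a schedule rather than by hand.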

Besides implementing best practices published by sector organizations and federal agencies, water utilities must invest in cybersecurity and build a culture of cybersecurity awareness. This requires updated equipment, modern business applications, the hiring of cybersecurity professionals, and regular staff training on best practices.

Many utilities, however, are behind the curve when it comes to making these necessary investments. According to a June survey report by the Water Sector Coordinating Council, 40% of utility managers do not address cybersecurity in their risk management plans. Similar numbers of respondents have not conducted IT or OT asset inventories, which are foundational to improving cybersecurity.

In 2018, recognizing the importance of assessing risk and developing risk-informed response plans, Congress enacted America’s Water Infrastructure Act, requiring risk and resilience assessments and emergency plans every five years. The act applies to nearly 10,000 drinking water systems and is intended to help those organizations better understand, manage and reduce security gaps. However, the sector still lacks adequate technical assistance programs as well as grants and loans for cybersecurity improvements.

The sector and its government partners clearly have more work to do, particularly in helping small and medium-sized utilities that lack some of the resources larger systems enjoy. A number of tools from the sector and federal agencies already exist (see SIDEBAR), but the challenge will be to reach the thousands of utilities that need special assistance and may not be plugged into networks or industry associations, or that do not have access to funding or cybersecurity professionals.

A System for Sharing Threat and Incident Information Is Critical

If your car has never been stolen, you might think car theft is not a risk and therefore leave your doors unlocked. But if your neighbors are reporting break-ins, then you are likely to take steps to ensure the same thing won’t happen to you.

The same lesson applies to adopting measures that prevent utility cyberattacks. WaterISAC, for example, disseminates threat advisories informed by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the EPA and fusion centers, as well as private sector sources such as cybersecurity firms. More importantly, the center solicits incident reports from water and wastewater utilities and, with the originator’s permission, anonymizes the reports and shares them with member utilities.

This model, fundamental to information sharing and analysis centers (ISACs) across multiple sectors, increases awareness of sector threats. At its heart is the willingness of victims to share their experiences. Water utilities that report incidents are good Samaritans providing a service to the community, but reporting incidents also benefits the victims, who can request recovery support and guidance.

The city of Oldsmar set an example by reporting its attack at a news conference hosted by the local sheriff. Other utilities may prefer to report incidents confidentially. Last year, WaterISAC reported a ransomware attack at a large public water utility that approached the center to share their experience. The center’s analysts gathered information from the attack and shared it with the community without divulging the victim’s identity. The victim received recovery assistance, and the sector at large was put on alert to take action to better protect their networks.

Think Like Your Adversaries

Consequence-driven Cyber-informed Engineering (CCE) is a new, four-phase methodology for preventing sabotage. Not a replacement for the best practices already mentioned, CCE begins with the assumption that if a critical infrastructure — a water system or power plant, for instance — is targeted by highly skilled adversaries, the attackers will eventually get in; the question the methodology asks is which consequences they could then cause, and how to engineer those consequences out.

Created by Idaho National Laboratory (INL), the methodology first identifies the failures that would be most damaging to the organization’s mission (consequence prioritization), then maps the systems, dependencies and access paths that could produce them (system-of-systems analysis). The third phase works out, from the adversary’s perspective, how such an attack would actually be carried out (consequence-based targeting). The final phase selects engineering and operational changes that remove or blunt those attack paths, ideally eliminating the possibility of the consequence rather than only detecting the attack (mitigations and protections). The methodology was published earlier in 2021 in the book “Countering Cyber Sabotage” by INL’s Andy Bochman and Sarah Freeman.

Safeguard Water Systems From All Threats

Risks to today’s water and wastewater systems are increasing — due to more capable threat actors, the expansion of remote working, and increased automation and smart water technology. Hurricanes, flooding and wildfires are difficult to predict and can wreak havoc on water and wastewater infrastructure and operations. And because many utilities are government entities, calls by anti-government extremists and by foreign terrorist organizations such as al-Qaeda and the Islamic State for U.S. domestic extremists to attack targets at home are also cause for concern.

Given this ever-evolving and multi-faceted threat picture, sharing and collaboration are essential to water and wastewater security and resilience. The value of participating in information-sharing networks and industry groups, as well as groups sponsored by law enforcement and homeland security agencies, cannot be overstated.

Attending and contributing to events and offering practical knowledge can strengthen individual utilities and the sector as a whole.

WaterISAC hosts numerous webinars featuring subject matter experts throughout the year. In addition, the center will co-host the Water Utility Resilience Forum in Miami in December 2021. Addressing resilience at large, the forum will have panels on cybersecurity, climate adaptation, financial and workforce resilience, and emergency planning. The American Water Works Association’s (AWWA’s) Water Infrastructure Conference, InfraGard events and the many state and regional association forums hosted every year also offer opportunities to learn about threats to this sector and to focus on building resilience.

We believe that participation engenders awareness, and being aware of threats and implementing best practices produces long-term resilience. With public health and the environment at stake — not to mention utility finances, the integrity of customer data, and reputation — remaining unaware of threats and best practices is no longer an option.

Recognizing 2021’s National Critical Infrastructure Security and Resilience Month, Security magazine had the honor of working with security leaders within the public and private sectors to bring you October’s Special Report — comprised of five different features to be used as best practices and resources to assist critical infrastructure organizations in bolstering their security postures to prevent and reduce the risks of disruptions.

WaterISAC's 15 Cybersecurity Fundamentals for Water and Wastewater Utilities

Utilities can undertake these 15 courses of action to reduce cyber risks to both information and operational technology:

  1. Perform Asset Inventories
  2. Assess Risks
  3. Minimize Control System Exposure
  4. Enforce User Access Controls
  5. Safeguard from Unauthorized Physical Access
  6. Install Independent Cyber-Physical Safety Systems
  7. Embrace Vulnerability Management
  8. Create a Cybersecurity Culture
  9. Develop and Enforce Cybersecurity Policies and Procedures
  10. Implement Threat Detection and Monitoring
  11. Plan for Incidents, Emergencies and Disasters
  12. Tackle Insider Threats
  13. Secure the Supply Chain
  14. Address all Smart Devices
  15. Participate in Information Sharing and Collaboration Communities

To help water and wastewater utilities bolster their cybersecurity and resilience, the sector and the federal government have developed other free resources:

  • The American Water Works Association’s Cybersecurity Guidance and Tool adapts the NIST Cybersecurity Framework to the water sector, and offers a tool for evaluating risks and developing plans to address them.
  • The Cybersecurity and Infrastructure Security Agency has many free tools and services that water systems have taken advantage of.
  • The U.S. Environmental Protection Agency’s Water Security Division has produced a checklist for water and wastewater utilities and is offering free assessments.
  • The Center for Internet Security’s CIS Controls offers a prioritized set of actions to improve cybersecurity.