
Special Report – Critical Infrastructure

Combatting security threats to our nation’s critical water infrastructure

Given the ever-evolving and multi-faceted threat landscape, sharing and collaboration are essential to water and wastewater security and resilience.

By Michael Arceneaux
October 8, 2021

In developed countries, we give little daily thought to where our drinking water comes from or what happens to water after we flush it down the toilet. Nor do we fully appreciate how other modern necessities — from electricity to food supply to refined gasoline — depend on a reliable supply of water delivered by our local utility. But when water supply and wastewater treatment are interrupted, not only does it cause inconvenience, it can impact public health and the environment, undermine the economy, and put our national security at risk.

For decades, utilities have implemented best practices to contend with forces of nature that imperil water systems — from droughts to floods to hurricanes. But as they digitally transform by integrating information technology (IT) and operational technology (OT) into their management and operations, cybersecurity risks take on greater importance.

Increased automation and the adoption of new technologies to assist with meter reading, leak detection and other operational goals open up a host of new attack surfaces for malicious actors to prey upon. And the COVID-19 pandemic added further risks to the equation as more employees began working remotely and using personal devices for official business.


Attacks on Water and Wastewater Utilities Are on the Rise

Recent industrial control system (ICS) events have reinforced these concerns. Control systems, which are part of a utility’s OT environment, manage chemical feeds, pumps and other aspects of water treatment and movement. In February of this year, Oldsmar, Fla., made national headlines when a hacker leveraged a city TeamViewer account to access and change caustic soda levels at the water treatment plant. Around the same time, another hacker used TeamViewer to access the control system and delete files at a large California water facility. And in 2019, a former Post Rock Rural Water District employee who had retained login credentials after leaving the utility’s employment allegedly shut down the treatment process.

In all three cases, the utilities prevented public health impacts through a combination of awareness and technology. But will the next victim of an attack be so prepared — or so fortunate? Such incidents can lead to deaths and illnesses, not to mention reputational damage, lawsuits, employee downtime and the cost of recovery.

The cybersecurity firm Dragos reports hundreds of ICS incidents over the last decade across multiple sectors. While ICS incidents in the water and wastewater sector are relatively rare — or at least rarely reported — ransomware events and other compromises that affect IT occur more frequently. These types of attacks are common, highly disruptive, and can be expensive to recover from. They also offer hackers the opportunity to move laterally from the enterprise network to the operational network.

To the victim, it matters little whether the attacker is a coder living in his parents’ basement, a disgruntled former employee, or a nation-state using cyber hacks as an act of war. But from the standpoint of implementing security measures to prevent future attacks, realizing that bad actors are more sophisticated than ever is key to ensuring effective and secure operations.


Protecting Water Systems Means Investing in Cybersecurity Infrastructure

The recent ICS incidents in the water and wastewater sector likely could have been prevented by limiting access to sensitive systems, not sharing passwords, and removing access for former employees. Similarly, other recent ransomware incidents could have been avoided if employees had spotted malicious emails or had been more suspicious of website links.

Besides implementing best practices published by sector organizations and federal agencies, water utilities must invest in cybersecurity and build a culture of cybersecurity awareness. This requires updated equipment, modern business applications, the hiring of cybersecurity professionals, and regular staff training on best practices.

Many utilities, however, are behind the curve when it comes to making these necessary investments. According to a June survey report by the Water Sector Coordinating Council, 40% of utility managers do not address cybersecurity in their risk management plans. Similar numbers of respondents have not conducted IT or OT asset inventories, which are foundational to improving cybersecurity.

In 2018, recognizing the importance of assessing risk and developing risk-informed response plans, Congress enacted America’s Water Infrastructure Act, requiring risk and resilience assessments and emergency plans every five years. The act applies to nearly 10,000 drinking water systems and is intended to help those organizations better understand, manage and reduce security gaps. However, the sector still lacks adequate technical assistance programs as well as grants and loans for cybersecurity improvements.

The sector and its government partners clearly have more work to do, particularly in helping small and medium-sized utilities who lack some of the resources larger systems enjoy. A number of tools by the sector and federal agencies already exist (see SIDEBAR), but the challenge will be to reach the thousands of utilities that need special assistance and may not be plugged into networks or industry associations, or do not have access to funding or cybersecurity professionals.


A System for Sharing Threat and Incident Information Is Critical

If your car has never been stolen, you might think car theft is not a risk and therefore leave your doors unlocked. But if your neighbors are reporting break-ins, then you are likely to take steps to ensure the same thing won’t happen to you.

The same lesson can be applied to adopting measures to prevent utility cyberattacks. WaterISAC, for example, disseminates threat advisories informed by Cybersecurity and Infrastructure Security Agency, FBI, EPA and fusion centers, as well as private sector sources, such as cybersecurity firms. More importantly, the center solicits incident reports from water and wastewater utilities and, with the originator’s permission, anonymizes the reports and shares them with member utilities.

This model, fundamental to information sharing and analysis centers (ISACs) across multiple sectors, increases awareness of sector threats. At its heart is the willingness of victims to share their experiences. Water utilities that report incidents are good Samaritans providing a service to the community, but reporting incidents also benefits the victims, who can request recovery support and guidance.

The city of Oldsmar set an example by reporting its attack at a news conference hosted by the local sheriff. Other utilities may prefer to report incidents confidentially. Last year, WaterISAC reported a ransomware attack at a large public water utility that approached the center to share their experience. The center’s analysts gathered information from the attack and shared it with the community without divulging the victim’s identity. The victim received recovery assistance, and the sector at large was put on alert to take action to better protect their networks.


Think Like Your Adversaries

Consequence-driven Cyber-informed Engineering (CCE) is a new, four-step methodology for preventing sabotage. Not a replacement for the best practices already mentioned, CCE begins with the assumption that if a critical infrastructure — a water system or power plant, for instance — is being targeted by highly skilled adversaries, then the target will be sabotaged.

Created by Idaho National Laboratory (INL), the methodology first examines where failures could occur and then looks at adversaries’ capabilities. This is followed by a discussion of how an attack might take place. The final phase has the target evaluating changes to mitigate at the time of the attack. The methodology was published earlier this year in the book “Countering Cyber Sabotage” by INL’s Andy Bochman and Sarah Freeman.


Safeguard Water Systems From All Threats

Risks to today’s water and wastewater systems are increasing — due to more effective threat actors, expansion of remote working, and increased automation and smart water technology. Hurricanes, flooding and wildfires are challenging to predict and can wreak havoc on water and wastewater infrastructure and operations. And given that many utilities are government entities, anti-government extremists, as well as al-Qaeda and the Islamic State, who call for U.S. domestic extremists to attack targets at home, are cause for concern.

Given this ever-evolving and multi-faceted threat picture, sharing and collaboration are essential to water and wastewater security and resilience. The value of participating in information-sharing networks and industry groups, as well as law enforcement and homeland security agency-sponsored groups, cannot be overstated.

Attending and contributing to events and offering practical knowledge can strengthen individual utilities and the sector as a whole.

WaterISAC hosts numerous webinars featuring subject matter experts throughout the year. In addition, the center will be a co-host of the Water Utility Resilience Forum in Miami in December 2021. Addressing resilience at large, the forum will have panels on cybersecurity, climate adaptation, financial and workforce resilience, and emergency planning. The American Water Works Association’s (AWWA’s) Water Infrastructure Conference, InfraGard events and many state and regional association forums hosted every year also offer other opportunities to learn about threats in this sector and focus on building resiliency.

We believe that participation engenders awareness, and being aware of threats and implementing best practices produces long-term resilience. With public health and the environment at stake — not to mention utility finances, the integrity of customer data, and reputation — remaining unaware of threats and best practices is no longer an option.


Recognizing 2021’s National Critical Infrastructure Security and Resilience Month, Security magazine had the honor of working with security leaders within the public and private sectors to bring you October’s Special Report — comprised of five different features to be used as best practices and resources to assist critical infrastructure organizations in bolstering their security postures to prevent and reduce the risks of disruptions.

  • A resilience framework for the future
  • Protecting the energy grid is a team sport
  • Cyber-physical security in an interconnected world


WaterISAC's 15 Cybersecurity Fundamentals for Water and Wastewater Utilities

Utilities can undertake these 15 courses of action to reduce cyber risks to both information and operational technology:


  1. Perform Asset Inventories
  2. Assess Risks
  3. Minimize Control System Exposure
  4. Enforce User Access Controls
  5. Safeguard from Unauthorized Physical Access
  6. Install Independent Cyber-Physical Safety Systems
  7. Embrace Vulnerability Management
  8. Create a Cybersecurity Culture
  9. Develop and Enforce Cybersecurity Policies and Procedures
  10. Implement Threat Detection and Monitoring
  11. Plan for Incidents, Emergencies and Disasters
  12. Tackle Insider Threats
  13. Secure the Supply Chain
  14. Address all Smart Devices
  15. Participate in Information Sharing and Collaboration Communities

To help water and wastewater utilities bolster their cybersecurity and resilience, the sector and the federal government have developed other free resources:

  • The American Water Works Association’s Cybersecurity Guidance and Tool is the water sector’s version of the NIST Cybersecurity Framework, and offers a tool for evaluating risks and developing plans to address them.
  • The Cybersecurity and Infrastructure Security Agency has many free tools and services that water systems have taken advantage of.
  • The U.S. Environmental Protection Agency’s Water Security Division has produced a checklist for water and wastewater utilities and is offering free assessments.
  • The Center for Internet Security’s CIS Controls offers a prioritized set of actions to improve cybersecurity.




Michael Arceneaux is the Managing Director of WaterISAC, a nonprofit membership-based organization providing physical and cyber threat information and best practices to the water and wastewater sector in the United States, Canada, Australia and elsewhere since 2002.
