The water industry is one of 16 Critical National Infrastructure (CNI) sectors, which means it’s on the front lines of nation-state cyberattacks when they come (and we’ve been warned). But is it ready? Survey says – not enough. About this time last year, the Water Sector Coordinating Council – made up of WaterISAC, national water and wastewater associations, and the sector’s research foundation – conducted a survey of the US water and wastewater sector to assess cyber readiness. The results? Not exceptional. The problem? Today’s threats are.
Why cybersecurity is an urgent concern for water
Why is now a good time for the water industry to perform a cyber health check? Because it’s under attack. A joint security alert issued just weeks ago by CISA, the NSA, the FBI and the Department of Energy warned that “certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control systems (ICS)/supervisory control and data acquisition (SCADA) devices.” In other words, there is evidence that bad actors are already able to breach US critical infrastructure systems, and that’s on the heels of other joint advisories, government warnings, and the Biden Administration’s 2022 100-day sprint to shore up cyber defenses for the water industry. It’s urgent, and the information provided in this survey can serve as a baseline for future water sector cybersecurity improvements.
The report states that there are “approximately 52,000 community water systems and approximately 16,000 wastewater systems in the United States.” That’s an incredibly large surface area, which leaves it little room for error. Unfortunately, errors, weaknesses, and vulnerabilities abound.
“Like all sectors, water and wastewater systems are targets, directly or indirectly, of cyber attackers,” continues the report, “but complicating any set of solutions is the demographics of the sector.” What demographics? It goes on to state that “many [US water systems] are subject to economic disadvantages typical of rural and urban communities. Others do not have access to a cybersecurity workforce. Operating in the background is that these utilities are struggling to maintain and replace infrastructure, maintain revenues while addressing issues of affordability, and comply with safe and clean water regulations.” To sum up, the water industry is:
- On the front lines of attacks, as a key sector of CNI.
- Understaffed, under-regulated, and underfunded, making it unprepared to deal with the incoming and precipitant threats.
- Already vulnerable to nation-state Advanced Persistent Threats (APTs), which have been shown to lurk within its systems.
You see the dire need then for the water industry to take stock of itself and find out where it stands in terms of cyber readiness – assessing strengths, weaknesses, and how it can improve. That’s what this survey aims to do.
A “first-of-its-kind” snapshot
The Water Sector Coordinating Council is “a policy, strategy and coordination mechanism for the Water and Wastewater Sector in interactions with the government and other sectors on critical infrastructure security and resilience issues.” It is one of a number of sector coordinating councils for critical infrastructure.
The State of the Sector 2021 survey it put out in April of last year was significant because it had never been done before. Cited as a “first-of-its-kind snapshot of the Water and Wastewater Systems Sector cybersecurity posture,” it canvassed 606 responses from the water and wastewater industry and was crafted to “develop a picture of current cybersecurity practices in the sector” for the purpose of guiding policy, informing dialogue and improving security policy. Let’s see how it did.
We can break the results down into a few key areas:
- Cybersecurity needs of the water sector
- Risk management challenges
- Difficulties of implementing a cybersecurity program
- Mixing IT and OT assets
- Cybersecurity as a priority
Cybersecurity needs of the water sector. Here’s what survey respondents from the water sector said they need:
- 51% – Cybersecurity training specific to the water sector
- 47% – technical assistance, advice, and support
- 41% – Funding for cybersecurity resources
- 41% – Cyber threat information
- 30% – Money to hire cybersecurity talent
Roughly a third also marked IT/OT supply chain safety as a need. The patterns center around a lack of cybersecurity expertise, industry and threat training, and funding.
Risk management challenges. While over 57% of respondents claimed to have a risk management strategy that addressed cybersecurity, the issue was not without its challenges. The top three per service were listed as:
Combined drinking water and wastewater
- Minimizing control system exposure
- Risk assessment
- Finding vulnerabilities or the remediation software that can stop them
- Risk assessment
- Finding cybersecurity threats and best practices
- Incident and emergency planning
- Minimizing control system exposure
- Securing remote access to Operational Technology (OT)
- Risk assessment
However, the number one most prevalent challenge for large-scale systems serving 100,000 or more is creating a culture of cybersecurity within the organization.
Difficulties of implementing a cybersecurity program. The survey wanted to gauge to what extent each of the following cybersecurity issues was a challenge for water utilities to address. The results showed:
- Business continuity presented the greatest challenge
- Website security presented the least
- Risk management was the second most difficult to address
Areas such as physical security, incident response, and cloud security fell somewhere in between.
Mixing IT and OT assets. As networks increase in complexity, it’s easy to lose track of assets and identities. As Information Technology (IT) and Operational Technology (OT) integrate on the same network for increased efficiency, the problem can become even more complicated. OT assets are typically older, legacy applications with a lot of inherent bugs. These bugs can present vulnerabilities for hackers to penetrate and pivot from, affecting the newer IT assets as a result.
To prevent this, all IT/OT assets must be secured, and to be secured they must first be visible.
- Nearly 40% have identified all IT assets (21.7% are working to do so)
- Only 30% have identified all OT assets (22.5% are working to do so)
And, for those with IT/OT assets identified:
- 22% had cyber defense measures implemented and monitored
- 37% reported being in progress
- 15% claimed they were planning to do so
While over 50% of respondents reported no IT or OT attacks within the past year, attacks are steadily increasing across the industry (look at Oldsmar, Israel, LA). Waiting to shore up cyber defenses until you’re attacked may be waiting too late.
Cybersecurity as a priority. Finally, how important was cybersecurity to the water and wastewater sector? Well, for the over 600 respondents, the results varied by how big a population the utility served.
For water systems serving fewer than 500 people, roughly 5% said cybersecurity was a top priority and over 30% said it was not a priority. For those serving over 250,000 people, nearly one in three claimed cybersecurity was the top priority, with less than one percent stating it was not a priority at all.
Resources needed to up the cyber game for the water industry
The water sector faces the challenges of legacy infrastructure, lack of cyber expertise, shared priorities with regulation compliance, and perennial lack of funding, which puts it in a state of urgent need.
Looking back at the top three needs listed above (besides funding), they are cybersecurity training, technical assistance, and threat information. While you could make a case that MITRE ATT&CK could plug the third hole, the first two definitely need money. And how good is the MITRE ATT&CK framework without the cyber talent needed to implement it?
What the State of the Sector 2021 revealed was a (still shocking) lack of cybersecurity readiness in the water sector – from training to technology to talent – and the bottom line is those improvements are next to impossible to implement without the resources to do it.
Which is maybe why CISA is asking for an additional $80 million in FEMA grants to go towards “target-rich, resource-poor critical infrastructure providers,” drawing lawmakers’ attention “in particular to water.” Says CISA director Jen Easterly, “Water entities…are very target-rich—as we saw with Oldsmar in February of 2021—but resource-poor, and so being able to provide grant money to help them raise their cybersecurity baseline, I think, is really important.” It seems the Water Sector Coordinating Council survey results would agree.
If you’re in the water industry and you’re looking for someone to help you with assessing your cybersecurity posture, Itegriti has a dedicated team of experts who can help you tread these treacherous waters.