Summary: Water infrastructure is critical to national security, economic stability, and public health and safety. Following the trend across the United States, the number and severity of cyberattacks against the water sector are increasing. However, the sector faces serious budgetary issues which gravely impact its ability to evaluate and respond to cyber threats. Despite these problems, water and wastewater utilities can implement some basic cyber hygiene controls that will enhance their cybersecurity posture.

Critical infrastructure in the United States is only as strong as its weakest link, and water infrastructure may present the greatest danger. Significant cybersecurity deficiencies have been identified in the drinking water and wastewater sectors, in part due to structural obstacles. The majority of 52,000 drinking water systems and 16,000 wastewater systems in the United States serve small to medium-sized cities with less than 50,000 persons. These systems operate with limited funds, staff, and experience in cybersecurity. It is fundamentally difficult to conduct efficient government oversight and provide adequate federal assistance to such a dispersed network of utilities.

Increasing attacks threaten hygiene and reliability of the water sector

Nationwide, the number and severity of cyberattacks are growing, and the water industry is not immune. In February 2021, the Florida city of Oldsmar was the target of an attack that posed a severe threat to public health. A hacker infiltrated the network of the city’s drinking water treatment facility and altered the chemical concentrations used to purify the water. Poor cybersecurity, such as weak passwords and obsolete operating systems, contributed to the hacker’s success, according to the FBI.

In March of 2019, a similar attack was successful in shutting down the treatment and disinfection processes at an Ellsworth, Kansas drinking water plant. Despite having departed from the organization two months prior, the former employee tampered with the system using his still-active remote-access credentials.

State-backed hackers also pose a threat to the water industry. CISA, the EPA, the FBI, and the NSA published combined advice and infographic in October 2021 to warn of continued threats to water and wastewater infrastructure. The report warned that water systems are vulnerable because utilities rely on “unsupported or outdated operating systems and software” and “outdated control system devices or firmware versions” with known exploitable flaws.

The advice detailed three cases in which ransomware was successfully distributed within the Supervisory Control and Data Acquisition (SCADA) system of a water utility, causing the facilities to convert to manual operation. Ransomware is typically targeted against IT and business operations systems, but it can also “infect connected OT systems, especially if IT and OT systems are not adequately segmented,” CISA said in an infographic that accompanied the advisory.

Lack of budget impacts cybersecurity posture

A portion of the issue arises from the water industry’s general budgetary difficulties. Due to miles of pipelines, uncontrollable variables such as droughts and severe weather, and the variation in topography and production capacity within each state, the water sector is unable to determine annual water and wastewater price increases in the same standardized manner as the U.S. Department of Energy (DOE) does for the electricity sector.

The Water Sector Coordinating Council (WSCC) observed that it is difficult for utilities to invest in cybersecurity when they are “struggling to maintain and replace infrastructure, maintain revenues while addressing issues of affordability, and comply with safe and clean water regulations.”

The WSCC and the Water Information Sharing and Analysis Center (WaterISAC) surveyed more than 600 drinking water and wastewater enterprises in 2021 to examine the cybersecurity posture of the sector. Sixty percent of surveyed organizations spent less than 5 percent of their budgets on IT security in 2021, while nearly two-thirds spent less than 5 percent on OT security. A majority invested less than 1 percent in IT and OT security.

Smaller resources also result in fewer IT and OT security-focused personnel. Without trained people, it is difficult for a utility to act on government-supplied intelligence regarding active risks. With limited personnel and funds, a utility’s capacity to respond to and recover from an attack is similarly constrained. Small budgets also mean that water utilities undertake risk assessments infrequently, test their cybersecurity incident response plans infrequently, and provide insufficient cybersecurity training to their employees.

This is a concern from a legal standpoint. The 2018 America’s Water Infrastructure Act (AWIA) mandates that community water systems serving more than 3,300 people perform and update risk and resilience assessments (RRAs) and emergency response plans on a recurring basis (ERPs). The RRAs must include an evaluation of “the risk to the system from malevolent acts and natural hazards,” as well as “the resilience of… the electronic, computer, or other automated systems (including the security of such systems) used by the system.” These RRAs and ERPs are only successful if the utilities have cybersecurity staff who are aware of the RRAs and ERPs and who can conduct the evaluation and take measures to mitigate the risks.

Lack of standardization is a further cause for concern. Until now, the EPA has not given water utilities specific standards, techniques, or instruments for conducting RRAs or preparing ERPs. The American Water Works Association (AWWA) has created recommendations based on the NIST Cybersecurity Framework, but these are not mandatory. This means that many water utilities may be unaware of their cybersecurity deficiencies, and their emergency response plans may not minimize cyber risks.

How water utilities can advance their cybersecurity

Within today’s security climate, the water sector has a big journey ahead of them to meet the challenges arising across the country. “The lack of resources, expertise, and nationwide cohesion means utilities must take matters into their own hands,” says Michael Sanchez, CEO at ITEGRITI.

Some reasonable best practices that water and wastewater facilities need to embrace are:

  • Network segmentation
  • System patches
  • Strong authentication with MFA
  • Clear visibility across the organization
  • Raise security awareness

Nominating a person or small team to take ownership of security strategy is crucial for utilities no matter the size. For many, the knowledge gap is great and a lack of experienced personnel causes security measures to fall through the cracks. Thankfully, utility companies can bridge this gap with an outside team of experts.

That’s why ITEGRITI is here to help. We understand that most water facilities are understaffed, overworked, and lacking the funding to hire the cybersecurity experts needed to run CNI-level defense right. Find out how ITEGRITI can help you strengthen your organization’s cybersecurity posture with simple and proven steps.