Protecting our nation’s water supply is vital. It falls under the category of Critical National Infrastructure (CNI), and represents a resource so necessary to the United States “that [its] incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” However, at this point, there are not strong Federal guidelines surrounding cybersecurity for the water industry.
In comes WaterISAC, a nonprofit dedicated to keeping the nation’s water and wastewater plants cyber secure. WaterISAC, is a “comprehensive and targeted single point source for data, facts, case studies, and analysis on water security and threats from intentional contamination, terrorism, and cybercrime.” In the words of the ISAO Standards Organization, “WaterISAC helps members strengthen their physical and cyber security, recover from natural and man-made disasters and improve overall preparedness and resilience.” In 2019 they released their 15 Cybersecurity Fundamentals for Water and Wastewater Facilities, a set of benchmarks designed to “be helpful to utilities preparing risk and resilience assessments required by America’s Water Infrastructure Act, or AWIA.” More on the act, later.
To understand the context of these frameworks, it’s necessary to understand the state of the industry, the threats being faced and how policy can help.
Threats to US Water Supply
In October, the FBI, Environmental Protection Agency, National Security Agency and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory warning that U.S. water and wastewater systems are being targeted by “known and unknown” malicious actors. And, we see it happening.
“It’s the kind of breach that has been warned about for years but is rarely seen,” reads the headline. In February of last year, bad actors compromised a TeamViewer account, infiltrating the water supply in Oldsmar, Florida and nearly succeeding at raising the chemical levels to toxic amounts.
In May of last year, two Pennsylvania water plants were victims of attempted hacking. The attacks were thwarted, but the superintendent of the Municipal Authority over the water supply revealed ” it is alarming and it is a very vulnerable business.”
And the Metropolitan Water District experienced its own water scare, showing us that those looking to undermine the sector are not only going for small municipal facilities, but big game. The Pulse Secure hack compromised a device meant to boost internet security and was thought to be a nation-state attack. According to experts, “[S]ophisticated hackers exploited never-before-seen vulnerabilities to break in and were hyper-diligent in trying to cover their tracks once inside.”
Cybersecurity in the Water Sector
Among the nations over 54,000 water facilities, there is little in the way of mandated cybersecurity policy. A mere 444 systems serve over half the population, while 85% are municipally owned, with 90% of wastewater plants under local jurisdiction as well. Noted Suzanne Spaulding, chief cybersecurity official at the Department of Homeland Security under the Obama administration, “When I first came into DHS and started getting the sector-specific briefings, my team said, ‘Here’s what you’ve got to know about water facilities: When you’ve seen one water facility, you’ve seen one water facility.'”
According to the WaterISAC survey “Water and Wastewater Systems Cybersecurity State of the Sector 2021”, “60% of water utilities say they have not fully identified IT-networked assets in their networks, and only a little more than 21% of those utilities said they are working to do so.” Add to that the fact that “roughly 70% said they have not fully identified all operational technology networked assets” and the case can seem pretty dismal. Meanwhile, other CNI sectors like electricity continue to expand and improve unifying cybersecurity standards.
However, good moves are being made. According to a 2018 survey of these independent water facilities, 91 percent have active cybersecurity programs. That’s a great start. The White House hosted a Cyber Security Summit back in August, and earlier this year, the Biden administration announced plans to address the cybersecurity of water and wastewater systems.
Already in place is America’s Water Infrastructure Act, or AWIA. Passed in 2018, it “deepens infrastructure investments” and provides “the most far-reaching changes to the Safe Drinking Water Act since the 1996 Amendments.” It claims over 30 mandated programs, and underpins cybersecurity frameworks established for the water industry, such as the one developed by WaterISAC.
Essential Frameworks for Water Cybersecurity
In an effort to strengthen the security posture of our nation’s water utilities, and compliant with the standards in the AWIA, WaterISAC released their 15 Cybersecurity Fundamentals for Water and Wastewater Facilities. These practices secure the information technology (IT) and operational technology (OT) systems that support national water and wastewater management. A summary can be found here, and recommendations include:
- Perform Asset Inventories
- Assess Risks
- Minimize Control System Exposure
- Enforce User Access Controls
- Safeguard from Unauthorized Physical Access
- Install Independent Cyber-Physical Safety Systems
- Embrace Vulnerability Management
- Create a Cybersecurity Culture
- Develop and Enforce Cybersecurity Policies and Procedures (Governance)
- Implement Threat Detection and Monitoring
- Plan for Incidents, Emergencies, and Disasters
- Tackle Insider Threats
- Secure the Supply Chain
- Address all Smart Devices (IoT, IIoT, Mobile, etc.)
- Participate in Information Sharing and Collaboration Communities
“WaterISAC… provides analysis and resources to support response, mitigation, and resilience initiatives,” and this 15-step framework is designed to prepare utilities for the risk and resilience assessments required by America’s Water Infrastructure Act, or AWIA. The more the water sector adheres to essential cybersecurity frameworks, the better it will be able to defend against the advanced and persistent threats it has already begun to face.
The water industry is in a unique position as a part of CNI because there is very little mandated security. If you are looking for help with securing such business, ITEGRITI has a team of dedicated professionals who can help navigate you through various applicable frameworks.