Cybersecurity Threats to the US Water Industry
In an increasingly digital world, cybersecurity is a significant – and relevant – threat to individuals and companies alike. Cybercriminals are constantly devising new ways to steal information for personal gain through exploitation or ransom demands.
It’s become unfortunately commonplace to hear tales of drained checking accounts, leaked photos, and private documents being published to the masses. In this post-pandemic era, the move to hybrid and remote work dynamics has tempted nefarious actors even more. In 2021, the average instance of data breaches and cyberattacks rose more than 15% year over year.
While virtually every aspect of modern life is at risk for cybercrime, one surprising target is the utility industry. The water and power grid appeal to criminals looking to wreak havoc and can potentially risk the health and livelihoods of millions of people.
The Structure of Water Utilities
Across the nation, there are as many as 70,000 separate water utilities in the United States, encompassing both potable and wastewater systems. Many of these systems are small, serving low-density communities and functioning on limited budgets. The fragmented nature of water utility coverage coupled with low budgets and limited technologic expertise means many systems are outdated and under-protected.
Vulnerability and Attacks Targeting the Water System
It’s not uncommon to receive emails or notifications from banking institutions alerting customers of new security threats, particularly phishing tactics. What is unique is hearing from some of the most prominent government institutions – including the FBI, the NSA (National Security Agency), the EPA (Environmental Protection Agency), and the CISA (Cybersecurity and Infrastructure Security Agency) – with a very specific warning: the water and wastewater systems across the US are the target of criminals.
The catalyst for this was a 2021 incident you may not have even heard of. A water treatment plant in Oldsmar, Florida, had its systems breached, and hackers attempted to poison the water supply in this 15,000-person town. The hacker tried to make changes to the levels of sodium hydroxide (also known as lye or caustic soda), increasing the concentration to highly toxic levels.
Users access operational systems in the Oldsmar facility online through a software platform. While the platform should have been segregated from the internet-connected IT network, criminals were able to gain access and control an administrator’s mouse remotely to make changes to the settings. Thankfully, a user spotted the mouse movement and alerted authorities, saving the health and livelihood of those depending on the Oldsmar system’s water.
This is only one example of the vulnerability of the water system. Other incidents (both domestic and off-shore) have seen bad actors breaching security to adjust chemical levels or to purge raw sewage into public spaces and waterways.
Unique Security Challenges
While cybersecurity challenges are present throughout the utility sector, the water industry is particularly vulnerable. Having long ago identified the need for a unified approach to security, FERC and NERC have developed a standardized set of rules for securing the electric grid. After the Colonial Pipeline attack last year, the oil and gas industry has also taken note, tightening security. A new set of regulations are rumored to be announced this year.
That leaves the water industry particularly vulnerable. The same level of regulation and unified authority doesn’t apply to water utilities, and the disparate nature of system implementation leaves many potential security gaps. Cybersecurity practices are antiquated in many parts of the country, with weaker identity monitoring and access management tools.
A 2019 report issued by the AWWA (American Water Works Association) dubbed cyberrisk a paramount risk facing critical infrastructure. They identified insufficient human, technological, and financial resources as top barriers to comprehensive security measures and robust defenses.
Given the potential impact on the population, hackers have the upper hand when breaching frontline security. As such, ransomware is a go-to tactic, exploiting these vulnerabilities in exchange for sizeable payments. Reports indicate that ransomware attacks on the water utility industry are increasing, putting individuals across the country at risk.
Protecting the Water Sector
Within today’s security climate, the water sector has a big journey ahead of them to meet the challenges arising across the country. The lack of resources, expertise, and nationwide cohesion means utilities must take matters into their own hands.
Thankfully, there is some support. In early 2022, the EPA petitioned for a $4bln budget to support upgrades to water infrastructure, including potable and wastewater systems. Taking a hint from NERC and the TSA Pipeline Security Directive, the EPA is also developing directives for cybersecurity continuity to apply to the entire sector. At the time of writing, the directives do not mandate protection but do require entities to report incident data including severity and consequences. While some may argue that this is insufficient, it is a first step in introducing collaboration and communication to the industry.
What’s Next?
Fundamental to any security strategy is understanding the existing risks. With the current gaps in regulations and lack of a broadly-defined approach to cybersecurity within the water sector, individual entities would be wise to take matters into their own hands.
Nominating a person or small team to take ownership of security strategy is crucial for utilities no matter the size. For many, the knowledge gap is great and a lack of experienced personnel causes security measures to fall through the cracks. Thankfully, utility companies can bridge this gap with an outside team of experts.
About the Author: Michael Sanchez, CEO (CISA), has more than 34 years of experience in information technology, cybersecurity, physical security, compliance, and audit. Michael has held senior leadership positions in the energy; oil and gas; healthcare; and transportation industries. He is a former VP and general manager for ICF International, a large global management consulting firm, where he served as head of commercial cybersecurity and compliance. In other past roles, he managed IT and OT for a $12-billion energy corporation, assisted in the IT rebuild and redesign for a large power generation company, and served for 12 years as a board member for FBI InfraGard Houston, helping to facilitate the sharing of information related to domestic physical and cyber threats.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Gloss