Cyber risk is the top concern for water and wastewater systems. With government intelligence confirming cyber attacks staged by Russia and Iran, utilities need strong risk management to protect public health, sensitive personal information, and national security.
The EPA, FBI, and Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) work together to assess breach consequences, identify malicious entities, and provide solutions for cybersecurity attacks in the sector. In 2019, a district water supply in Kansas was breached by a former employee in which the potable water cleaning and disinfecting procedures were tampered with.
A joint investigation by the FBI and EPA led to an indictment of the hacker but the successful prosecution has not stopped cyberattacks from occurring. Earlier this year, a cybercriminal exploited a water utility system in Oldsmar, Florida and caused dangerous levels of chemicals to build up in the water supply. There are a host of vulnerabilities that need to be addressed to secure the industry against bad actors. Between outdated industrial control systems and poor remote access security, hackers have continued to exploit the weaknesses of water utilities.
Unlike other critical infrastructure sectors, the water and wastewater sector is largely a public domain. About 80% of US residents receive potable water from the public systems and three-fourths utilize the public wastewater system. Other critical infrastructure sectors also rely on water utilities like the emergency services sector, the energy sector, and the food and agriculture sector.
A distributed denial of service (DDoS) attack on the system can leave regions and sectors unable to function. The release of toxic gases or chemicals is a great consequence of cyber attacks in the sector. As the sector digitizes and incorporates modern computer technology and cloud services into its systems, the water and wastewater industries need to manage cybersecurity risk proactively.
Current Regulations for the Sector
The EPA is the main regulatory body for the sector and has provided water systems with cybersecurity best practice guides and self-assessment tools. Water systems also have access to CISA’s incident reporting and tool guide through the EPA. The governing agency has also published a brief that outlines how to implement a cybersecurity program but the provisions are limited. The information provided is focused on incident response but what about proactively managing risk?
In addition to the information provided by the EPA, water and wastewater systems can refer to the Water Information Sharing and Analysis Center (WaterISAC), similar to the energy sector’s E-ISAC, for enterprise trends, threat actors, and prevention tactics. The American Water Works Association (AWWA), an international non-profit organization, provides manuals of practice, webinars, and community outreach programs. The AWWA also mandates over 180 standards of practices but is a voluntary organization.
Yes, water systems are informed on why they should implement a cybersecurity enterprise risk management program, and some even know how to but the cost can be too great for most of the water systems. In order to fully update water systems, IT teams would need to increase their yearly budget by $500,000 to a million dollars.
American Water has been touted as the best-equipped company to stave off cybersecurity threats with a fully-equipped security team that’s dedicated to monitoring cybersecurity. But, most water systems are small and outdated, using decade-old operational technology (OT) and informational technology (IT). Employees stuck with dated technology are also unable to learn about developing threats, phishing tactics, and cyber-awareness. This is the greatest difference between public and privately run systems. Public water systems rarely get the funding and federal grants they need to update their technology and staff a security team.
The water industry is vast, fragmented, and underfunded and these inconsistencies continue to make the sector vulnerable to cyber breaches.
A Lucrative Target for Cyberattacks
Water utilities have to act fast as cyberattacks grow more frequent, more dangerous, and can be backed by other nation-states. In February, a cybercriminal hacked a water system in Oldsmar, Florida through a software application called TechViewer. The water system stated that they no longer used the remote IT system but had left it installed and it was the entry point for the hacker to access the OT controls. The hacker was able to make changes on the control panel and add sodium hydroxide, or lye, into the water supply.
A system operator on-site spotted the changes made and was able to undo the changes before the damage had been done. Although this attack is suspected to be planned by a sole actor, this is not the first attack of its kind and it has occurred before in the US and internationally.
In 2016, a “hacktivist” group based in Syria targeted a water system under the pseudonym Kemuri Water Company (KWC) and accessed its IT and OT systems twice to manipulate the water flow and chemicals used to treat the water. The KWC was able to reverse the changes made and minimize the impact on customers but the attack exposed numerous vulnerabilities in the system’s servers, weak cybersecurity practices, and security gaps.
Three years back, in 2018, the Department of Homeland Security and the FBI warned that the Russian government was planning a “multi-stage intrusion campaign” against smaller critical infrastructure systems. There is too much on the line for water systems. System operators cannot wait around to update their cybersecurity practices. Not when almost 300 million people get their potable water from these systems.
The cyberattacks on Oldsmar and the Colonial Pipeline ransomware attack have been the impetus for President Biden’s executive order requiring an improved cybersecurity posture for the federal government. The mandate includes collaboration between private and public sector companies and operators to minimize incidents overall. The order includes heightened supply chain security, improved federal cybersecurity standards, and a cyber safety review board.
Changes Need to Be Made
The water and wastewater sector need sector-wide improvements. The first major change that needs to be made is the funding and federal aid granted to water systems. Without it, it’s near impossible for current water systems to withstand cyber threats with their current cybersecurity tools, and dated IT and OT technology. According to a survey conducted by the WaterISAC and the Water Sector Coordinating Council (WSCC), one of the main ways that the federal government needs to support water systems is through federal loans and grants. With extra resources, systems will not only be able to update the technology and security software used but can also adequately staff their security teams to effectively manage risk and contain threats.
In addition, the survey also noted that water utilities needed help with technical assistance, cyber threat information, and updated training and education.
Like the financial services sector or the transportation sector, the water and wastewater industry needs to be regulated with mandated cybersecurity standards. Mandated standards, like the set of standards created by the National Institute of Standards and Technology (NIST) for other critical infrastructure sectors, will better guide and incentivize companies to comply with standards.
With something akin to the NIST Cybersecurity Framework (CSF), water systems will not only know how to implement a stronger cybersecurity program but also have security controls and compliance programs to adhere to.
Over time, this will bring all systems within the sector to a uniform level of security, effectively manage risk, and monitor threat development. The Water and Wastewater Systems Sector-Specific Plan - 2015 only outlined objectives that were to be achieved within two years of its publication. The plan is outdated for modern threats and neglects to inform systems on integrated risk management strategies, supply chain security, and vendor risk.
With the right resources and regulations, water and wastewater systems can move forward with a security-first approach. Supplemented with frequent employee training on security risk, workable compliance frameworks like the NIST CSF, and regular risk assessments, the sector stands a stronger chance against cybersecurity threats and attacks.
A Strong Water and Wastewater Sector
Millions of people rely on the water and wastewater systems every day. This widespread reach that the water sector has makes it one of the most lucrative targets for ransomware and nation-state attacks. Sector leaders and regulating bodies need to contend with industry-wide changes, in order to ensure the safety of all that depend on it. Cyberthreats and attacks may never be fully mitigated but with a security-first approach to managing risk and updated technology, the water sector will be able to proactively secure its systems.
To learn about the impact cyberattacks like Oldsmar and Colonial have on federal cybersecurity regulations, check out our webinar How Colonial and JBS will Impact the CMMC Rollout. To see how CyberSaint can be a compliance management tool for you, contact us.