
Protecting Our Nation’s Critical Water Infrastructure from Cyber Threats

Water is one of our most essential resources, critical for human health, agriculture, industry, and daily life. Yet the infrastructure that delivers clean water to our homes and businesses and treats our wastewater is increasingly vulnerable to cyberattacks. As water utilities embrace digital technologies to improve efficiency and service, they also expand their attack surface for malicious actors seeking to disrupt or contaminate water supplies. Recent incidents have demonstrated that the threat is real and growing. Protecting our water infrastructure from cyber threats must be a top national priority.

The Evolving Cyber Threat Landscape

The cyber threat to critical infrastructure has grown dramatically over the past decade. What was once the domain of individual hackers is now the playground of sophisticated criminal groups and nation-state actors. The tools and techniques for launching cyberattacks have become more advanced and more widely available. At the same time, our critical infrastructure has become more connected and digitized, creating new vulnerabilities.

Some key trends shaping the current threat landscape include:

  • A 600% increase in IoT attacks from 2016 to 2021, as more internet-connected devices are deployed in industrial environments
  • The rise of ransomware attacks targeting critical infrastructure, as seen in the Colonial Pipeline incident
  • Nation-state actors increasingly probing and infiltrating critical infrastructure as part of larger geopolitical strategies
  • The blurring of lines between IT and OT (operational technology) networks, expanding attack surfaces
  • Supply chain attacks that compromise software or hardware used in critical systems

For the water sector specifically, we’ve seen several concerning incidents in recent years:

  • In 2021, a hacker attempted to poison the water supply in Oldsmar, Florida, by increasing the level of sodium hydroxide in the treatment system
  • A ransomware attack on a water utility in North Carolina in 2019 took billing and phone systems offline
  • Multiple water utilities have reported attempted intrusions by nation-state actors probing for vulnerabilities

These incidents make it clear that water infrastructure is squarely in the crosshairs of cyber threat actors. The potential consequences of a successful attack could be devastating – from service disruptions to public health crises. Water utilities of all sizes need to take urgent action to improve their cybersecurity posture.

Key Vulnerabilities in Water Infrastructure

Water and wastewater utilities face some unique cybersecurity challenges compared to other critical infrastructure sectors:

Expansive, Distributed Infrastructure: Water systems typically cover large geographic areas with many remote facilities and sensors. This distributed architecture can be difficult to fully secure and monitor.

Legacy Systems: Many utilities are still running decades-old SCADA and control systems that were not designed with cybersecurity in mind. Upgrading these systems can be costly and complex.

Resource Constraints: Especially for smaller utilities, limited budgets and cybersecurity expertise can make it challenging to implement robust security measures.

IT/OT Convergence: As utilities adopt more smart technologies and internet-connected devices, once-isolated operational systems are now connected to IT networks and the internet.

Complex Ecosystem: Water utilities often work with many third-party vendors and contractors, expanding potential vulnerabilities.

Regulatory Requirements: While new cybersecurity mandates are emerging, historically there has been limited regulation or standardization of cybersecurity practices in the water sector.

Public Accessibility: Unlike some critical infrastructure, water utilities must maintain public-facing services and access points that can potentially be exploited.

24/7 Operations: The need for continuous operations makes it difficult to take systems offline for updates and security measures.


These factors combine to create an environment where many attack vectors exist for malicious actors to potentially compromise water infrastructure systems. Common types of attacks targeting water utilities include:

  • Insider threats from disgruntled employees or contractors with system access
  • Ransomware that encrypts critical systems and data
  • Phishing and social engineering to gain login credentials
  • Exploitation of unpatched vulnerabilities in control systems
  • Man-in-the-middle attacks to intercept and alter communications
  • Supply chain attacks that compromise vendor software or equipment
  • Direct hacking of exposed internet-connected devices and interfaces

Attacks can target IT systems like billing and customer service, or operational technology that directly controls water treatment and distribution. In the worst-case scenarios, attackers could potentially alter chemical dosing, shut down pumps, or otherwise disrupt safe water delivery.

The Imperative for Action

The growing cyber threat to water infrastructure has not gone unnoticed by government leaders and regulators. Recent actions underscore the urgency of addressing this critical issue:

In 2021, the Biden administration issued an Executive Order on Improving the Nation’s Cybersecurity that called for enhancing the security of critical infrastructure control systems. The order stated that “incremental improvements will not give us the security we need” and called for bold changes and significant investments.

The Environmental Protection Agency (EPA) has issued guidance emphasizing that implementing cybersecurity best practices is critical for water and wastewater utilities. The EPA views cyberattacks as a significant and growing threat to the sector.

In early 2023, the EPA issued a new memorandum requiring public water systems to meet basic cybersecurity requirements and undergo regular cybersecurity audits as part of safety inspections. This marks a major step toward standardizing cybersecurity practices across the industry.

Congress has also taken notice, with multiple bills introduced to provide funding and resources to improve water sector cybersecurity. America’s Water Infrastructure Act of 2018 included new requirements for water systems to conduct cybersecurity risk assessments.

These policy actions reflect a growing recognition that our water infrastructure is vulnerable and that urgent steps are needed to enhance its cyber resilience. Water utilities of all sizes need to make cybersecurity a top priority and take concrete actions to reduce their risk.

Key Elements of an Effective Water Sector Cybersecurity Program

While the specific security needs of each utility will vary, there are some core elements that should be part of any comprehensive water sector cybersecurity program:

Asset Inventory and Management: Maintaining an accurate inventory of all IT and OT assets is critical for identifying vulnerabilities and ensuring proper security controls are in place. This includes remote sensors and devices that may be geographically dispersed.

Network Segmentation: Separating IT and OT networks and implementing security zones can limit lateral movement by attackers and contain potential breaches.

Access Controls: Implementing strong authentication, least privilege access, and regular access reviews is essential for limiting unauthorized system access.

Continuous Monitoring: Deploying technologies to monitor networks for anomalies and potential intrusions allows for rapid detection and response to threats.
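One concrete form of the continuous monitoring described here, aimed at the chemical-dosing and pump-control scenario raised earlier, is to review setpoint-change events exported from the plant's control system and flag values outside a safe operating envelope, implausibly large jumps, and remote-session changes made outside an approved window. The script below is an added example, not code from the article or from any utility; its event format, tag names, limits and maintenance window are all assumptions.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed export of setpoint-change events (timestamp, operator, source,
# tag, old value, new value). Every value here is invented for the example.
SAMPLE_EVENTS = """\
2024-03-01T08:02:11,operator1,hmi-local,NAOH_DOSE_PPM,100,104
2024-03-01T13:30:45,vendor-support,remote-vpn,NAOH_DOSE_PPM,104,1500
2024-03-01T13:31:02,vendor-support,remote-vpn,HIGH_SERVICE_PUMP_1,1,0
2024-03-01T14:10:00,operator1,hmi-local,NAOH_DOSE_PPM,1500,100
"""

# Assumed safe operating envelope per tag: (min, max, max change per event).
LIMITS = {
    "NAOH_DOSE_PPM": (50.0, 150.0, 25.0),
    "HIGH_SERVICE_PUMP_1": (0.0, 1.0, 1.0),
}
REMOTE_WINDOW = (9, 12)      # assumed policy: remote changes only 09:00-11:59
LOCAL_SOURCES = {"hmi-local"}

def check_event(ts, operator, source, tag, old, new):
    """Return (severity, reason) findings for one setpoint change."""
    findings = []
    lo, hi, step = LIMITS.get(tag, (float("-inf"), float("inf"), float("inf")))
    if not lo <= new <= hi:          # value the plant should never run at
        findings.append(("CRITICAL", f"{tag} set to {new}, outside {lo}-{hi}"))
    elif abs(new - old) > step:      # in range, but an implausibly large jump
        findings.append(("HIGH", f"{tag} changed {old}->{new}, step limit {step}"))
    if source not in LOCAL_SOURCES and not REMOTE_WINDOW[0] <= ts.hour < REMOTE_WINDOW[1]:
        findings.append(("MEDIUM", f"remote change by {operator} via {source} outside window"))
    return findings

def scan_events(text):
    """Parse CSV event lines; return [(timestamp, tag, severity, reason), ...]."""
    alerts = []
    for row in csv.reader(StringIO(text)):
        if not row:                  # tolerate blank lines in the export
            continue
        ts = datetime.fromisoformat(row[0])
        old, new = float(row[4]), float(row[5])
        for sev, reason in check_event(ts, row[1], row[2], row[3], old, new):
            alerts.append((row[0], row[3], sev, reason))
    return alerts

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(" | ".join(alert))
```

Run against the constructed export, the remote dosing change is flagged as CRITICAL and MEDIUM, the remote pump stop as MEDIUM, and the operator's corrective reset as HIGH because of its size; tuning the envelope and window to the plant's real operating data is the work that makes such a rule useful.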

Incident Response Planning: Having documented incident response procedures and regularly testing them ensures the organization can react quickly to contain and mitigate cyber incidents.

Supply Chain Security: Vetting vendors and securing the software/hardware supply chain helps prevent backdoors and compromised components from being introduced.

Encryption: Encrypting sensitive data in transit and at rest protects it from unauthorized access or tampering.

Patch Management: Regularly updating and patching systems closes known vulnerabilities that could be exploited by attackers.

Backup and Recovery: Maintaining secure, isolated backups of critical systems and data enables rapid recovery from ransomware and other attacks.

Employee Training: Ongoing cybersecurity awareness training for all employees is crucial, as human error remains a top attack vector.

Physical Security: Securing facilities and access to critical systems adds an important layer of defense against insider threats and physical attacks.

Third-Party Risk Management: Assessing and monitoring the security practices of vendors and partners who have access to systems or data is necessary because those relationships extend the utility's attack surface beyond the systems it controls directly.

Importantly, cybersecurity needs to be viewed as an ongoing process, not a one-time project. Threats and vulnerabilities are constantly evolving, requiring continuous improvement and adaptation of security measures.

Emerging Technologies and Best Practices

As the threat landscape evolves, new technologies and approaches are emerging to help water utilities enhance their cybersecurity posture:

Artificial Intelligence and Machine Learning: AI-powered tools can analyze vast amounts of data to detect anomalies and potential threats faster than human analysts.

Zero Trust Architecture: This security model assumes no user or device should be inherently trusted and requires continuous verification.

Cloud Security: As more utilities adopt cloud services, specialized tools and practices for securing cloud environments are crucial.

Operational Technology Security: Purpose-built security solutions for industrial control systems and SCADA environments are maturing.

Security Orchestration, Automation and Response (SOAR): These platforms automate and streamline security operations and incident response.

Deception Technology: Deploying decoys and traps throughout the network can detect and divert attackers.

Secure Remote Access: With more remote work and third-party access, ensuring secure connectivity is critical.

DevSecOps: Integrating security throughout the software development lifecycle helps build more secure applications and systems.

Blockchain: Distributed ledger technology shows promise for securing supply chains and verifying the integrity of data and transactions.

Quantum-Safe Cryptography: As quantum computing advances, new encryption methods are needed to maintain long-term data security.

Water utilities should stay informed about these emerging technologies and evaluate which ones may be appropriate for enhancing their specific security programs. Engaging with industry associations, government agencies, and cybersecurity vendors can help utilities stay up-to-date on best practices and solutions.

Overcoming Implementation Challenges

While the imperative for enhancing cybersecurity is clear, many water utilities face significant challenges in implementing robust security programs. Some common obstacles include:

Budget Constraints: Especially for smaller utilities, limited financial resources can make it difficult to invest in new security technologies and personnel.

Lack of Expertise: There is a shortage of cybersecurity professionals with specific knowledge of water sector operational technology.

Legacy Systems: Older control systems that cannot easily be updated or replaced pose ongoing security risks.

Organizational Silos: Lack of coordination between IT and OT teams can leave gaps in security coverage.

Regulatory Uncertainty: Evolving and sometimes conflicting regulations can make compliance challenging.

24/7 Operations: The need for continuous uptime makes it difficult to take systems offline for updates and security measures.

Third-Party Dependencies: Reliance on vendors and contractors introduces risks that can be hard to fully control.

Overcoming these challenges requires a multi-faceted approach:

Leadership Commitment: Cybersecurity needs to be a top priority driven from the highest levels of the organization.

Risk-Based Approach: Focus resources on protecting the most critical assets and processes first.

Partnerships: Collaborate with other utilities, government agencies, and cybersecurity firms to share knowledge and resources.

Phased Implementation: Break down security initiatives into manageable phases rather than trying to do everything at once.

Training and Education: Invest in developing internal cybersecurity skills and awareness across the organization.

Leverage Existing Frameworks: Adopt established frameworks like the NIST Cybersecurity Framework to guide program development.

Secure Funding: Explore government grants, rate adjustments, or other creative funding mechanisms for security investments.

With a strategic approach and sustained commitment, water utilities can make significant progress in enhancing their cybersecurity posture despite resource constraints.

Conclusion

The cyber threat to our nation’s water infrastructure is real and growing. Recent incidents have demonstrated the potential for malicious actors to disrupt water service or even endanger public health through cyber attacks. As water utilities continue to digitize their operations, the attack surface will only expand.

Protecting our water systems from cyber threats must be a national priority. It requires coordinated action from utilities, government agencies, technology providers, and cybersecurity experts. While challenges exist, proven technologies and best practices are available to dramatically improve the cyber resilience of water infrastructure.

Every water utility, regardless of size, needs to take concrete steps to assess their cybersecurity risks and implement appropriate safeguards. This is not just an IT issue, but a critical business and public safety imperative. With sustained focus and investment in cybersecurity, we can ensure that our water infrastructure remains safe and reliable in the face of evolving threats.

The security of our most vital resource – water – depends on it. The time for action is now.