
“No technology that’s connected to the Internet is unhackable.”
Abhijit Naskar
The COVID-19 pandemic forced the business world to shift, facilitating the growth of remote work. As a result, companies are now heavily dependent on technology, and hackers are taking note. Over the last year, cyberattacks have increased exponentially. For instance, Check Point Research reported a 29% increase in cyberattacks worldwide in the first half of 2021, along with a 93% increase in ransomware attacks. In recent months, authorities have raised concerns over the cyber vulnerabilities in US water systems.
Cybersecurity Threats in Water Systems
On July 13, expert testimony given by members of the Senate Environment and Public Works Committee revealed the inefficiency of federal programs. Among the experts was Maine Senator Angus King, co-chair of the Cyberspace Solarium Commission (CSC). King testified, “I believe that the next Pearl Harbor, the next 9/11, will be cyber, and we are facing a vulnerability in all of our systems, but water is one of the most critical, and I think one of the most vulnerable.”

In rural areas, water facilities are highly vulnerable to cyberattacks due to a lack of resources and training. Therefore, keeping up with cybersecurity best practices is vital to the water and wastewater industry.
According to the EPA, business or process control systems at water or wastewater utilities are vulnerable to cyber-attacks, including:
Upsetting Treatment and Conveyance Processes
- Opening and closing valves
- Overriding alarms
- Disabling pumps or other equipment
Website or Email Systems
- Defacing the utility’s website
- Compromising the email system
Customer Data Collection
- Personal data
- Credit card information
Installation of Malicious Programs
- Ransomware (used to disable control operations and business processes)
Recent Cyber-Attacks on US Water Systems
- The Boston Water and Sewer Commission was the victim of a ransomware attack last year.
- January – NBC News reported a hack of a water treatment plant in San Francisco, California.
- February – Oldsmar, Florida, experienced an unsuccessful hack attempt in which city systems were compromised to control chemical balances.
- March – The Justice Department indicted one individual for hacking into and tampering with a water system in a rural Kansas county.
Challenges for Utilities
In essence, there is a shortage of information technology (IT) specialists and cybersecurity specialists to help water and wastewater utilities regulate cyberspace. Further complicating matters, water companies are not governed by clear guidelines. However, regardless of being subject to EPA regulation, water companies must deal with state and environmental agencies and state public utility commissions.
Basic cybersecurity best practices do not require specialized training, and user-friendly resources are available for utility personnel. Recently, WaterISAC published a newly updated resource in response to continually evolving threats: 15 Cybersecurity Fundamentals for Water and Wastewater Utilities. So, let’s take a look.
15 Cybersecurity Fundamentals for Water and Wastewater Utilities
- Perform Asset Inventories
- Assess Risks
- Minimize Control System Exposure
- Enforce User Access Controls
- Safeguard from Unauthorized Physical Access
- Install Independent Cyber-Physical Safety Systems
- Embrace Vulnerability Management
- Create a Cybersecurity Culture
- Procedures
- Implement Threat Detection and Monitoring
- Plan for Incidents, Emergencies, and Disasters
- Tackle Insider Threats
- Secure the Supply Chain
- Address All Smart Devices (IoT, IIoT, Mobile, etc.)
- Participate in Information Sharing and Collaboration Communities
Additional Resources include:
The EPA’s Cybersecurity Incident Action Checklist (pdf)
AWWA Resources on Cybersecurity
Water System Safety
Among the consequences of these attacks on water and wastewater utilities are the potential compromise of customer confidence, financial and legal liability, and consumer harm. A growing number of cyber-attacks are targeting critical infrastructure, further disrupting essential operations. Among the high-profile cases this year, for example, was the DarkSide group’s Colonial Pipeline ransomware attack. It was the largest cyberattack in US history to target oil infrastructure.

Furthermore, DarkSide used a single compromised password from a no-longer-active VPN account as their attack vector. Because Colonial Pipeline transports nearly half of the East Coast’s fuel, this incident was eye-opening. But how? In short, even the thought that people could not trust their drinking water would be enough to cause panic, as the fuel shortages did.
Leonardo da Vinci said, “Water is the driving force of all nature.” When our water systems are at risk, it’s not a problem that can be ignored. Above all, the safety and security of the American people need to be addressed.
Is Your Business Safe?
Cyber-attacks continue to rise with the integration of new technology, and we need to be ready for them. Meanwhile, the most valuable tool is to become informed. Read up on the latest exploits, tools, and techniques for keeping your network safe. There are hundreds of ways to reduce the risk and severity of intrusions.
Contact Applied Power Technologies and let us discuss how we can help you lock down your systems. In addition, APT offers cybersecurity training to help you keep your network secure. These cyber-threats are real. Don’t face them on your own.
Lindsey Harding, Director of Marketing and Business Development