Cyberattacks have been increasing in frequency across the nation. For the water sector, compromised assets can result in peril for citizens and environments on a large scale.
These attacks have become more prevalent partially because the utility sector is continuing to enhance their services with digital tools. The COVID-19 pandemic only exacerbated the issue as utilities quickly adopted remote work, employing new digital technologies in the process, or speeding up adoption.
Rising Risks
While technological growth offers plenty of benefits, it also comes with great risk.
According to a study by Chain Analysis, ransomware victims paid at least $350 million in 2020 — three times as much as they did in 2019. Developed nations like Russia and China are putting significant resources toward cyberattacks against U.S. infrastructure; with occasional success.
The National Security Agency (NSA) and U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released multiple alerts in each passing year, urging infrastructure providers to strengthen their cybersecurity.
CISA recently published a cybersecurity advisory urging critical infrastructure facilities to take immediate action to secure their operations from attacks. In mid-October, the nation’s top federal security agencies published a joint statement to highlight the prominence and danger of cyberattacks for the nation’s water and wastewater facilities.
“As we’ve said many times,” Bryan Ware, assistant director for cybersecurity at CISA said, “our adversaries are capable, imaginative and aim to disrupt essential services, so it is important that we make sure we are staying ahead of them.”
According to Black & Veatch, more than two-thirds of utilities credited COVID-19 for their organization’s increased consideration of digital technology, pointing to the pandemic-forced remote working practices of their employees. With such a quick, unexpected and recent growth in digital technology for the industry, utilities’ risk of cyberattacks has also increased.
In January, a hacker tried to poison a water treatment plant in the San Francisco Bay area. The hacker had stolen a former employee’s credentials and deleted several water treatment programs from the plant’s computers. These actions weren’t discovered until the following day — when the plant immediately changed all its passwords and reinstalled any deleted programs.
Only one month later, an individual was able to gain access to a water treatment plant located in Oldsmar, Fla. Working remotely, the hacker was able to increase the facility’s sodium hydroxide dosing to dangerous levels before a supervisor noticed. Notably, the treatment levels were brought back to normal by employees via remote access.
Sadly, these are not the only examples of utilities that found out their systems needed better security this year. In April, the Pennsylvania Water Action Response Network, a group of municipal water agencies in the state, announced in an email that two of its systems were “victims of recent cyber intrusions” and that the FBI was investigating the matter.
At the same time, a ransomware attack on a wastewater treatment plant in Mount Desert, Me., placed all of the facility’s computers out of operation for three days, though the operation of the plant itself was reportedly not affected.
The nearby town of Limestone, Me., was also the victim of a ransomware attack in early July, most likely the result of running an outdated computer operating program. The Limestone facility recovered with no serious consequences.
Risk for Small Operators
“From our perspective, the water/wastewater sector utilities are likely to be targeted regardless of size,” said Fabion Husson, insights branch chief at CISA.
Large utilities, such as those serving cities with more than 50,000 customers, may be more prone to sophisticated attacks, continued Husson. Small to medium-sized utilities, meanwhile, have a higher likelihood of both sophisticated and unsophisticated attacks because they provide a less risky testing environment for attackers.
But with cybersecurity efforts being funded primarily by the utility service providers, the smallest water utilities may be the least prepared for attacks. Without dedicating sufficient resources toward security posture, even very basic attacks can have major consequences for these organizations.
In August, the cybersecurity firm ThreatLocker found that 38 percent of water companies spent less than one percent of their budget on IT security, and that 44.8 percent spent less than one percent on OT security. Many facilities also continue to use software and operating systems beyond their end-of-life status. These outdated systems mean additional vulnerabilities for attackers.
“The small to medium utilities in the water/wastewater sector are fighting more of an uphill battle than a medium or large one,” said Chris Grove, technology evangelist for cybersecurity firm Nozomi Networks, “typically because they have a lot fewer resources to work with than a big city water facility that has millions of dollars.”
“When you’re talking about some of these really small operators, sometimes the IT department is one-tenth of one person’s job while 90 percent of that person’s job is real physical engineering work,” continued Grove, “Tasking someone responsible for keeping our water pure [along] with [the added job of] cybersecurity is almost like an unfair ask.”
He recommends that smaller utilities focus on tasks that simplify operations and allow them to do more with less. Software-as-a-Service (SaaS), for example, provides operators with pre-established security technology so that resources won’t need to be dedicated toward establishing separate protocols.
“They should also focus on having a good backup strategy,” continued Grove. “If you can’t build a good defense, and you know you’re not going to be able to defeat the attackers when they get there, then accept that.”
It may not feel likely that a small operator could build enough defenses against a sophisticated attack. Instead, a facility can focus on a post-breach mentality: reducing the impacts of, and recovering from, a successful attack. However, building a strong defense is now much easier than it may seem.
Improving Federal Standards
In the United States, both federal and state governments are still trying to catch up with the rapid growth of digitalization within critical infrastructure. While there’s not yet a robust standard for cybersecurity, significant strides have been made in the last year.
In May, the White House signed executive order 14028. The order modernizes cybersecurity within federal agencies, establishes a Cybersecurity Safety Review Board (based off the National Transportation Safety board), requires IT service providers to share certain breach information and creates a standardized playbook for responding to cyber incidents.
That same month, the Department of Homeland Security (DHS) issued a directive that requires pipeline operators to report cybersecurity incidents to CISA and to designate a Cybersecurity Coordinator. An upcoming draft bill plans to establish this reporting requirement for all critical infrastructure sectors.
The White House has also continuously met with leaders in several critical infrastructure sectors to discuss safeguarding the nation from cyber threats.
Resources Available
Utilities are not alone in their work toward acheiving digital resilience. Federal agencies now provide countless cybersecurity resources and services that can be completely free.
“It’s not always about how much money you spend. It’s how well you spend it,” said Grove. “Putting money in the right places and having the right mentality and the right culture can go a long way.”
Many of the water sector’s cybersecurity resources come from CISA and the Environmental Protection Agency (EPA). CISA directs its activity toward helping U.S. organizations prevent, detect, respond to and recover from attacks; EPA, as the explicit authority for community water systems’ security, operates a wealth of initiatives and services for cyber resilience.
“CISA offers a range of cybersecurity assessments that evaluate operational resilience, cybersecurity practices, organizational management or external dependencies, or other key stakeholder elements of a robust cybersecurity framework,” said Husson. “A lot of these services are free to the entities and they are offered solely on a voluntary basis, available upon request.”
Some of CISA’s services include cyber-hygiene vulnerability scanning services (which includes phishing campaign assessments and remote penetration testing), risk and vulnerability assessments, simulated cyberattacks, digital architecture reviews, and evaluations for out-of-the-box products/solutions. CISA also provides an interactive services catalog to help facilities choose the best-fitting services.
“We currently have an effort underway to increase participation across all sectors, so that we get a statistically significant sampling of participants and have a better sense of what is really happening within each of those sectors,” continued Husson. “From a water sector perspective, it would benefit U.S. greatly if we had more water sector entities sign up for those CISA services.”
Meanwhile, EPA has established both the Water Information Sharing and Analysis Center and the Water Security Initiative to provide security resources to water facilities. The EPA’s established Water Laboratory Alliance provides resources on contamination preparedness. EPA also offers a wealth of standalone resources including workshops, assessment tools and scenario exercises.
After the pandemic, many facilities may feel like new participants in the growing digital world. Thankfully, these resources and practices can help these facilities take a proactive approach to enhancing their post-pandemic security posture. WW
About the Author: Jeremy Wolfe is Assistant Editor for WaterWorld magazine. Email him at [email protected].Published in WaterWorld magazine, November 2021.