September 2022
In September 2020, staff at a New Jersey-based wastewater system (WWS) facility discovered that hackers had used Makop ransomware to compromise files within their operating system. In March 2021, cyber attackers introduced a previously unknown ransomware variant into the system of a Nevada wastewater plant. In July 2021, criminal hackers used remote access to slip ZuCaNo ransomware into a wastewater facility’s SCADA computer in Maine.
This is where ransomware gangs in Bulgaria believe their next score will come from. It doesn’t make sense unless you think in terms of a perceived “soft target” — meaning a facility that is part of the nation’s critical infrastructure but may not have the latest operating software or trained InfoSec staff assigned to protect network environments. Not because of poor planning, but due to shrinking budgets and skeleton staff.
Granted, these are not the kind of high-profile cyberattacks that make headlines on major news networks and publications. They’re more likely to show up on specialized tech and cybersecurity sites frequented only by professionals in the field and their government agency counterparts. So, stories tend to fly under the radar, because the security of water and wastewater systems is something most of us have long taken for granted.
In October 2021, the Critical Infrastructure and Security Agency (CISA) released a special advisory highlighting cyber threats directed at U.S. water and wastewater systems. The advisory was released in conjunction with the EPA, FBI and NSA. The alert described ongoing, malicious cyber activity targeting the information technology (IT) and operational technology (OT) networks, systems and devices of U.S. water and wastewater facilities.
The advisory was meant to remind both system administrators and cyber professionals that water systems are not immune from attacks by cybercriminals, even though they tend to go unnoticed most of the time. It was also meant to alert the general public that these vital systems we all rely on for clean water and sewage disposal are an important component in the nation’s critical infrastructure environment.
CISA defines certain critical infrastructure sectors that are “so vital to the U.S. that their incapacitation or destruction would have a debilitating effect on security, the nation’s economy and/or national public health and safety.” That means the most important parts of the country’s security, economic, health and safety infrastructure. Think of all the structural parts that allow the country to function and provide services to citizens.
Theresa Bellish, Senior Director of Commercial Water at NSF, suggests that water system administrators start with an evaluation of their processes. “The first step to protecting a water utility from a security breach is evaluating where the current cybersecurity processes stand,” she says. “The Environmental Protection Agency (EPA) provides a useful checklist. A risk assessment will help a utility understand how to improve its processes and protect its systems.”
Tony Giles, Director of Information Security at NSF-ISR, recommends this approach for water system managers. “We need to remember that no industry is immune to cyberattacks and stay educated on the risks we take on in a digital environment. Businesses can do this by making sure proper systems are in place to reduce the risk associated with online tools and keep cybersecurity defenses up. So we have clean drinking water for all our communities.”