Water Utilities Are Becoming a Vital Target for Cyberattacks
Imagine you’re an administrator at a water utility in the Midwest. You serve a city with a population of a quarter million people. In any given week, your biggest worry might be that your IT department is a few days behind in installing the new remote operations software you ordered recently. Or that your water chemicals supplier called to tell you that your next shipment will be a couple of weeks late because of some supply chain glitch.
That was before. Now your days are less calm and more vigilant, because criminal hackers have added water treatment plants to their growing list of so-called “soft targets,” where administrators may not have the best InfoSec measures in place, the latest operating software or well-trained information security professionals on staff. Indeed, reduced tax bases in many cities have shrunk budgets substantially over the last ten years.
Here are a few examples of recent cyberattacks:
In January 2021, a hacker tried to poison a water treatment plant that serves parts of the San Francisco Bay Area. NBC News reported that “the hacker used the username and password of a former team member’s TeamViewer account, a program that allows users to control their computers remotely.” After logging in, the hacker reportedly deleted programs that the water plant used to treat drinking water.
In February 2021, unidentified hackers forced entry into the operations technology system of a water treatment plant in Oldsmar, Florida. If the attack had succeeded, it would have poisoned the water supply by boosting the levels of sodium hydroxide, known as lye, in the water from 100 parts per million to 11,100 parts per million. Luckily, a water plant operator prevented the attack by reversing the change before the toxic levels of lye reached the water supply.
Haley Glass, Digital Account Executive at NSF-ISR, works with an experienced InfoSec team advising clients in both the public and the private sectors on the best ways to protect their networks and cloud platforms from cyberattacks. She offers these simple words of advice to water utility managers: “Start small and implement the basics, like password parameters and multifactor authentication. Train your team to know the signs of a phishing attack and the consequences.”
The Critical Infrastructure and Security Agency (CISA) issued a special advisory on cyber threats to U.S. water and wastewater systems in October 2021. The advisory was released in conjunction with partnering agencies the FBI, the EPA and the NSA. It described ongoing malicious cyber activity targeting the information technology (IT) and operational technology (OT) networks, systems and devices of U.S. Water and Wastewater Systems Sector facilities.
A recent survey by CISA found that out of the small number of water supply facilities across the country that choose to receive cybersecurity assistance, one out of 10 had a critical vulnerability. More than 80% of the vulnerabilities were related to software flaws that emerged before 2017. This meant that too many water system operators had not taken the critical steps to keep remote access software patched and updated.
Cybersecurity experts at CISA and in the public and private sectors point to smaller water treatment facilities in more rural areas as likely to be more vulnerable to cyberattacks simply because they may not have the budget to prevent them. That budget is essential to support full-time information security professionals on staff or outside security advisors to monitor and protect against cyber hacks and ransomware attacks.
Glass’ colleague, Theresa Bellish, Senior Director of Commercial Water at NSF, offers a big-picture perspective. “Effective cybersecurity plans at water utilities are critical in reducing and preventing cyberattacks on the vital systems that control water quality. Water is our most precious resource. Everyone uses it every single day. So, protecting drinking water from hackers is essential to protecting human health.”