Even the Smallest Water Utilities Are Vulnerable to Ransomware Attacks

Last year was especially busy for the Critical Infrastructure and Security Agency (CISA), one of the federal agencies that protect 16 vital infrastructure sectors in the United States. The agency was engaged in tracking a rising tide of cyberattacks and ransomware demands and working with private-sector and government agency partners to respond to the threats — most of which originated with cybercriminals operating out of Eastern Europe, Russia and Asia.

Amid all this activity, the agency issued an advisory highlighting a critical infrastructure sector that usually operates quietly and away from public view: water and wastewater (WWS) systems. The alert reflected work CISA had done with a cybersecurity company and agency partners the FBI, the NSA and the EPA to identify cyber threats targeting the data and operations technology that supports the networks of WWS facilities across the nation.

The CISA alert described several attacks. One deployed Ghost variant ransomware against a California WWS facility in August 2021. The ransomware variant lay quiet within the system for about a month and was discovered only when control and data servers displayed a ransomware message. In a July 2021 attack, hackers used remote access to insert ransomware into a wastewater facility’s computers. And there were previous attacks in Nevada and New Jersey.

These attacks revealed vulnerabilities experts were not aware of. One out of 10 WWS facilities that opted to receive cybersecurity assistance had a critical vulnerability, and more than 80% of these were linked to software flaws identified before 2017. They had pinpointed a specific vulnerability: Many utility IT managers were not doing timely software patches.

Other vulnerabilities have shown up in smaller rural WWS facilities according to cyber experts at CISA and in the private sector. Having full-time information security professionals on staff or outside advisors to monitor and protect against ransomware attacks requires substantial budgets, which very few rural utilities have. However, what they do have is access to top-notch guidance on cyber best practices.

The EPA estimates that there are over 148,000 public water systems in the U.S. A substantial number are members of the American Water Works Association (AWWA). The association reminds system operators that there is now a federal law requiring systems serving 3,300 or more persons to factor cybersecurity threats into risk and resilience assessments and emergency response plans. The law is America’s Water Infrastructure Act of 2018 (AWIA).

AWWA promotes water sector cybersecurity risk management guidance for water utilities of all sizes. For small rural utilities serving less than 10,000 people, it recommends a getting-started guide along with an assessment tool to improve cybersecurity practices. Utilities can use the tool to assess the implementation status of critical controls designed to fix cybersecurity vulnerabilities. CISA and the EPA also offer cybersecurity best practice procedures for water utilities.

Haley Glass, Digital Account Executive with NSF-ISR, advises public- and private-sector clients on the best ways to protect networks and cloud platforms from cyberattacks. She recommends that water utility managers take a proactive, start-small approach. “Start small and implement the basics, like password parameters and multifactor authentication. Train your team to know the signs of a phishing attack and the consequences." That’s a plan even small water utilities with just one IT person can initiate immediately.

Sources:

www.nsf.org/knowledge-library/nsa-expanded-cyber-outreach

www.nsf.org/knowledge-library/greyter-water-systems-relationship

www.nsf.org/knowledge-library/busy-company-chief-information-security-officer