Public water systems have quickly grown into one of the United States' most critical infrastructures. They are responsible for gathering, treating, and distributing water to 90 percent of Americans. That critical role brings its own vulnerabilities, and public water systems are no exception to the growing concern over cybersecurity.
The United States Federal Bureau of Investigation now ranks cybercrime as one of its most important law enforcement activities. In a statement from the United States Department of Energy, "In addition to the general problems associated with cybercrime, critical infrastructure related to energy production, manufacturing, water supply and other systems have come under attack."
According to a CBS News report just this past week, the U.S. Government issued an urgent warning about dangerous new malware that could devastate critical infrastructure.
"It comes on the heels of Ukraine withstanding an attempt by Russian hackers to knock out power to 2 million people in that war-torn country. The Biden administration has been releasing sensitive intelligence and dire warnings that the Kremlin is preparing to launch a new generation of cyberattacks on American soil," the article claims.
Threat trends reported by the FBI and in news reports illustrate the increasing threat posed by cyberattacks on local governments. According to a report by KTVZ, attacks on government facilities nearly doubled from 2021 to 2022. The report focused on City of Dallas computer servers that were infected by malware in May 2023.
So How are Water Utilities Affected?
More and more public water systems are incorporating technology into their systems. Nowadays, SCADA (supervisory control and data acquisition) systems are essential for efficient operations in most water systems across the country. That computer technology in itself can make systems susceptible to cyberthreats. As more infrastructure becomes capable of communication, control, and data acquisition, cybersecurity must become of utmost importance.
The Environmental Protection Agency (with assistance from the United States Department of Homeland Security) is in charge of detection research and response among public water systems. According to the EPA, under a cyber attack, "water system operators can lose their ability to track the true status of the water system. Thus, water system managers need to improve their ability to know:
- when their treatment systems, pumps, valves, tanks, etc. are being compromised.
- how to quickly stop an attack,
- how to recover so that safe and full service can be returned to the community."
Examples of Compromised Water Treatment Plants
In Oct. 2021, the FBI, CISA, and EPA issued a joint warning that revealed several industrial control systems at water facilities had been impacted by ransomware attacks in the last two years. Many of the wastewater facilities were targeted because of their outdated software and attacked via phishing campaigns. Because public water systems are considered U.S. critical infrastructure, cybercrime attacks can cause economic repercussions and can jeopardize public health and safety.
Many of the compromised systems had to be run manually until the SCADA systems and computers were restored.
On Feb. 5, 2021, cyber criminals gained access to a SCADA system at a United States water treatment facility. The bad actors used the software to increase the amount of sodium hydroxide in the treatment process. Luckily, personnel noticed the dosage change before there were any serious consequences. The water treatment process was unaffected and continued to operate as normal. According to the Cybersecurity and Infrastructure Security Agency, "the cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system."
The more integrated SCADA systems and infrastructure become, the more necessary it is to make sure they are secured. According to the Department of Energy, the water sector is generally believed to be lagging behind most critical infrastructures in securing its control systems. The top five common security gaps among water utilities are:
- Network configurations
- Media protection
- Remote access
- Documented policies and procedures
- Trained staff
Consequences of Cyber Attacks
There may be several motives behind a cyberattack. Some objectives can include:
- Upsetting treatment processes by opening and closing valves, disabling pumps and alarms, and overflowing tanks
- Extracting data to sell for financial gain
- Discharging contaminated water causing ecological and societal consequences
- Denying access to drinking water
- Further developing attacks by installing malicious software
In general, cyber attacks on public water systems can disrupt the distribution of clean drinking water and the treatment of wastewater, erode customer confidence, and cause serious financial and legal ramifications.
Protecting Drinking Water Systems
The good news is, simple cybersecurity practices can be very effective in eliminating vulnerabilities. And while most water managers are unfamiliar with information technology and maybe even SCADA technology (especially smaller public water systems), there are simple ways to promote a cybersecurity culture. Here are a few tips recommended by the EPA:
- Cybersecurity training for core SCADA-using staff members
- Updating to the latest version of the operating system
- Multi-factor authentication
- Strong passwords to protect remote access
- Ensure anti-virus and firewalls are up-to-date
- Audit network configurations
- Ensure you choose a SCADA system that logs all activity and changes to the system
- Train users to identify and report attempts at social engineering or phishing
- Identify and suspend access of users exhibiting unusual activity
The EPA even recommends that freshwater and wastewater systems install physical security measures to protect their systems. These are systems that can prevent physical damage from occurring if the system is compromised. This includes pressure switches, tank levels, size of chemical reservoirs, valve gears, etc.
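The tips above on logging all changes and identifying unusual activity, shown as an added example (not from the EPA or from any SCADA product): a short Python review of setpoint-change audit records that flags values outside engineering limits, large steps such as the sodium hydroxide increase described earlier, and off-hours remote changes. The CSV layout, tag names, limits and staffed hours are assumptions, and the sample records are constructed.

```python
import csv
import io
from datetime import datetime

# Hypothetical engineering limits per tag: (min, max, largest allowed fractional step).
LIMITS = {
    "NAOH_SETPOINT_PPM": (50.0, 150.0, 0.20),
    "PUMP3_SPEED_PCT": (0.0, 100.0, 0.25),
}
STAFFED_HOURS = range(6, 19)  # assumption: plant is staffed 06:00-18:59

# Constructed sample in a made-up CSV layout; not taken from any real product or incident.
SAMPLE_LOG = """\
timestamp,user,source,tag,old_value,new_value
2024-03-04T08:02:11,op_day,console,NAOH_SETPOINT_PPM,100,105
2024-03-04T13:31:40,shared_admin,remote,NAOH_SETPOINT_PPM,105,1500
2024-03-04T13:36:02,op_day,console,NAOH_SETPOINT_PPM,1500,100
2024-03-05T02:14:55,contractor,remote,PUMP3_SPEED_PCT,60,62
2024-03-05T09:40:00,op_day,console,VALVE7_POS_PCT,0,100
"""


def review_changes(log_text):
    """Return (timestamp, user, tag, reasons) for every change that needs a human look."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        old, new = float(row["old_value"]), float(row["new_value"])
        when = datetime.fromisoformat(row["timestamp"])
        reasons = []
        limits = LIMITS.get(row["tag"])
        if limits is None:
            reasons.append("no_limits_defined")  # unknown tags are surfaced, not ignored
        else:
            low, high, max_step = limits
            if not low <= new <= high:
                reasons.append("out_of_range")
            # Relative step; a change away from zero is always treated as large.
            if (old == 0 and new != 0) or (old != 0 and abs(new - old) / abs(old) > max_step):
                reasons.append("large_step")
        if row["source"] == "remote" and when.hour not in STAFFED_HOURS:
            reasons.append("remote_off_hours")
        if reasons:
            findings.append((row["timestamp"], row["user"], row["tag"], reasons))
    return findings


if __name__ == "__main__":
    for finding in review_changes(SAMPLE_LOG):
        print(*finding)
```

The operator's corrective change back to 100 is also flagged as a large step, which is intended: every abrupt change gets a second look, including the recovery.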
Cybersecurity Research
The EPA is leading a committee of water industry experts to develop the capability to test public water systems' equipment to determine the security of the structure and SCADA software. Most of its research is conducted at the Water Security Test Bed, a replica of a typical municipal drinking water piping system.
According to the EPA, "the researchers will investigate the ability of hackers to take over the control and operation of pumps, valves, and hydrants, or to provide incorrect operational and water quality information to the water system operators, thus compromising pipe integrity, water quality and fire protection."
The WSTB is built to simulate a municipal water system that uses SCADA software. The primary goal of the project is to provide information to help public water systems become more resilient to the increasing threat of cyber attacks.
In Conclusion
In this digitized world, it's essential to be vigilant against the threat of hackers, especially when it comes to critical infrastructure that can directly affect the public's health. It's imperative that public water systems and water utility organizations adopt measures to prevent cyber attacks, including hardware and SCADA systems that are designed to improve cybersecurity.