In the past few years, there have been several high-profile threats to water systems that could have seriously endangered the public health and the environment. In an October 25, 2021 alert from the US government’s Cybersecurity and Infrastructure Security Agency (CISA), several recent water and wastewater systems (WWS) facilities cyber intrusions were highlighted, including:
With these incidents in mind, Fortinet sponsored a WaterWorld Magazine report titled Cybersecurity in Water Management Facilities.
A news and technology resource, WaterWorld Magazine provides up-to-date information on technology, products, and trends to professionals in the municipal water and wastewater industry.
Published in early 2022, the Cybersecurity in Water Management Facilities report discusses how cyberattacks are a growing threat to water utility companies and it also “highlights [the industry’s] major gaps in cybersecurity education, training, and the creation of a cybersecurity culture.”
According to the WaterWorld report, WWS facilities are considered “volatile critical infrastructure” and noted that the industry was highlighted in Section 3 (a) of the White House’s National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. This survey was done to get an accurate picture on the WWS industry’s status and future needs for improving its cybersecurity.
With the increase connectivity, water utilities are more vulnerable than ever to cyberattacks. Unfortunately, less than half (49%) of respondents felt confident in their cybersecurity solutions. Consequently, investment in cybersecurity will be their highest priority in the future.
When given multiple choices for responding to the question “Who is responsible for managing your cybersecurity?” 29% of the WWS respondents said the “Head of IT” while 30% chose “Other.” The write-in responses for “Other” included many in roles that require zero cybersecurity experience, including city manager, operator, governing board and secretary, mayor, town council member, human resources director, and finance director!
Of the WWS leaders who were surveyed, almost 80% indicated that their organizations had no cyber incidents within the last 12 months. Because of the ever-growing number of cybercriminal activity, we believe that many survey participants may be unaware of the malicious activity surrounding their operational technology (OT) systems. Without intrusion detection, incidents and security breaches may occur, and hackers may be exploiting vulnerabilities and gaining access to WWS systems without being noticed. View the latest cybersecurity stats.
A significant number of survey respondents indicated that they have a poor understanding of what needs to change to improve their organization’s cybersecurity. These and other responses indicate the need for much more training to create a cybersecurity culture throughout the organization.
In the past, OT for water and wastewater systems was isolated from IT, however, as technologies advanced, more systems transitioned to a digitally connected model where OT and IT integration is common. This opened the floodgates to cyberattacks on WWS facilities.
With to the rapid growth in the use of smart meters, sensors and automation, predictive analytics, digital twins, and the Industrial Internet of Things (IIoT), WWS attack surfaces have become very inviting to cybercriminals.
Successful cyberattacks can have extremely severe consequences and WWS utilities are subject to regulatory penalties for breaches. Without sophisticated detection methods, cyber intrusions can be “invisible” until it’s too late.
Obviously, water utility leaders know how critical their WWS systems are, but some may not appreciate the real risks of having inadequate cybersecurity. If funding is an issue, it only takes one breach to bust a budget. Board of directors must understand the importance of cybersecurity and budget accordingly.
Perhaps one of the most important comments in the WaterWorld report is the concluding sentence: “Placing a higher priority on cybersecurity to include a long-term strategy and adequate funding is critical to the protection of our water systems.”