Cybersecurity Threats to Water Utilities Are Rising

In the past few years, there have been several high-profile threats to water systems that could have seriously endangered the public health and the environment. In an October 25, 2021 alert from the US government’s Cybersecurity and Infrastructure Security Agency (CISA), several recent water and wastewater systems (WWS) facilities cyber intrusions were highlighted, including:

• In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.
  
• In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds.
  
• In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim’s SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).
  

With these incidents in mind, Fortinet sponsored a WaterWorld Magazine report titled Cybersecurity in Water Management Facilities.

WaterWorld Report

A news and technology resource, WaterWorld Magazine provides up-to-date information on technology, products, and trends to professionals in the municipal water and wastewater industry.

Published in early 2022, the Cybersecurity in Water Management Facilities report discusses how cyberattacks are a growing threat to water utility companies and it also “highlights [the industry’s] major gaps in cybersecurity education, training, and the creation of a cybersecurity culture.”

Volatile Critical Infrastructure

According to the WaterWorld report, WWS facilities are considered “volatile critical infrastructure” and noted that the industry was highlighted in Section 3 (a) of the White House’s National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. This survey was done to get an accurate picture on the WWS industry’s status and future needs for improving its cybersecurity.

Key Survey Findings

1. Only a Minority are Confident in Their Cybersecurity

With the increase connectivity, water utilities are more vulnerable than ever to cyberattacks. Unfortunately, less than half (49%) of respondents felt confident in their cybersecurity solutions. Consequently, investment in cybersecurity will be their highest priority in the future.

2. Many with Responsibility Lack Cybersecurity Experience

When given multiple choices for responding to the question “Who is responsible for managing your cybersecurity?” 29% of the WWS respondents said the “Head of IT” while 30% chose “Other.” The write-in responses for “Other” included many in roles that require zero cybersecurity experience, including city manager, operator, governing board and secretary, mayor, town council member, human resources director, and finance director!

3. Many Respondents May Have a False Sense of Cybersecurity

Of the WWS leaders who were surveyed, almost 80% indicated that their organizations had no cyber incidents within the last 12 months. Because of the ever-growing number of cybercriminal activity, we believe that many survey participants may be unaware of the malicious activity surrounding their operational technology (OT) systems. Without intrusion detection, incidents and security breaches may occur, and hackers may be exploiting vulnerabilities and gaining access to WWS systems without being noticed. View the latest cybersecurity stats.

4. More Cybersecurity Training Needed

A significant number of survey respondents indicated that they have a poor understanding of what needs to change to improve their organization’s cybersecurity. These and other responses indicate the need for much more training to create a cybersecurity culture throughout the organization.

Penalties for Breaches

In the past, OT for water and wastewater systems was isolated from IT, however, as technologies advanced, more systems transitioned to a digitally connected model where OT and IT integration is common. This opened the floodgates to cyberattacks on WWS facilities.

With to the rapid growth in the use of smart meters, sensors and automation, predictive analytics, digital twins, and the Industrial Internet of Things (IIoT), WWS attack surfaces have become very inviting to cybercriminals.

Successful cyberattacks can have extremely severe consequences and WWS utilities are subject to regulatory penalties for breaches. Without sophisticated detection methods, cyber intrusions can be “invisible” until it’s too late.

A Higher Priority on Cybersecurity

Obviously, water utility leaders know how critical their WWS systems are, but some may not appreciate the real risks of having inadequate cybersecurity. If funding is an issue, it only takes one breach to bust a budget. Board of directors must understand the importance of cybersecurity and budget accordingly.

Perhaps one of the most important comments in the WaterWorld report is the concluding sentence: “Placing a higher priority on cybersecurity to include a long-term strategy and adequate funding is critical to the protection of our water systems.”