It’s not yet known who is behind the February attack on a water treatment plant in Oldsmar, Fla., but there’s no question that it was intended to cause harm, taking over a control system and releasing unsafe levels of sodium hydroxide into the water supply.
An operator noticed what was happening and corrected the problem. It’s likely that system sensors and redundancies would have prevented a disaster without human intervention, but the event was the stuff of nightmares.
In April, the National Security Council announced the start of a 100-day plan to improve the cybersecurity of America’s electrical infrastructure. Following the Colonial Pipeline incident, the president gave remarks that his public-private initiative would also include water systems.
About 200 utility companies provide electricity to the majority of Americans. All together, there are an estimated 3,000 electric utilities in the country. When it comes to the nation’s water sector, the picture is much more complicated.
More than 52,000 community drinking water systems in the U.S. provide tap water to nearly 300 million Americans. Ninety-three percent provide water to fewer than 10,000 people, and 67 percent to fewer than 500. There are also more than 100,000 non-community drinking water systems at campgrounds, schools, hospitals, office buildings, factories and other locations. Wastewater infrastructure includes 16,000 treatment systems that serve 250 million citizens.
Numerous and varied, the nation’s water utilities share similar vulnerabilities and can benefit from similar protective strategies. Many effective countermeasures can be implemented without great expense, but that doesn’t mean they are always in place.
Unseen, Not Nonexistent
Managers at utilities of all sizes are seeing a constant barrage of attacks of varying degrees of sophistication, says Kevin M. Morley, Ph.D., manager of federal relations for the American Water Works Association (AWWA). “If you’re not monitoring, you may have a false sense of security,” he says. “If you don’t look, it doesn’t mean it’s not happening.”
Cyber vulnerability is an abstract concept to most people, including leadership, unless they are directly involved in preventing attacks, says Morley. To some extent, this can be attributed to the way devices and connectivity are marketed.
“People may have computers and phones, but we don’t train consumers on the security of the things we’ve been shoving into their homes for the past 20 to 30 years,” he says. “It’s not part of the dialogue to talk about how to set up your Wi-Fi system or your home network that’s now connected to the refrigerator and the hairdryer and the light bulbs.” Moreover, consumers are conditioned to give their data away, not to protect it.
In most cases, water service is part of municipal government. To achieve efficiency, one IT department often manages all departments in a city or county. It’s not unusual for city leaders to focus on the basics — computers, email, payroll — rather than the details of network security.
In addition to the information technology system (ITS) necessary for the business functions of government, water utilities use industrial control systems (ICS) to manage the pumps, motors and other equipment that make their plants run. If a network is not configured properly, and the ICS is not segmented, separated from the ITS, an attack could affect both systems.
“You’re only as strong as the network itself,” says Morley. “If the network is serving multiple systems, all those points on the compass need to be secured.”
Small Mistakes, Big Consequences
While a cybercriminal or foreign actor might be able to engineer an attack that could breach even a well-protected network, most of the events included in a review of water cybersecurity incidents over the last 20 years could have been prevented with routine precautions.
Perhaps the most notorious occurred in Australia in 2000, when nearly a million liters of raw sewage were released into a river, park and residential grounds by an angry former employee. The ICS was not protected by any procedures, defenses or policies, including the fact that the worker’s access to it had not been revoked.
A 2007 attack against the Tehama-Colusa Canal Authority in California was also the work of a former employee, as was a 2012 event at the Florida Key Largo Waste Treatment District. In 2014, a fired employee of a company that manufactured smart water meters used his access to interfere with the meters of five water utilities across three states. A former employee of the Post Rock Rural Water District in Ellsworth, Kan., has been indicted for logging into its system in 2019 and interfering with cleaning and disinfecting systems.
The pandemic made remote access to IT and operational technology (OT) a necessity, but also brought a new risk: equipment used on a “plug and play” basis, without adequate attention to security. The Oldsmar attack that sent shockwaves through the sector was possible because the attacker connected to the OT through an insecure laptop belonging to a remote worker.
It’s difficult to make the threat of cyberattacks real to all stakeholders, says Morley. “In the past it was, ‘Who’d want to come to my town? I’m just this small little community,’” he says. “But on the Internet, it’s ones and zeros, it’s open doors — and for the criminal actor, it’s a game of statistics.”
Mandiant, a firm that provides security for OT systems, has observed increasing numbers of incidents in which Internet-connected systems have been compromised, but notes that “the activity is typically not sophisticated and is normally not targeted against specific organizations.”
Aspiring hackers don’t need to understand programming. Software that can power attacks can be purchased through darknet marketplaces for as little as $50, including tech support. There’s little effort involved in sending a phishing email to tens of thousands of people or entities.
It only takes one click for a payload to be delivered. If a water supplier isn’t updating software, educating staff and maintaining hardware and security controls, the system can be exploited.
Shared Systems, Shared Vulnerability
Water systems in many jurisdictions do have good security controls when they have enough budget to support technology purchases and an appropriately sized and skilled staff. Wrangling security in rural communities, where 25 percent of the population is served by 85 percent of the nation’s community water systems, is another matter.
“As far as cities having an IT person, I just don’t know of any our size,” the president of the Kansas Rural Water Association told theKansas City Star in the aftermath of the Post Rock incident. “And if we did have an IT person, they better know how to repair pot holes, fix water leaks, pick up snow and everything else that we do.”
Ari Neumann is the director of community and environmental services for the Rural Community Assistance Corp (RCAC), a nonprofit organization that is part of the Environmental Protection Agency’s Environmental Finance Center Network. His team serves 13 western states, including Alaska and Hawaii, with a primary focus on water and sewer systems.
“One of the things that we see fairly often in rural areas is one shared operator operating multiple systems,” Neumann says. “If those remote systems don’t have good cybersecurity in place, an issue could affect more than one community at the same time.”
The income from the small population of rate payers served by rural systems may not be enough to cover even the cost of providing water, he says, much less allow them to invest in robust cybersecurity. Moreover, new risks have entered the picture for those that have recently increased remote operations.
“One of the big risks is not keeping up; there’s always technological change, and hackers are getting more and more sophisticated,” says Neumann. “It’s not going to be very feasible for a system that has very limited resources to keep up with all those changes.”
RCAC serves a lot of utilities that have one employee who operates the system, does maintenance work, samples water and may even collect payments from customers.
The picture is further complicated by the lack of broadband service. In Neuman’s experience, Internet providers don’t generally consider government clients or water utilities when they build out networks in rural areas. “Water utilities can be partners with the local broadband utility,” he says. “We’ve seen some collaborative efforts, but I’d like to see more.”
RCAC encourages partnerships and information sharing between districts and provides technical support. It recently helped districts in the west conduct cybersecurity assessments, helping them find the time and space to look at their vulnerabilities and work out what they can do about them.
Larger utilities, with adequate cybersecurity resources, should also reach out to neighboring water and wastewater systems to mentor and tutor them, says Jennifer Lyn Walker, lead cyber threat analyst for Water Information Sharing and Analysis Center (WaterISAC). “They may not have the resources to help them overhaul their systems, but they can at least take them under their wing and have a conversation, for the safety of society.”
Validated tools exist that enable water agencies of any size to assess the state of their cybersecurity, and to generate plans to address weaknesses.
Guidance for Critical Infrastructure
A 2003 Presidential Directive identified seven critical infrastructure sectors that were priorities for protection against terrorist attacks, and designated the U.S. EPA is the agency responsible for drinking water and water treatment systems. A 2013 Directive expanded the list of critical infrastructures from seven to 21, renaming the water sector, “Water and Wastewater Systems.”
In the same year, Executive Order 13636 called for the National Institute of Standards and Technology (NIST) to create a Cybersecurity Framework based on consensus standards and industry best practices. AWWA’s Morley had developed a resilience index for his doctoral thesis — a set of indicators that a water utility could use to evaluate its resilience efforts and make plans to improve them.
He had begun a project to create something similar for cybersecurity when EO 13636 was issued, and AWWA worked with EPA, NIST and the Department of Homeland Security to develop guidance for the water sector that was complimentary to the NIST framework.
The document that came from this work has been updated since it’s first publication to align with America’s Water Infrastructure Act. This 2018 law requires water systems serving more than 3,300 people to update, or develop, risk assessments and emergency response plans that take cybersecurity into account.
The current version of the AWWA guidance is accompanied by an assessment tool that uses a set of “yes” and “no” questions that enable a water utility to quickly discover how far it needs to go to be truly secure and the most important immediate steps for improvement. Both are available at no cost on the AWWA website.
WaterISAC, a nonprofit established in coordination with industry associations, research organizations and the EPA, is an all-threats security information source for the water and wastewater sector. Its free resource, “15 Cybersecurity Fundamentals for Water and Wastewater Utilities,” is complementary to the AWWA materials, says WaterISAC’s Walker.
“They’re meant to be used in concert with one another,” she says. “Our guide can give you an overview of the things that you need to be looking for, but it’s not deep down in the weeds; their tool takes a system to the next step.”
Federal resources are also available. In keeping with its role as the lead agency for cybersecurity in this sector, the U.S. EPA offers tools including a cybersecurity guide, an incident action checklist, and a vulnerability self-assessment tool. In April, EPA announced the availability of $6.5 billion for low-cost loans to support water infrastructure projects, including “new or innovative approaches” to cybersecurity.
Hope Is Not a Strategy
More funding may be on the way. “Congress is going to be making some decisions in the next few months about water-sector cybersecurity, and it needs to understand that there needs to be a very steep ramp-up of federal investment in training, education and technical assistance, maybe even funding for equipment and tools,” says Michael Arceneaux, WaterISAC’s managing director.
Membership in an information-sharing community such as AWWA or WaterISAC can be another form of support. Just keeping up with threats and determining which are most likely to affect the water sector can be a full-time job, says Walker, a burden even for well-staffed systems.
“What’s really important is that this is not an intractable problem,” says Morley. “There are very feasible controls that can be put in place in any kind of system that don’t require a million-dollar tech solution.”
Progress toward greater security begins when a water utility uses the resources AWWA and others have developed to discover its vulnerabilities. “That’s half the battle,” Morley says. “You’ve got to know what you’ve got because if you don’t know, you can’t manage it — hope is not a strategy.”