Today, public and private sector organizations face an alarming increase in sophisticated and malicious cyber activity along with attacks that directly target municipal systems. Critical infrastructure, including drinking water infrastructure, is the frequent target of these attacks.
Until recent years, water supply security was based largely on the principle of isolation. Process control systems were a series of disconnected systems and applications over decades, air-gapped by virtue of not being connected to other computers or to the internet and making infiltration by external cybercriminals unlikely. However, in the last 20 years, critical infrastructure providers, including water and wastewater facilities, have modernized their plants and distribution networks, integrating IT assets with operational technology (OT) and industrial control systems (ICS).
The converged domains have unified information and control networks, delivering advantages such as centralized management and visibility into OT production and performance. This convergence has also led to an increase in threat actors that are focused on critical infrastructure, with energy and water among the top ten most frequently attacked OT/ICS sectors.
Today’s water sector cybersecurity
A new era of cyber threats has evolved as water and wastewater facilities modernized. It didn’t take long for cybercriminals to discover they could access OT and ICS networks by gaining a foothold on internet-facing IT systems and moving laterally into adjacent connected OT assets. Following this realization, threat actors began to infiltrate IT assets to disrupt business systems, damage equipment, discharge wastewater into environmentally sensitive areas and implant ransomware that disrupted operations.
Today, threat actors have shifted their focus to the OT systems of critical infrastructure providers. Legacy infrastructure, high impacts of downtime, and service interruption make potential ransomware payouts a greater likelihood. A recent research survey of OT and ICS cybersecurity incidents found that a majority of OT takedowns caused by cyberattacks are the result of an IT breach (84%), and 60% of OT incidents result in operational disruption.
How water treatment facilities can improve their cybersecurity
Both public and private sector entities play a role in water treatment operations. In the U.S., approximately 50% of water treatment facilities are owned and operated by public entities, such as municipalities, while the other 50% are owned and operated by private companies. Government authorities and private utility companies contracted to manage services like water treatment must work together to secure the connections between IT and OT networks.
While there are some differences in the way that public and private sector water treatment facilities are operated, they both face similar cybersecurity challenges. Water treatment infrastructure is often aging and outdated, and it can be difficult and expensive to upgrade security. Additionally, water treatment facilities often have limited cybersecurity resources and expertise.
Below are key steps that government and private sectors can take to collaboratively enhance their cybersecurity:
- Assess current cybersecurity posture and implement response plans
The American Water Infrastructure Act (AWIA) requires that all community water systems serving populations of 3,300 people or more conduct two risk management activities every five years. First, entities must complete a risk-and-resilient assessment or vulnerability assessment. Second, they must complete an emergency response plan.
“Smart water” capabilities like real-time monitoring and remote connectivity are also increasingly essential to helping water utilities quickly respond to challenges. This includes using strong passwords, multi-factor authentication, firewalls and intrusion detection systems. - Share information about cyber events between public and private entities
Both the government and private sector need to share information about cyber threats so that everyone can learn from each other and take steps to protect their systems. The Security and Exchange Commission (SEC) recently adopted rules requiring companies to disclose material cybersecurity incidents within four days. The U.S. EPA also provided guidance in January 2023 for reporting cyber events at water and wastewater facilities. Cyber incidents resulting in disruptions of operational processes are of particular concern to the federal government. There can also be benefits to public and private entities reporting their own incidents related to critical infrastructure, so these organizations can get to the bottom of the attacks quickly and help prevent them from impacting the public. - Government investment in cybersecurity training
Most executives know the importance of OT cybersecurity, but they also lack the knowledge of the specific systems and processes that must be in place to secure legacy software and equipment that wasn’t necessarily built with security in mind. Organizations must ensure that teams are knowledgeable of the risks and threats impacting critical infrastructure.
While the EPA provides training resources, cybersecurity training is not federally mandated. In addition to nationwide implementation plans, the federal government must also invest in ensuring public and private companies alike receive cybersecurity training for water treatment facility employees and provide financial assistance to help them implement cybersecurity best practices. - Partner together to develop cybersecurity plans
The best thing water utilities can do is address the challenge head on, with a comprehensive approach to cybersecurity, inclusive of public and private entities. The federal government has taken note of these increasing risks to critical infrastructure and water operations. In March 2023, the EPA released a memorandum calling for states to protect public drinking water by assessing their cybersecurity risk at drinking water systems.
A few months later in July, the White House released its National Cybersecurity Strategy Implementation Plan, highlighting the importance of defending critical infrastructure from increasing cybersecurity threats. Private entities need to take note and work with the government to develop joint plans to ensure action. These plans should include all the above elements for risk assessment, plan for incident response, information sharing, training and more.
Government authorities and private utility companies must work together to secure it from cyber threats. As attacks on critical infrastructure continue to rise, working together is the best course of action to help ensure resilient systems. By implementing inclusive, collaborative cybersecurity practices and training, water treatment and wastewater facility operators can minimize operational disruptions and ensure that the public has access to clean water.
