Water and wastewater systems are part of the critical infrastructure of any nation, which makes them prized targets for physical and cyberattacks. These attacks can disrupt, and potentially contaminate, the supply of clean water. Threat actors may also cause issues with wastewater capture and treatment systems. Both scenarios can significantly endanger public health and safety and, most importantly, consumers’ trust in the water they drink and their natural environment. It’s essential to prioritize water and wastewater information technology (IT) cybersecurity as well as operational technology (OT) security. We must protect both of these in order to safeguard public health and ensure a reliable supply of clean water to communities around the world.
Water and wastewater systems are vulnerable to cyber threats due to their ever-increasing reliance on computerized systems for monitoring, control, and communication. This includes administrative information technology and supervisory control and data acquisition (SCADA) systems. Both IT and OT are used to manage and control water and wastewater treatment and distribution systems, while also handling B2B acquisitions and consumer billing/payment systems.
A successful cyberattack on a water system can have real-world consequences. It may lead to service disruptions, water contamination, corrupted water quality data, and physical damage to infrastructure. Due to supply chain challenges and long manufacturing times, major damage could take years to correct. Many systems are still operating with manufacturers’ default or inadequate user passwords. The infrastructure is aging and often running on outdated software, making systems highly vulnerable to attack. Water and wastewater systems are also vulnerable to internal cyber threats. Insider threats can be intentional or unintentional. They can arise from the actions of dishonest, displeased, or simply cyber-naive employees or contractors who have access to the system. In fact, evidence shows that 36% of data breaches were caused by employees falling victim to phishing emails.
A leading concern with trying to secure water and wastewater systems is the lack of effective uniform regulations and protocols. There are over 200,000 publicly and privately owned water and wastewater systems in America alone; most of them are not interconnected with one another. Each system has adopted independent command and control systems. This uniqueness can have both advantages and disadvantages.
Disadvantages of Decentralization
- Imbalance within the industry. With utilities of all different sizes and financial resources, the water and wastewater industry is very disconnected. There is an increasing disparity across the industry and, since hackers usually attack victims with weaker security, this makes smaller entities more vulnerable. Due to limited resources, a lot of smaller utilities find themselves more prone to attacks compared to their larger counterparts.
- Increased complexity. Since there isn’t one central system and related regulations, there are more potentially vulnerable targets for cybercriminals to attack. With every water and wastewater system being essentially unique and standalone, it is more difficult for the government to regulate and effectively track and respond to incidents in the sector. Managing and securing decentralized systems with variable physical, technical, and financial resources requires more regulatory flexibility and additional resources and expertise.
Advantages of Decentralization
- Reduces attack surface and potential impact in a single attack. Data protection and operational control are all separate and often different in how they are implemented, so it’s impossible to bring down the entire water industry with a single attack. When security functions such as authentication, encryption, and data storage are distributed across multiple nodes or systems, the impact of a breach or failure in one area or entity is limited. This reduces the overall vulnerability and maintains the integrity of the system.
- Scalability and performance. Decentralization can often provide better scalability and performance, which in turn improves efficiency. This allows for improved processing speeds and overall system performance.
- Distributed knowledge and information. With a majority of water and wastewater utilities being decentralized, there is much more information being discovered, shared, and utilized. All utilities yield different experiences, methods, and systems. The exchange of data can further promote industry awareness around the dangers of cyberattacks and what one can do to prevent them.
Another concern is the lack of awareness and preparedness. Understanding what the risks are and working to minimize those risks are the first steps in avoiding being the “lowest hanging fruit” for cyber threat actors. In this context, the term means being the easiest target among your peers and therefore the most likely to be the victim of threat actors.
What Needs to be Done to Minimize Risk?
- Technical Risk Mitigation. Water and wastewater utilities (and other organizations) responsible for supporting infrastructure need to implement robust cybersecurity measures. This will start with implementing the following:
  - Regular security assessments and testing
  - Vulnerability and patch management
  - Multifactor authentication
  - Absolute logical separation of IT and OT networks
  - Air-gapped and immutable backups
  - IT network segmentation
  - Systems monitoring
  - Intrusion detection and prevention systems
  - Malware prevention, detection, and response utilities
  - Access controls
  - VPN and other secure communications and remote access security mechanisms, where such access cannot be avoided
  - Employee training and testing
  - Incident monitoring and response plans
  - Business continuity and disaster recovery plans
  - Regular screening of third-party vendors and their potential vulnerabilities
- Financial Risk Mitigation. It is critical that every organization has adequate insurance coverage for cyber resilience. A qualified broker should be enlisted in the process of policy selection. Organizations should ensure that they have cyber liability and breach response and recovery policies that cover cyber events, with particular emphasis on cyber intrusion, ransomware payments, forensics, and recovery. It is also prudent to be sure that an organization has coverage for financial fraud such as business email compromise.
- Collaboration and Information Sharing. The water and wastewater sector has many options for promoting collaboration and information sharing among utilities, government agencies, and cybersecurity experts. Sharing knowledge of emerging threats, vulnerabilities, and best practices can help in developing effective defense strategies. Entities can choose to collaborate amongst themselves, or even better, join one of the many respected water and wastewater associations and information sharing organizations with industry-specific support. Water and wastewater organizations can join international, national, and statewide/regional groups. A few good examples are:
- Regulatory Frameworks. Governments and regulatory bodies are increasingly recognizing the importance of water cybersecurity. They are developing regulations and guidelines to ensure the protection of water and wastewater infrastructure and encouraging the implementation of cybersecurity practices in the sector. It is critical that those who are part of the water and wastewater ecosystem participate in the process of development and dissemination of the regulations so that they are not surprised or injured by what is created in the absence of their input.
Securing water and wastewater systems is a community challenge that requires dedication to safe and reliable systems and the cooperation of business and government actors to get it right. Insistence by consumers that the life-sustaining water and wastewater systems they rely on be safe and reliable is an important motivator in the process.
Be a part of the solution, whether a sector player or consumer…make your ideas and concerns known.
Alvaka is available 24×7 to assist you with any of your cyber defense needs. Call us at 949.428.5000 or fill out the contact form on this page.