Recent cyberattacks targeting water utilities across the United States have raised considerable alarm, highlighting the vulnerabilities within the nation’s water supply systems. These incidents underscore the serious implications that such cybersecurity threats impose on the overall safety and reliability of water utilities, prompting various federal agencies to issue extensive warnings and guidelines in response. With both large, resourceful water utilities and smaller, more vulnerable ones in the spotlight, the challenges of reinforcing security measures have become more evident. While larger utilities have started to improve their security protocols, smaller utilities often lack the necessary expertise and resources to adequately address these threats.
Key Incidents and Responses
One particularly alarming incident involved pro-Iranian hackers infiltrating a Pittsburgh-area water utility’s programmable logic controller (PLC), resulting in the display of an anti-Israel message on the utility’s touchscreen interface. This breach forced the utility to switch to manual control of its water pressure-regulating system, thus compromising its normal operations. Additionally, a water and wastewater operator serving 500 North American communities had to sever the connections between its IT and OT networks after a ransomware attack compromised back-end systems and exposed customer data.
Another significant event saw the largest regulated water utility in the US experience an outage of its customer-facing websites and telecommunications network following an October cyberattack. These attacks have intensified concerns regarding the security and integrity of water systems, prompting federal agencies such as the Cybersecurity and Infrastructure Security Agency (CISA), the White House, the FBI, the Office of the Director of National Intelligence (ODNI), the Environmental Protection Agency (EPA), and the Water Information Sharing and Analysis Center (Water ISAC) to issue stringent security guidelines and warnings.
Focus on Small Utilities
Despite the high-profile incidents involving larger utilities, a majority of cyberattacks targeted smaller water utilities with limited security awareness and resources. These attacks were largely opportunistic in nature, exploiting the vulnerabilities within the smaller systems. Although larger utilities like Veolia and American Water were also targeted, breaches mainly affected their IT systems without disrupting water services. Gus Serino, president of I&C Secure and former process control engineer for the Massachusetts Water Resources Authority, interpreted these attacks as efforts to undermine confidence rather than to cause actual damage.
The primary challenge lies in securing smaller water utilities against future cyber threats without imposing excessive costs or sophisticated security infrastructures. The challenge is a long-standing one: Dale Peterson, president of ICS/OT security consultancy Digital Bond, highlighted that his first client back in 2000 was a water utility. These utilities often prioritize tangible issues such as replacing old or damaged pipes over investing in sophisticated security monitoring systems that demand both expertise and substantial overhead, which are usually out of reach for facilities without dedicated IT support.
Industry-Wide Challenges
Water utilities, like other ICS/OT industries, have been increasingly equipping traditionally isolated PLC systems and OT equipment with remote access capabilities. These additions allow for more efficient remote monitoring and management but concurrently expose these systems to elevated risks. When operators manage water pumps, adjust settings, and respond to alarm failures remotely, systems that are not properly segmented or secured present several vulnerabilities that cyber attackers can exploit.
Despite the integration of security features into new PLC units by vendors like Siemens, these advancements are rarely deployed at smaller water plants. Even when new PLCs are present, the security features are often not activated. This oversight opens the door to potential cyberattacks wherein hackers, having gained access to a device on the network, could manipulate the PLC. Addressing these risks demands a concerted industry-wide effort, particularly focusing on the integration and activation of security functionalities in PLCs.
Systems Integrators and Security
ICS/OT systems integrators, tasked with installing OT systems at water utilities, frequently overlook implementing security measures for the equipment and software they set up. This negligence leaves the networks vulnerable due to open ports or default credentials. A notable incident involved the Iran-based Cyber Av3ngers hacking group exploiting factory-default credentials to break into the PLCs at the Aliquippa Municipal Water Authority plant, highlighting the cybersecurity weaknesses prevalent in water utilities.
Fortunately, some positive developments have emerged, as significant systems integrators like Black & Veatch have started collaborating with larger water utilities to incorporate security measures into new OT installations from the outset. According to Ian Bramson, vice president of global industrial cybersecurity at Black & Veatch, utilities are beginning to perceive cybersecurity as a physical safety issue and aim to integrate it into systems during the initial phases rather than considering it as an afterthought.
Positive Developments and Resources
Free cybersecurity resources have become available for water utilities facing resource constraints. The Water-ISAC’s top 12 Security Fundamentals and the American Water Works Association (AWWA)’s security assessment tool are among them. These tools assist utilities in mapping their environments to the NIST Cybersecurity Framework, identifying security weaknesses, and presenting a coherent cybersecurity business case to their leadership. Such initiatives empower smaller utilities to bolster their defenses against cyber threats without incurring significant costs.
Another promising development is the cyber volunteer program, which pairs cybersecurity experts with rural water utilities requiring cyber assistance. The DEF CON Franklin project has initially enlisted six utilities across Utah, Vermont, Indiana, and Oregon, enabling these experts to evaluate and enhance the security posture of these facilities. Volunteers, including Mandiant’s Chris Sistrunk, recommend foundational security measures such as multifactor authentication, offline backups, and response plans for cyber incidents, thus fortifying these utilities against potential threats.
Basic Security Recommendations
Recent cyberattacks on water utilities across the United States have sparked significant concern, emphasizing the weaknesses in the nation’s water supply systems. These attacks reveal the severe impact such cybersecurity threats can have on the safety and dependability of water utilities. This alarming trend has prompted various federal agencies to issue detailed warnings and guidelines to help mitigate the risks.
Both large and small water utilities are under scrutiny. Larger utilities, with more resources, have begun to bolster their security protocols to defend against cyber threats. However, smaller utilities frequently struggle as they often lack the necessary expertise and financial resources to effectively strengthen their defenses. This disparity in resources and capabilities underscores the broader challenges faced by the water sector in achieving robust cybersecurity.
Federal agencies are working tirelessly to provide support and resources, but the road to securing the nation’s water supply is complex. Improved cybersecurity policies, increased funding, and enhanced training for personnel are critical steps. The urgency to address these vulnerabilities cannot be overstated, as the potential consequences of a successful cyberattack on our water supply could be catastrophic. Essential measures must be taken now to ensure the protection and reliability of water services for all Americans.