CXO Insights

Threats to water: the Achilles’ heel of critical infrastructure

DAVID CAGIGAL
February 27, 2024 - 4 min read

Recent cyberattacks on the water industry raise the prospect of more frequent, widespread, damaging incidents that threaten disruption to lives and livelihoods. I know the chaos that stems from disruption to the water supply, having led the recovery of systems knocked offline by floods in Iowa. For this reason, we must act now to improve water sector cybersecurity.

Multiple cyberattacks have hit the water industry recently, notably the ransomware attack on Veolia North America that resulted in the loss of customers' personal data, and an Iran-linked hacker targeting devices commonly used by water companies, which led to the release of an advisory from the Cybersecurity and Infrastructure Security Agency (CISA).

Further, CISA, the Environmental Protection Agency and the Federal Bureau of Investigation released their Top Cyber Actions for Securing Water Systems, which found it necessary to include advice as basic as “Change Default Passwords Immediately” and “Conduct Cybersecurity Awareness Training,” suggesting serious shortcomings in the security hygiene at most water systems.

The water and wastewater sectors are CISA-defined National Critical Infrastructure Functions, but the nation’s 150,000 public drinking water systems and 16,000 publicly owned wastewater treatment systems are generally considered technology laggards due to resource constraints, even as they transition to digital infrastructure like sensors and network-connected systems. Protections and processes are not keeping up with a mushrooming attack surface, while incident response coordination and information sharing among companies are lacking.

If the sector is to make significant improvements in cybersecurity, it must focus on three strands: a whole-of-state approach to cybersecurity to share the burden; implementation of zero trust to reduce risk on critical systems; and improvements in incident response processes to aid resilience and recovery. 

Sharing the load

I cannot stress enough how paramount it is to combine efforts to safeguard public safety and national security. By adopting a whole-of-state approach, state and local government organizations can make the most of federal dollars through economies of scale.

Technology and cyber leaders across all SLED levels must put aside short-sighted thinking and pool resources to make a meaningful cybersecurity improvement for information and operational technology (OT) across critical infrastructure like water and wastewater. 

The intersection of risk: IT and OT

Prevention is better than cure. Water and wastewater companies must reduce the risk of compromises to avoid potentially devastating outcomes. One area high on any water company’s priority list must be securing the operational technology that runs the infrastructure and the thousands of IoT devices that gather and transmit data. 

Applying zero trust to an IoT/OT network as a layer on top of traditional defense-in-depth strategies is one solution. It will ensure that water control systems and SCADA systems that speak to internet-connected IT systems are secure while carrying out tasks like exporting control system data for regulatory and business purposes. Administrators can better control the devices on the network through continuous verification, least-privilege access, and granting just-in-time and just-enough access to users.

Zero trust also means visibility across all traffic, enabling utilities to automatically detect, identify, and classify IoT devices like sensors for water quality measurement. By forwarding all traffic to the cloud for security and access, utilities can protect against command-and-control and other attacks.

Sector-wide incident response 

In parallel, water companies must improve their incident response processes. Last month CISA published its Cyber Incident Response Guide for the Water and Wastewater Sector (WWS), a resource every water utility operator must get familiar with.

The guide provides a framework for the incident response lifecycle that is adaptable to any utility, covering the federal roles, resources, and responsibilities for each stage: Preparation; Detection & Analysis; Containment, Eradication, & Recovery; and Post-Incident Activity. An example resource that covers the basics is the “15 Cybersecurity Fundamentals for Water and Wastewater Utilities” published by the Water Information Sharing and Analysis Center (WaterISAC).

These tools can go a long way toward standardizing how water utilities and other public- and private-sector organizations that support critical infrastructure achieve uniformity, collaboration, and information sharing to meet the nation's cybersecurity goals across all governing tiers.

By implementing modern solutions and adopting the measures outlined in the resources provided by organizations like CISA, the Environmental Protection Agency, and WaterISAC, the water and wastewater sector can help ignite a chain reaction that can better secure one of our most precious resources and deliver a shining example of whole-of-state public sector cybersecurity.
