Water infrastructure is critical to national security, economic stability and public health and safety. While necessary for operations, the increasing automation of the water sector has opened it up to malicious cyber activity that could disrupt or manipulate services. Dating back to 2009, President Obama declared cybersecurity threats to be among “the most serious economic and national security challenges we face as a nation.” In January 2012, in testimony before the House of Representatives, the U.S. director of national intelligence stated that cyber threats pose a critical national and economic security concern.
Over the past two decades, federal investment in water systems has equaled only 4% of the amount that state and local governments invested, and most of the federal funding was in the form of low-interest loans, not grants. Fortunately, the White House earmarked $2 billion from the bipartisan infrastructure bill that was signed into law in 2022 to go toward strengthening U.S. infrastructure against cyberattacks. This couldn’t come at a more critical time as cities such as Los Angeles; San Francisco; Atlanta; Portland, Oregon; and Oldsmar, Florida, have experienced hacks.
Water and wastewater infrastructure security
After Sept. 11, 2001, the federal government directed efforts to secure the nation’s critical infrastructure and initiated programs such as the National Strategy to Secure Cyberspace (Bush, 2003). This strategy addressed the vulnerabilities of supervisory control and data acquisition (SCADA) systems and industrial control systems (ICS) and called for the public and private sectors to work together to foster trusted control systems. SCADA/ICS are an essential component for the effective operation of most water utilities in the U.S. The Homeland Security Presidential Directive and its successor, the Presidential Policy Directive issued in 2013, reaffirmed the water sector as one of the 16 critical infrastructure sectors that must be protected.
There are close to 200,000 drinking water systems in the U.S. that provide tap water to nearly 300 million people. This critical infrastructure spans tens of thousands of miles, involves many remote sites and requires multiple networks with complex software and hardware needs. The sheer size and scope of these systems offer hackers many exploitable entry points. As utilities adopt the cloud, remote access, smart devices and the Internet of Things (IoT), information technology (IT) and operational technology (OT) are no longer separate. Over the past decade, the technology behind water infrastructure and utilities has become more interconnected with OT and IoT devices. Connected devices such as controllers, sensors and smart meters are being used by water utilities to remotely monitor and manage processes. In a West Monroe survey, 67% of utility leaders cited cybersecurity as their top concern about the converged IT and OT network.
A cyberattack causing an interruption to drinking water and wastewater services could erode public confidence, or worse, produce significant public health and economic consequences. The diverse nature of the water and wastewater sector – with organizations of varying size and ownership, the sector’s splintered regulatory regime and a lack of cybersecurity governance protocols – presents significant challenges. Moreover, entities within the sector often face insufficient financial, human and technological resources. Many organizations have limited budgets, aging computer systems and personnel who may lack the knowledge and experience for building robust cybersecurity defenses and responding effectively to cyberattacks.
A report by the American Water Works Association, “Cybersecurity Risk & Responsibility in the Water Sector,” states that: “Failing to address cybersecurity risk in a proactive way can have devastating results. Failing to take reasonable measures and employ best practices to prevent, detect, and swiftly respond to cyberattacks means that organizations and the people who run them will face greater damage—including technical, operational, financial and reputational harm—when the cyberattacks do occur.”
Additional software offers enhanced security
While technology has revolutionized the way municipalities conduct business, broader use of technology also brings vulnerabilities. The software and systems aimed at increasing utilities’ interconnectedness have led to greater cyber threats. However, turning to additional technology is one answer to combating them.
Although replacing legacy systems and networks can be extremely costly, it is essential to work with vendors and cybersecurity experts to implement updates and, if necessary, overhauls of outdated systems. Enlist the help of internal or external advisors to prioritize risk and develop a realistic approach and plan for enhancing cybersecurity. At a minimum, comply with basic standards including restricted physical and technical access, firewalls, logging and encryption.
Additionally, many SCADA systems are simply overexposed to the internet by remote desktop applications (e.g., RDP and TeamViewer). In an attempt to provide process and asset information to operators, organizations have provided much more, ignoring the principle of least privilege (PoLP) and opening their entire control systems and their hosts to remote desktop access by unnecessary parties. Such broad remote access techniques present an increased security risk for organizations. For example, Oldsmar, Florida, experienced this firsthand when an improperly secured TeamViewer application allowed an unauthorized party to increase the amount of sodium hydroxide being added to its water treatment process.
Advanced remote alarm notification software gives remote operators access to only the information they need from SCADA, not access to the SCADA system itself or its operating system host. Such notification software is compatible with more secure, layered networks in which a series of firewalls provides added protection from attacks. This is done by deploying notification solutions alongside the SCADA system at the network’s control level and either using notification modalities that are not internet-facing or moving internet-facing notification processes to higher network levels. For example, internal email servers, SMS modems and voice via PBX devices allow communication with the outside world without internet exposure. Likewise, separating the processes that interface with SCADA from those that interface with external email servers, VoIP solutions and cloud apps allows internet-based notifications without compromising security.
Of course, there are valid use cases for desktop sharing software that do not violate PoLP and go well beyond operator access to process information. For such systems, it’s critical that the remote desktop solutions be implemented with sound security. Utilities should not use unattended access features, and IT leaders should configure the software such that the application and associated background services are stopped when not in use. Integrating the remote alarm notification software through the SCADA system is critical to further reducing exposure to cyberattacks.
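The following is an added example, not code from the article or from any vendor it names, that turns the remote-access practices above into a repeatable check: it audits an inventory of remote desktop deployments for internet exposure, full-desktop access where only process information is needed, unattended access, missing multifactor authentication and services left running between sessions, then ranks the findings so an advisor review can start with the worst exposures. The inventory records, hostnames, purpose labels and field names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Purposes for which a read-only alarm/notification channel is sufficient, so a full
# interactive desktop would exceed least privilege (constructed labels, not a standard).
INFO_ONLY_PURPOSES = {"process information", "alarm viewing"}


@dataclass
class RemoteAccess:
    """One remote desktop / desktop-sharing deployment on a utility host (assumed fields)."""
    host: str
    tool: str                      # e.g. "RDP" or "TeamViewer", the two tools the article names
    purpose: str                   # why remote access exists at all
    unattended_access: bool        # sessions accepted with nobody at the console to approve them
    service_runs_when_idle: bool   # application/background service left running between sessions
    internet_reachable: bool       # listener reachable from the public internet
    mfa_enforced: bool
    full_desktop: bool             # full interactive desktop vs. information-only view


def audit_remote_access(ra: RemoteAccess) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs; an empty list means the deployment follows the practices above."""
    findings: List[Tuple[str, str]] = []
    if ra.internet_reachable:
        findings.append(("high", f"{ra.tool} listener on {ra.host} is reachable from the internet; "
                                 "move it behind a VPN or jump host in a higher network tier"))
    if ra.full_desktop and ra.purpose in INFO_ONLY_PURPOSES:
        findings.append(("high", f"{ra.host} grants a full desktop for '{ra.purpose}'; "
                                 "a notification or read-only channel satisfies least privilege"))
    if ra.unattended_access:
        findings.append(("medium", f"unattended access is enabled on {ra.host}; "
                                   "require an operator to approve every session"))
    if not ra.mfa_enforced:
        findings.append(("medium", f"no multifactor authentication on {ra.host}"))
    if ra.service_runs_when_idle:
        findings.append(("low", f"{ra.tool} service on {ra.host} keeps running between sessions; "
                                "stop the application and its background services when not in use"))
    return findings


SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def prioritize(inventory: List[RemoteAccess]) -> List[Tuple[str, str, str]]:
    """Flatten every finding across the inventory as (host, severity, message), highest severity first."""
    rows = [(ra.host, sev, msg) for ra in inventory for sev, msg in audit_remote_access(ra)]
    return sorted(rows, key=lambda row: SEVERITY_RANK[row[1]])


# Constructed sample inventory: one badly exposed HMI, one correctly configured
# engineering workstation and one HMI that only over-grants desktop access.
INVENTORY = [
    RemoteAccess(host="hmi-01", tool="TeamViewer", purpose="process information",
                 unattended_access=True, service_runs_when_idle=True, internet_reachable=True,
                 mfa_enforced=False, full_desktop=True),
    RemoteAccess(host="eng-ws-02", tool="RDP", purpose="vendor maintenance",
                 unattended_access=False, service_runs_when_idle=False, internet_reachable=False,
                 mfa_enforced=True, full_desktop=True),
    RemoteAccess(host="hmi-03", tool="RDP", purpose="alarm viewing",
                 unattended_access=False, service_runs_when_idle=True, internet_reachable=False,
                 mfa_enforced=True, full_desktop=True),
]

if __name__ == "__main__":
    for host, severity, message in prioritize(INVENTORY):
        print(f"[{severity:6}] {host}: {message}")
```

Run as-is, the script lists seven findings, all five for hmi-01 and two for hmi-03, and none for eng-ws-02. The point of the separate prioritize step is that the same inventory can be re-audited after each remediation round until the list is empty.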
There are several steps that utilities should take to improve their cybersecurity:
- Update any software to the latest version;
- Deploy multifactor authentication; favor authentication apps and SMS over codes sent to email;
- Use strong passwords changed periodically where multifactor authentication cannot be employed;
- Ensure antivirus systems, spam filters and firewalls are up to date, properly configured and secure;
- Require all personnel to go through cybersecurity awareness training;
- Create or review backup and recovery plans.
Additionally, water utilities can reduce vulnerabilities from cyberattacks or events by:
- Identifying systems that need to be protected;
- Separating systems into functional groups;
- Implementing layered or tiered defenses around each system;
- Controlling access into, and between, each group.
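The following is an added example, not code from the article, that models the four steps just listed together with the layered notification design described earlier: systems are inventoried and assigned to functional zones ordered from most exposed to most protected, cross-zone traffic is governed by an explicit allow-list, and a flow may move inward by only one zone per hop so that every inward step crosses its own firewall. The zone names, hostnames, services and the deliberately misconfigured rule are constructed assumptions.

```python
from typing import Dict, List, Set, Tuple

# Steps 1 and 2: identify the systems and assign each to a functional group (zone).
# Zones are ordered from most exposed (index 0) to most protected (index 3);
# each inward step is meant to cross its own firewall (the layered or tiered defence).
ZONES: List[str] = ["internet", "enterprise_it", "dmz", "control"]
LEVEL: Dict[str, int] = {zone: i for i, zone in enumerate(ZONES)}

SYSTEMS: Dict[str, str] = {  # constructed inventory: host -> zone
    "vendor-laptop": "internet",
    "cloud-notify-api": "internet",
    "mail-relay": "enterprise_it",      # internal email server
    "historian-web": "enterprise_it",
    "jump-host": "dmz",                  # the only sanctioned path into the control zone
    "notify-gateway": "dmz",             # forwards alarms on to cloud apps, VoIP and external mail
    "alarm-notifier": "control",         # sits beside SCADA; its SMS modem and PBX need no network path
    "scada-server": "control",
    "plc-chem-dosing": "control",
}

Rule = Tuple[str, str, str]  # (source zone, destination zone, service)

# Steps 3 and 4: explicit allow-list of cross-zone flows; anything not listed is denied.
ALLOWED: Set[Rule] = {
    ("control", "dmz", "alarm-push"),        # the control zone only ever initiates outbound
    ("dmz", "enterprise_it", "smtp"),        # gateway hands mail to the internal relay
    ("dmz", "internet", "https"),            # gateway reaches cloud notification / VoIP services
    ("enterprise_it", "internet", "https"),
    ("enterprise_it", "dmz", "rdp"),         # operators reach the jump host ...
    ("dmz", "control", "rdp"),               # ... and the jump host reaches control: one tier per hop
    ("enterprise_it", "control", "rdp"),     # deliberate mistake for the lint check: bypasses the dmz tier
}


def skips_tier(src_zone: str, dst_zone: str) -> bool:
    """True when a flow moves inward by more than one zone, i.e. bypasses a firewall layer."""
    return LEVEL[dst_zone] - LEVEL[src_zone] > 1


def lint_rules(rules: Set[Rule] = ALLOWED) -> List[Rule]:
    """Find allow-rules that themselves violate the one-tier-per-hop layering."""
    return sorted(rule for rule in rules if skips_tier(rule[0], rule[1]))


def evaluate_flow(src_host: str, dst_host: str, service: str,
                  rules: Set[Rule] = ALLOWED) -> Tuple[str, str]:
    """Decide whether a connection between two inventoried hosts is permitted, with the reason."""
    src_zone, dst_zone = SYSTEMS[src_host], SYSTEMS[dst_host]
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic inside {src_zone}"
    if (src_zone, dst_zone, service) not in rules:
        return "deny", f"no rule permits {service} from {src_zone} to {dst_zone}"
    if skips_tier(src_zone, dst_zone):
        return "deny", f"rule {src_zone}->{dst_zone} bypasses the {ZONES[LEVEL[src_zone] + 1]} tier"
    return "allow", f"matches rule ({src_zone}, {dst_zone}, {service})"


def audit_flows(observed: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str, str]]:
    """Evaluate a list of observed (src, dst, service) connections, e.g. from firewall logs."""
    return [(src, dst, svc, *evaluate_flow(src, dst, svc)) for src, dst, svc in observed]


# Constructed sample of observed connections.
OBSERVED = [
    ("alarm-notifier", "notify-gateway", "alarm-push"),   # sanctioned outbound alarm path
    ("notify-gateway", "cloud-notify-api", "https"),      # internet-facing step lives in the dmz
    ("historian-web", "jump-host", "rdp"),                # one tier inward: allowed
    ("historian-web", "scada-server", "rdp"),             # rule exists but skips the dmz: denied
    ("vendor-laptop", "scada-server", "rdp"),             # the Oldsmar pattern: no rule, denied
]

if __name__ == "__main__":
    for src, dst, svc, verdict, reason in audit_flows(OBSERVED):
        print(f"{verdict:5} {src} -> {dst} [{svc}]: {reason}")
    print("rules that bypass a tier:", lint_rules())
```

The allow-list and the tier check are deliberately independent: the list expresses what the utility intends, and the tier check catches a rule that was added in good faith but quietly collapses two firewall layers into one, which is exactly the kind of over-exposure the layered-network design is meant to prevent.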
The new normal
According to McKinsey & Company’s report, “Critical resilience: Adapting infrastructure to repel cyber threats,” cyberattacks should be thought of as a certainty akin to the forces of nature. Just as engineers must consider the heaviest rains that a dam may need to contain in the next century, those digitizing infrastructure must plan for the worst in considering how an attacker might abuse or exploit the systems that enable infrastructure monitoring and control. This shift in thinking will begin to lay the path to connected infrastructure that is resilient by design.