This originally appeared in Water & Wastes Digest.
Across the country, our more than 148,000 public water systems face rising cybersecurity threats — stemming from our own employees, our supply chain, vulnerable information technology and operational technology, and geopolitical tensions. What’s more, this surge comes at a time when chronic underfunding, labor shortages, and widening skill gaps have left utilities increasingly exposed to threats.
Water utilities that do not acknowledge and mitigate cybersecurity threats risk significant reputational, financial, and public health damage. To stay ahead and prevent such attacks, here are five actions that water utilities should take.
Many utility leaders assume malicious actors trying to penetrate their systems pose the greatest threat. In reality, the biggest risks water utilities face stem from inside their own four walls, from their own well-intentioned people.
To mitigate these risks, water utilities should validate a process for identity and access management — including the principle of least privilege, role-based controls, multi-factor authentication, and terminating credentials and system access upon employee departure. Utilities should confirm permission levels on a recurring basis to ensure every employee has the appropriate level of access to perform their job.
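The recurring permission review described above can be automated as a reconciliation of system accounts against the HR roster and a per-role privilege baseline. This is an added illustration, not code from the original article; the role names, privileges, users and account records are constructed sample data.

```python
# Added illustration (not from the article): reconcile system accounts against the
# HR roster and role baselines. All names, roles and privileges are constructed.
from dataclasses import dataclass

# Hypothetical role baselines: the most privilege each job role should hold.
ROLE_BASELINE = {
    "operator": {"scada_view", "scada_control"},
    "lab_tech": {"lims_edit"},
    "it_admin": {"ad_admin", "vpn"},
}

@dataclass
class Account:
    user: str
    privileges: set
    mfa_enrolled: bool

def review_access(roster, accounts):
    """roster: {user: (role, is_active)} from HR. Returns (user, finding) pairs."""
    findings = []
    for acct in accounts:
        if acct.user not in roster:
            findings.append((acct.user, "orphan account: no HR record"))
            continue
        role, active = roster[acct.user]
        if not active:
            findings.append((acct.user, "departed employee still has access"))
            continue
        excess = acct.privileges - ROLE_BASELINE.get(role, set())
        if excess:
            findings.append((acct.user, f"exceeds {role} baseline: {sorted(excess)}"))
        if not acct.mfa_enrolled:
            findings.append((acct.user, "MFA not enrolled"))
    return findings

# Constructed sample data: one clean account, one departed user, one over-privileged
# admin without MFA, and one account with no matching HR record.
ROSTER = {"jsmith": ("operator", True), "mlee": ("lab_tech", False),
          "rdiaz": ("it_admin", True)}
ACCOUNTS = [
    Account("jsmith", {"scada_view", "scada_control"}, True),
    Account("mlee", {"lims_edit"}, True),
    Account("rdiaz", {"ad_admin", "vpn", "scada_control"}, False),
    Account("vendor01", {"vpn"}, True),
]

if __name__ == "__main__":
    for user, finding in review_access(ROSTER, ACCOUNTS):
        print(f"{user}: {finding}")
```

Each finding maps to one of the controls in the paragraph: departed users (credential termination), excess privilege (least privilege and role-based controls), and missing MFA.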
It is also critical to prevent employees from connecting USBs and other external devices to utility hardware. This can be accomplished by either disabling the port through Device Manager settings or using a port blocker inserted into the USB port. Utilities should also restrict “Bring Your Own Device” policies. By limiting employees from using their personal devices — and confirming devices have remote wiping capabilities — the risks of malware and data breaches can be reduced.
Training is also paramount. Conduct role-specific cybersecurity training, educating personnel on what cybersecurity is, what risks are most prevalent based on their role, and how they can help safeguard utility assets and operations. Furthermore, utilities must continue to educate their staff on phishing risks and take corrective action with employees who fail phishing tests.
Historically, some water utilities defaulted to trusting their contractors, leaving them vulnerable to attack should these third parties suffer a data breach or malware intrusion. But with supply chain attacks up 430%, water utilities must reconsider the level of trust they place in the organizations they partner with.
To manage these risks, water utilities should address the dynamic, constantly evolving system of interconnected suppliers that provide hardware, software, professional services, and raw materials. Water utilities should start by continuously monitoring and verifying their supplier network, especially as suppliers grow, merge, or disappear. As their portfolio of suppliers grows in complexity, water utilities should also add dedicated management to provide oversight. Doing so will not only expand visibility over the network but also guarantee a degree of control over who has access to critical systems. For example, do you know where your utility’s telecom equipment originated?
Over the last two decades, many electric utilities — in contrast to water utilities — bridged their IT and OT systems. Based on the increasing threat and rate of cyberattacks, however, these electric utilities are now working on isolation projects to “re-airgap” their IT and OT systems as a cyber defense measure.
Historically, attacks on OT systems have been rare, but they are increasing in both frequency and severity. OT security challenges persist due to a lack of funding and a limited understanding of the cyber risks of OT networks. OT systems at water utilities are typically legacy-based, meaning they were not designed with cybersecurity as a central focus and are vulnerable to direct attack. OT system breaches at water utilities are particularly impactful as they can interfere with a utility’s ability to deliver safe water.
Most water utilities are fortunate in that they never bridged IT and OT systems. However, water utilities should still conduct analyses to validate that the systems are indeed air-gapped. Water utilities should also adopt quality controls to protect their systems and ensure OT systems can run at 100% capacity in the event of an IT breach or shutdown.
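One concrete way to validate the air gap described above is to review flow records from the utility's switches or firewalls: an OT network that is truly isolated should show traffic only between OT addresses. The script below is an added illustration, not code from the original article; the IT and OT address ranges and the flow lines are constructed sample data.

```python
# Added illustration (not from the article): scan flow records for any OT host
# exchanging traffic with a non-OT address, which an air-gapped OT network should
# never show. Subnets and log lines are constructed sample data.
import ipaddress

# Hypothetical address plan for the utility.
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("192.168.50.0/24"),
           ipaddress.ip_network("192.168.51.0/24")]

def zone(ip):
    """Return 'IT', 'OT', or 'OTHER' (internet or unknown) for an address."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in IT_NETS):
        return "IT"
    if any(addr in n for n in OT_NETS):
        return "OT"
    return "OTHER"

def find_bridges(flow_lines):
    """flow_lines: 'time,src,dst,proto,dport' records. Returns OT<->non-OT flows."""
    bridges = []
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split(",")
        zones = {zone(src), zone(dst)}
        if "OT" in zones and zones != {"OT"}:   # one end OT, the other end not
            bridges.append({"time": ts, "src": src, "dst": dst,
                            "proto": proto, "dport": int(dport)})
    return bridges

# Constructed flow export: legitimate traffic inside each zone, an IT workstation
# reaching a PLC's Modbus port, and an OT host reaching an internet address.
SAMPLE_FLOWS = """\
# time,src,dst,proto,dport
2024-03-01T02:10:00Z,10.10.4.21,10.10.1.5,tcp,445
2024-03-01T02:10:03Z,192.168.50.12,192.168.50.2,tcp,502
2024-03-01T02:11:17Z,10.10.4.21,192.168.50.2,tcp,502
2024-03-01T02:12:00Z,203.0.113.9,10.10.1.5,tcp,443
2024-03-01T02:13:40Z,192.168.51.7,203.0.113.9,tcp,443
""".splitlines()

if __name__ == "__main__":
    for b in find_bridges(SAMPLE_FLOWS):
        print(f"OT bridge: {b['src']} -> {b['dst']} {b['proto']}/{b['dport']} at {b['time']}")
```

Any hit is evidence that the gap does not hold; whether it is an engineering shortcut or a misconfigured firewall rule, it needs the same follow-up.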
Despite increased cybersecurity risks in the water industry, opportunities for modernization are on the horizon. The Infrastructure Investment and Jobs Act (IIJA) provides water utilities a significant opportunity to bolster their defenses, setting aside $1.9 billion in funding specifically for cybersecurity and IT network modernization. The act also allocates additional funding for programs to address water cybersecurity threats through the EPA and creates a $100 million Cyber Response and Recovery Fund over the next five years.
Another potential funding opportunity on the horizon is a six-part legislative proposal to address cybersecurity in the water sector, authored by the Foundation for Defense of Democracies. Such legislation would empower an organization to develop sector-wide cybersecurity standards, allocate millions of dollars toward cyber threat information sharing, strengthen the EPA’s oversight of the industry, and overhaul state revolving fund programs.
This legislation proposes a solution to a significant gap afflicting the industry: the lack of industry-wide cybersecurity standards. A set of mandatory standards, with managed compliance against them, would improve the resiliency of water utilities. Water utilities should act now to draft standards that address the needs of the industry and its customers, rather than waiting for regulator-imposed standards that may be cumbersome and costly and may not sufficiently protect water systems from cybersecurity threats.
Finally, the Biden administration, in partnership with the EPA, announced the Water Action Plan as part of the Industrial Control Systems (ICS) Initiative across the water sector. The plan will initially focus on the country’s largest systems by deploying technologies to assist with identifying cyber threats, but will then lay the foundation for supporting the deployment of these technologies at water systems of all sizes.
For over a decade, geopolitical tensions in Eastern Europe have given rise to cyberattacks on critical infrastructure in the U.S. A lapse in water service would ricochet across our communities with severe public health and economic impacts.
One way to improve utilities’ resiliency against geopolitical cyberattacks is to search for indications of state-sponsored tactics, techniques, and procedures on their systems, and immediately report them to authorities if discovered. Utilities should also revisit their Incident Response & Recovery (IRR) plan, which maps out how utilities respond to cyber incidents, and establish clear procedures for handling a politically motivated cyberattack. If an IRR plan does not exist, one should be created immediately.
Amid the increasing cybersecurity risks water utilities face, one thing is certain: water utilities should not wait to develop and implement cybersecurity improvements. The cybersecurity landscape is constantly evolving in the water sector. Taking these five steps today will provide more robust protection of critical infrastructure that keeps safe water flowing to our communities.