The surge of high-profile cyberattacks targeting US water utilities has continued unabated. In one incident, pro-Iranian hackers infiltrated a Pittsburgh-area water utility’s programmable logic controller (PLC) system and defaced the touchscreen with an anti-Israel message, prompting the utility to switch to manual control of its water pressure regulation system. In response to a ransomware attack that compromised customer data, a water and wastewater operator for 500 North American communities temporarily disconnected its IT and operational technology (OT) networks. Additionally, the largest regulated water utility in the US experienced a cyberattack in October that resulted in its customer-facing websites and telecommunications network going offline.
These alarming events have raised concerns about the security and physical integrity of drinking water and wastewater systems. Various government agencies and organizations, including the Cybersecurity and Infrastructure Security Agency (CISA), the White House, the FBI, the Office of the Director of National Intelligence (ODNI), the Environmental Protection Agency (EPA), and the Water Information Sharing and Analysis Center (WaterISAC), have issued warnings and security guidelines in response to these cyber threats.
While most attacks targeted smaller, less secure water utilities, larger entities like Veolia and American Water faced IT-focused attacks that did not disrupt water services. According to industry experts, these cyber incidents seem to be aimed at probing vulnerabilities and undermining confidence rather than causing actual harm.
The urgent task now is to bolster cybersecurity defenses in the water sector, particularly for smaller utilities lacking the resources and expertise to combat cyber threats effectively. While larger utilities have made strides in securing their OT networks, many smaller utilities are struggling to implement robust security measures without imposing excessive costs and complexity. Experts emphasize the need for tailored security solutions that address the unique challenges faced by smaller utilities, such as prioritizing infrastructure upgrades and enhancing basic cybersecurity practices.
As water utilities grapple with escalating cyber risks, industry leaders are advocating for collaborative efforts to enhance security across the board. Major systems integrators like Black & Veatch are working with large utilities to embed security into new OT installations, emphasizing the importance of proactive measures to prevent potential safety hazards.
ICS/OT Cyber-Risk: Something in the Water?
Similar to other industrial sectors, water utilities are increasingly integrating remote access capabilities into their PLC systems and OT equipment to streamline operations. However, this connectivity also exposes critical infrastructure to cyber threats, as many systems lack adequate segmentation and secure remote access protocols.
While some PLC vendors are incorporating security features into their devices, legacy equipment at water plants often lacks these protections. This gap in security leaves water utilities vulnerable to attacks that could compromise essential operations and infrastructure.
Addressing these vulnerabilities requires a concerted effort to secure OT systems from installation to operation. Integrators play a crucial role in ensuring that SCADA equipment and software are properly secured, reducing the risk of unauthorized access and exploitation of default credentials.
The collaboration between industry experts and utilities is essential to fortifying cybersecurity defenses and safeguarding critical water infrastructure from evolving cyber threats.
Cybersecurity Cleanup for Water
Amid the growing cybersecurity challenges facing water utilities, a range of resources is available to support their security efforts. Organizations like WaterISAC and the American Water Works Association offer tools and guidance to help utilities assess their security posture and align with industry best practices.
One notable initiative is the Franklin project, a cybersecurity volunteer program that pairs experts with rural water utilities to enhance their cybersecurity resilience. By leveraging external expertise and resources, utilities can strengthen their defenses and mitigate the risks posed by cyber threats.
Industry veterans recommend fundamental security measures such as multifactor authentication, offline backups, and incident response planning to enhance the security posture of utilities. Establishing robust security practices and monitoring systems is crucial to detecting and mitigating cyber threats before they impact critical operations.
By adopting proactive cybersecurity measures and fostering collaboration within the industry, water utilities can build a resilient defense against cyber threats and safeguard the integrity of essential water services.