Protecting Water Utilities From Cyberattacks

Feb. 17, 2023
It's not just big manufacturers and banks that need to be worried about cyberattacks. The utility sector is also fair game, and attacks are especially dangerous when the utility supplies people's drinking water. Here's what can be done to safeguard plants.

As digital evolution occurs, our world is becoming more susceptible to the risks associated with connectivity. Hackers seem to lurk around every corner and only appear to be getting sharper and more sophisticated.

To this point, the FBI has ranked cybercrime as one of its most important law enforcement interests. Every day of our lives, we use all sorts of devices and items that give cybercriminals access to virtually all our personal data. Aside from individuals, even things like critical infrastructure (CI) related to energy production, manufacturing, water supply, and other systems have become victims of cyberattacks.

Water Facilities at Risk

Specifically, water utilities have increasingly begun integrating computer technology into routine operations. Systems that manage the automated physical processes essential to water treatment and distribution are now more common in all kinds of water utilities. The FBI has found that, even with cybersecurity best practices in place, these systems are still at high risk for cyberattacks.

When plants become prime targets for cyberattacks, it creates a health risk for entire communities. A prime example is a cyberattack at a water treatment plant in Florida in 2021. A cybercriminal took control of a computer within a treatment plant and raised the level of sodium hydroxide to 100 times higher than the regulated amount.

Sodium hydroxide is necessary to control acidity and remove metals from drinking water, and while it’s not hazardous at low levels, it can be quite harmful at high levels. When ingested, it can cause severe respiratory issues. Fortunately, no residents were harmed in this case, but this attack reiterates the importance of securing our water utilities against attack.

Just a month before, another hacker breached the drinking water system that serves the San Francisco Bay area, deleting water treatment programs, which went unnoticed until the next day.

Thankfully, the good work of technicians mitigated these attacks, but the ramifications are clear. Consider this scenario: much of the U.S. has experienced severe drought conditions in 2022. A cyberattack on a water operator leads to an unauthorized reservoir release, wasting tens of thousands of gallons. The human and economic consequences would be catastrophic.

Acknowledging the Risk

There are about 3,300 electric utilities in the United States. The water sector, by comparison, has nearly 50,000 individual community systems, more than half of which serve fewer than 500 customers. Simply put, the water infrastructure is not protected to the level it should be, putting these systems at a heightened risk of cyberattacks. This topic is not new, as even the Center on Cyber Technology Innovation has stated that water security might be the most significant vulnerability in our national infrastructure.

Following the attack mentioned above, Florida Senator Marco Rubio acknowledged that water-system security is essential to national security. In fact, the issue has been discussed at great length at the federal level.

In a $1.2 trillion infrastructure bill that passed Congress late last year, lawmakers provided $55 billion to improve the nation’s water supply and $60 billion to modernize the power grid. However, the fact remains that many towns with at-risk water treatment facilities operate in a unique threat environment, one that lacks adequate budgets and enough cybersecurity personnel to handle the elevated cybersecurity risks.

The Environmental Protection Agency has also stepped into the conversation, clearly stating that implementing cybersecurity best practices is crucial for water and wastewater utilities.

In addition to the implications an attack can have on the health of a population, a cyberattack can also cause significant harm by stealing customers’ personal data; installing malicious programs like ransomware that can disable an entire business enterprise or process control operations; defacing a website or compromising an email system; and overriding alarms or disabling pumps. All of this can compromise the ability of water utility companies to deliver clean and safe water to their customers, which can damage customers' confidence in the company and result in financial or legal trouble.

Finding Protection

Because many water utilities might not have the capacity for information technology and security specialists to help with a cybersecurity program, finding protection through cybersecurity solutions is the best way to ensure the highest level of protection. This type of technology can lock all the cyber doors, as well as monitor them and the network on which they live—24 hours a day, seven days a week.

By monitoring network traffic, this technology can locate, decipher and provide an alert should it detect any cybersecurity threat, malware or viruses. Additionally, water utilities are given on-demand assessments of servers, control systems, laptops, smartphones, and other devices connected to the company’s network.

Safeguarding Health and Security

When there are cybersecurity risks, hackers can find even the slightest vulnerability, which can compromise an entire network in seconds. A platform explicitly designed to mitigate these risks gives everyone on the inside an up-to-the-minute outlook on those vulnerabilities in operating systems and applications. In turn, any risks are prioritized to be addressed and mitigated. This ensures that organizations are protecting systems and the health of the population they serve.

Robert Nawy is CEO of IPKeys Cyber Partners, a provider of an industry-leading, secure OT/IT intelligence platform that addresses the complex cybersecurity, data, and critical infrastructure protection challenges faced by operators of mission-critical networks for customers in the energy, government, public safety communications, and industrial markets. The company’s suite of solutions encompasses cybersecurity, cyber compliance, and operational network monitoring for a range of dynamic OT/IT environments. The company is headquartered in New Jersey and has offices in California, Louisiana, and Texas.