It’s Time for Water Utilities to be Extra Vigilant Against Cyberattacks

June 28, 2022
With their vital role to communities, water utilities are a high stakes target for cyber attacks.

Cyberattacks on critical infrastructure are on the rise, and recent national attacks on water systems leave them vulnerable to hackers breaching water utilities. According to the World Economic Forum, there are 300 attacks on US utilities per week, proving that no industry is immune as society moves further into a digital world.

With the ability to control utilities virtually, threats continue to increase both at home and abroad. Virtual water utility management can provide access for malicious hackers to adjust critical water controls, including water chemical levels and filtration, damaging systems and harming people. We have witnessed several attacks on our water systems over the past twenty years, many of which have been through ransomware attacks. This brings rising concern as utilities try to learn their best on how to mitigate their risks.

Cyberattacks may target an enterprise for a variety of reasons that can include stealing customer payment information, stealing confidential business information, and maliciously controlling computer systems. Water utilities are at high stakes if attacked and breached, considering their vital role in critical infrastructure and their wide reach.

Society relies on these utilities to treat and provide safe drinking water to cities they service, so it is imperative that they ramp up their cybersecurity. This will help to protect their company’s data, help them avoid potential lawsuits, and most importantly, help protect the communities they are servicing.

Identify Vulnerabilities

Many water utilities have adopted several different digital software platforms to help manage their plants. Software tools used in these utilities include billing software, the Internet of Things (IoT), Geographic Information Systems (GIS), and more. One piece of software that many water utilities utilize is a supervisory control and data acquisition (SCADA) system to help automate their treatment functions. Regardless of the size of the utility, the SCADA system, in addition to other software, increases a utility’s risk of a cybersecurity attack if it is not adequately protected.

The first step to protecting a water utility from a security breach is evaluating where the current cybersecurity processes stand. Conducting a risk assessment is a great place to start to help identify risks, not just with cybersecurity but across the organization. Water utilities are subject to many different potential incidents, including hurricanes, extreme cold and winter storms, wildfires, water pressure variability, local government policy implications, and quality risks.

The U.S. EPA provides checklists for these threats along with a cybersecurity checklist. A risk assessment and gap analysis through these checklists will help utilities understand where they can improve their processes and protect their systems.

Common Threats for Water Utilities

Cybersecurity threats are common vulnerabilities that are often caught in a risk assessment. Water utilities may find several areas that need improvement from a cybersecurity front, one of which is as basic as improving their line of defense through passwords. Employees are key to keeping confidential information and systems safe by creating and using strong passwords. They can easily do this by using a combination of upper- and lower-case letters, numbers, special characters and not using any personal information for their login credentials.

Additionally, companies can require employee and organizational passwords to be frequently changed as a tactic to help mitigate the risk of hackers through password cracking. To bolster password access protection even further, organizations may implement multi-factor authentication (MFA) if they have not already. MFA is a great tool, particularly for water utilities that manage their plants from remote locations, to help add a second layer of defense.

Aging software and hardware systems are another common weakness that provides a significant risk for water utilities. This threat expands even further if they go unpatched. While replacing legacy infrastructure can be costly up-front, it should be strongly considered due to the cost savings over time and more robust protection. This is due to the frequent costs and time needed to update and maintain legacy infrastructure through patching any holes they may have.

Newer technology also provides greater control through encryption and authentication already embedded in the devices. Whether a water utility chooses to replace its legacy infrastructure with newer versions or not, water utilities must update their systems and devices to the latest software to provide stronger protection against malicious hackers.

Management Training & Certification

Employee education and training are essential next steps following a risk assessment to set personnel and systems in water utilities on the right track to protect assets. Organizations like the EPA provide training and response exercises as well as self-assessment tools for state and regional water providers.

Third-party organizations like NSF-ISR can go beyond that for further security checks or certification. NSF-ISR tests companies to ISO 27001 certification to help water utility teams manage security threats and build cyberattack resilience. Certification can help identify business risks with a probability and impact assessment and help them build a comprehensive set of controls to help bolster cybersecurity.

Many people agree that more federal loans and grants for systems are needed to reach the wide water sector. In the meantime, ramping up baseline security is not too demanding or difficult and can be done on a leadership level. This can be initiated through manual efforts, including frequently changing passwords.

Additionally, utility managers can implement an incident response policy that will help them be prepared if they experience a security breach. This is a crucial first line of defense in case of a cybersecurity attack on our water sources. Being able to quickly shut systems down and reinforce the plant’s water controls is not optional when defending its critical systems and data. With cyberattacks on the rise, frequent organization-wide employee training is a critical tool.

Leaders can seek additional training through software platforms like KnowBe4 or even learning base training on video platforms. NSF offers free cybersecurity videos through YouTube to help companies on a budget learn more about security.

Other organizations like the American Water Works Association (AWWA) host cybersecurity events that water utility managers can attend throughout the year to learn how to further bolster their cybersecurity. With many online tools, it does not hurt to get creative to learn more about how to protect the business, especially if it is operating on a budget. Learning how to examine current threats, unpack new policies and analyze risks only further helps companies working to protect themselves.

Remain Vigilant

While ramping up cybersecurity defenses is imperative for modern-day business, water utilities will want to stay on guard with their physical security too. They can do this by installing an ample number of on-site cameras to deter any potential break-ins and properly staffing the property with on-site security.

Visitors, including cleaning crews, should be escorted, so they are never alone on-site or have access to secure rooms. In addition, it is important to keep physical locations secure by keeping entrance doors closed and locked and implementing access controls that can provide further protection.

Different days of the year can offer higher risks as well. Both physical and remote employees should be on high alert during holiday seasons, particularly July 4th and Christmas, as most security breaches happen around these times. Hackers like to act on or around holidays because they know there is typically reduced staff during these times. Water utilities can remind their on-site and virtual employees to closely monitor all software systems, particularly those with critical controls, to help keep the utility protected during these festivities.

Continue to Learn

As we continue to take advantage of the efficiency of operating in a virtual world, we need to remember that no industry is immune to cyberattacks. We need to continue to stay educated on the risks we take on in a virtual environment. Businesses can do this by making sure proper systems and plans are in place to help keep cybersecurity defense up, helping reduce the risks associated with online tools.

It is imperative to stay educated, on guard and prepared to help mitigate the risks associated with a cybersecurity attacker. After all, water utilities are a critical piece of our infrastructure and vital to providing clean and safe drinking water for communities across the globe.

About the Author

Theresa Bellish

Theresa Bellish is senior director of commercial water at NSF. She can be reached at [email protected].

About the Author

Tony Giles

Tony Giles is director of information security for NSF-ISR. Tony can be reached at [email protected].