Cybersecurity Snapshots #30 - The Water Sector Needs to Take Cybersecurity Seriously

Cybersecurity Snapshots #30 -

The Water Sector Needs to Take Cybersecurity Seriously

The United States has approximately 52,000 drinking water and 16,000 wastewater systems, many of which service small communities of fewer than 10,000 residents. Many of these systems operate with limited budgets and even more limited cybersecurity personnel and expertise. Security researchers have stated that the automation of technology that these water utilities implemented over the past two decades to save money and increase efficiency has also exposed them to malicious cyber activity that could disrupt or manipulate services. In October of 2021, the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Environmental Protection Agency (EPA) warned that U.S. water and wastewater systems are being targeted by "known and unknown" malicious actors.

Multiple cyberattacks against U.S. water and wastewater systems were discussed in the warning. In March 2019, a cyberattack involved an attempt to threaten a town's drinking water in Kansas. In another cyberattack in September 2020, the Makop ransomware hit a New Jersey water and wastewater (WWS) facility. There was also a cyberattack in February 2021 where an unidentified hacker accessed the computer systems of a water treatment facility in Oldsmar, Florida, and modified chemical levels to dangerous parameters. In March 2021, a Nevada water treatment plant was hit with an unknown ransomware variant. The ransomware affected the victim's SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full Industrial Control System (ICS). An attack in July 2021 saw the ZuCaNo ransomware used to damage a wastewater facility in Maine. In August 2021, Ghost ransomware was deployed against a WWS facility in California. Attackers spent a month inside the system before releasing a ransomware message on three SCADA servers. Recently researchers found that 1 in 10 waste and wastewater plants has a critical security vulnerability.

After these attacks, CISA claimed that they were going to team up with the EPA to provide guidance, technology, and direct support to the sector. After announcing that CISA was teaming up with the EPA, some researchers thought CISA should have chosen the National Association of Water Companies (NAWC) as a partner to tackle the problem instead of the EPA. NAWC supports establishing national standards to safeguard all water systems from cyberattacks and protect the communities they serve. While not all water companies belong to NAWC, researchers found that more than 90 percent of NAWC members have a cybersecurity plan in place, while non-member companies may or may not have plans in place.

In January 2022, it was announced that the White House, EPA, and CISA created a 100-day plan to improve the cybersecurity of the country's water systems. The "Industrial Control Systems Cybersecurity Initiative -- Water and Wastewater Sector Action Plan" includes several measures that officials believe can be taken in just a few months to address cybersecurity gaps within the water utility industry. The plan will create a task force of leaders in the water utility industry, kickstart incident monitoring pilot programs, improve information sharing, and provide technical support to water systems needing help. The EPA will invite water utilities to a pilot program, but participation will be voluntary, the officials said. After the announcement of the new 100-day plan the reaction among ICS cybersecurity experts was mixed. Mark Carrigan, Senior VP of Process Safety and Operational Technology (OT) Cybersecurity at Hexagon PPM, stated that the measures outlined will not be nearly sufficient to reduce the risk to an acceptable level. Carrigan noted that the state of detection technology today is not "fool-proof" and stated that many infiltrations and subsequent attacks start with exploiting zero-day vulnerabilities that are not recognized until after the fact. Carrigan also noted that it is time for critical infrastructure to increase investments to improve operational resiliency to respond to an attack, minimize the impact, and restore operations within an acceptable period of time. Carrigan also stated that as a nation, we must accept that we cannot prevent all cyberattacks due to the nature of the control systems that deliver critical services. Instead, we must improve our ability to respond and recover.

In March 2022, a cyber incident reporting bill was passed. Elke Sobieraj, the Director for Critical Infrastructure Cybersecurity at the White House's National Security Council, stated that before the cyber incident reporting bill was passed, it was very difficult to assess the risks the water sector was facing from ransomware because many water companies did not report ransomware incidents. She hailed the passage of the cyber incident reporting bill, which requires critical infrastructure entities like water companies to report incidents to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency within 72 hours. Sobierai noted that this will make it easier to access the risks the water sector faces from ransomware.

Recently Nick Santillo, VP for Digital Infrastructure and Security at American Water, stated that insurers increasingly require water utilities to meet stringent cybersecurity requirements even to consider insuring them. These requirements include a strong and secure access management program for protecting administrative credentials with privileged accounts and endpoint detection and response tools. Santillo stated that many water utility companies have gone through their renewals and ended up either becoming uninsurable or have implemented some new controls in order just to get to the point of being insurable.

As the cybersecurity risks and threat vectors continue to grow and become more sophisticated, we must be proactive to improve the cybersecurity position across the entire water sector. With the new stringent cybersecurity requirements for organizations in the water sector to get insured, the "Industrial Control Systems Cybersecurity Initiative -- Water and Wastewater Sector Action Plan," and the cyber incident reporting bill, the companies within the water sector will hopefully start to take cybersecurity seriously and take steps to make sure their infrastructure is more secure against cyberattacks.