Beyond the tap: the critical need for cyber defense in water utilities

June 4, 2024

Water and wastewater systems are commonly described as communities' lifelines, ensuring the delivery of clean and safe drinking water.

Yet these systems often lack the resources and technical capacity for rigorous cybersecurity measures. This lack of robust security exposes them to cyberattack risks and potentially jeopardizes public health and safety.

Water municipalities are prime targets because cybercriminals know that IT funding, let alone cybersecurity funding, is low, especially for smaller water utilities that may serve 20,000 people.

If a utility spends money on cybersecurity services or products rather than on updated treatment technology for cleaner water, does that mean money is no longer available for those critical updates? Risk management for the whole treatment facility is at the forefront of every operations and management decision, and the choice between prioritizing IT services and cleaner water overshadows many others.

Water treatment and wastewater companies share the mindset of many small organizations and municipalities: they operate on limited budgets, feel too small to be noticed by cybercriminals, and focus on improving operations and keeping costs low.

As in other critical infrastructure sectors such as energy, transportation, and manufacturing, a strong health and safety culture protects workers' lives in these environments. Cybersecurity, however, requires a similar change of mindset. Culture is a significant factor in keeping cybersecurity top of mind and integrated with health and safety.

Protecting control systems, process systems, and other back-office support systems should be just as electronically "healthy" as the health and welfare of the employees working. Changing people's mindsets is time-consuming and complicated, and it requires frequent, even daily or weekly, effort.

The recent increase in cyberattacks targeting U.S. water and wastewater systems is another reminder of the vulnerabilities embedded within our critical infrastructure. These incidents threaten physical assets, public safety, and public trust.

These environments face real challenges, but a substantial effort toward best practices and appropriate responses is needed to safeguard these essential services from cybercriminals.

Understanding the Threat Landscape

A letter from the EPA outlines two significant threat actors to the nation's water systems: operations by actors linked to the Iranian Government's Islamic Revolutionary Guard Corps (IRGC) and the People's Republic of China (PRC) state-sponsored cyber group known as Volt Typhoon.

These actors have previously compromised water facilities to disrupt and, where possible, damage water systems, possibly gaining access through default passwords, unpatched systems, or social engineering.

The EPA's call for comprehensive assessments of cybersecurity practices and the deployment of necessary controls is a step in the right direction. Simple yet effective measures, such as updating software and changing default passwords, can significantly mitigate risks.

However, the path to cyber resiliency requires a layered approach involving physical and cybersecurity programs, employee training, and emergency response planning.

Securing the water sector against cyber threats requires a concerted effort across the board. The EPA's initiative to form a Water Sector Cybersecurity Task Force is commendable. The task force aims to identify vulnerabilities and challenges while recommending actionable steps for water systems to enhance their cybersecurity posture.

This collaborative approach should extend beyond governmental agencies and incorporate private sector expertise and resources. Utility leaders must proactively leverage guidance, tools, and technical assistance offered by entities like the American Water Works Association, the National Rural Water Association, and the Water Information Sharing and Analysis Center.

Call to Action: Strengthening Our Defenses

Across the hundreds of water treatment facilities, a cybersecurity program that brings together tools, technology, and people is the response that protects the infrastructure against cyber threats.

Implementing and testing an incident response program aligned with the physical emergency procedures, using technology for cyber assessments, or providing users with frequent and robust security awareness training can deliver a quick Return on Investment (ROI) and is a solid step toward effectively protecting facilities and infrastructure.

Participating in the various government and public information-sharing groups can also help utilities stay current on threat intelligence.

Purple Water

Water treatment facilities must ensure both their physical and electronic security. They must thoroughly evaluate their cybersecurity practices and urgently identify and address vulnerabilities. Once any vulnerabilities are identified, they must be resolved promptly, most likely within 18 months.

Identifying vulnerabilities is one step, but it is in the water utility's best interest to work with cybersecurity purple teams. These teams not only identify the weaknesses but also work to ensure they are corrected.

Emergency Procedures and Backup Plans

Preparing for cyber incidents with well-defined response plans ensures quick and coordinated action to mitigate impacts. Identifying gaps in those plans is another step toward reducing the risk to water treatment plants.

Critical infrastructure organizations plan and execute emergency exercises to ensure everyone knows their responsibilities and the actions to take in an emergency. The same exercise concepts should apply to cyber incidents, and they have a quick ROI because they focus on people and processes.

Developing an effective incident response plan for water treatment facilities involves preparing for, managing, and recovering from cyber incidents with minimal impact. It requires identifying potential cyber threats through regular risk assessments and defining clear roles for an all-inclusive incident response team.

Effective internal and external communication strategies are essential for coordinating efforts during an incident. The plan must detail containment, eradication, and recovery procedures, which must be tested through regular drills. Post-incident analysis is crucial for learning and refining the response strategy. Training programs raise organization-wide awareness, enabling quicker detection and response to incidents.

Collaborating with external cybersecurity experts and law enforcement increases the plan's effectiveness by providing additional support and resources. Investing in a comprehensive incident response plan is vital for protecting critical water infrastructure and ensuring the continuity of safe and clean water services.

One final critical aspect to consider is that whatever plans are created for disaster recovery or business continuity should also be stored physically and offline, separate from the servers, so they remain accessible if the servers are unavailable.

Robust Security Awareness Training

Training employees on cybersecurity awareness and best practices is essential to strengthening an organization's security culture. Cybersecurity training is critical for water utilities to bolster their defenses against sophisticated nation-state cyberattacks. This endeavor goes beyond merely conducting training sessions: it is about cultivating an environment where every employee, from administrative staff to operational personnel, is aware of and proactive about cybersecurity.

Developing a cybersecurity training program should begin by identifying specific learning objectives tailored to the water sector's unique challenges and risks. These objectives include understanding cyber threats, recognizing phishing attempts, securing operational and information technology environments, and using strong, unique, and unpredictable passwords.

Training should be conducted frequently and use a variety of methods to suit different learning styles. This means scheduling routine sessions, from new-employee orientations to annual refresher courses, along with emergency response drills. The training formats should vary, incorporating in-person workshops, online modules, and interactive simulations to engage different learning styles and maintain interest. Including real-world case studies of cyber incidents in the training can provide practical insights and lessons learned.

Evaluating the effectiveness of these training sessions is crucial and achievable through quizzes, simulations, and tabletop exercises designed to test employee knowledge and readiness. The outcomes of these evaluations can highlight areas for improvement in the training program and identify knowledge gaps among staff.

Creating a culture of cybersecurity awareness within an organization involves promoting continuous learning and engagement with current cybersecurity trends and threats, facilitated through regular communications such as newsletters and security alerts.

Depending on the organization's size, establishing a security champions or ambassador program, where designated individuals within departments promote best practices and serve as points of contact for cybersecurity concerns, can further reinforce this culture. Recognizing and rewarding employees who actively engage with cybersecurity training and exhibit exemplary behavior can motivate others to prioritize cybersecurity in their daily responsibilities.

For long-term planning, water utilities should invest in the professional development of their employees by providing opportunities to attend external cybersecurity conferences, workshops, and certification programs. This enhances their skill sets and ensures the organization stays informed about cybersecurity developments. Regular reviews and updates to the training program are essential to keep pace with the rapidly evolving cyber threat landscape. Additionally, engaging in public-private partnerships for knowledge and resource sharing can offer further support and insights for enhancing cybersecurity training programs.

Summing it Up

The ongoing cyberattacks on the nation's water systems call for immediate action to fortify our defenses against nation-state actors and cybercriminals. The federal government's response, through directives and collaboration with state governments and the private sector, will set the groundwork for a more secure and resilient water sector.

While the budgets and resources of water treatment and wastewater facilities are stretched, low-cost programs and tools with a quick ROI can be implemented to reduce the risk of a cyberattack.

However, the urgency to act is now, with water utilities at the forefront of this critical battle to safeguard public health and national security against cyber warfare's invisible yet pervasive threat.

About the author: James McQuiggan is a Security Awareness Advocate at KnowBe4. Prior to joining KnowBe4, McQuiggan worked for Siemens for 18 years where he was responsible for various roles, including Product & Solution Security Officer for Siemens Gamesa Renewable Energy. In addition to his work at Siemens, McQuiggan is also a part-time faculty professor at Valencia College in the Engineering, Computer Programming & Technology Division.