
Cyberwater challenges: Federal efforts towards cybersecurity are exposing vulnerabilities within the water infrastructure sector

Federal water utility industry acknowledges escalating security risks, yet federal drive overlooks their resource limitations.

Federal efforts to enhance cybersecurity in the water sector are exposing existing vulnerabilities and fractures within the industry

The water sector is undergoing a digital transformation, with the installation of data logging equipment and smart meters becoming commonplace. However, this increased digitalisation also exposes the sector to new cybersecurity risks.

According to Phil Cope, VP of Moody's Ratings, the water sector, including water and wastewater, is one of the top five industry sectors at the highest risk of attack. This risk has not gone unnoticed, with EPA officials outlining additional efforts to create a Water Sector Cybersecurity Task Force.

One of the key challenges in addressing these cybersecurity threats is the lack of resources within the water utilities themselves. Katherine Ledesma, head of public policy and government affairs at Dragos, highlighted that small public water systems, which represent more than 90% of the nation's community water systems, lack the resources to prioritize a full-time cybersecurity expert.

In response, regulatory and standard enhancements are being proposed. For instance, New York State has mandated water utilities serving over 3,300 people to establish formal cybersecurity programs, conduct yearly vulnerability assessments, develop incident response plans, and comply with incident reporting. Utilities with over 50,000 customers must also designate cybersecurity program leaders and monitor networks closely.

The EPA, as the federal lead for managing cyber risks in water and wastewater infrastructure, offers free services including technical cybersecurity assistance and assessments of utility IT and operational technology (OT) systems. However, utility engagement remains a significant challenge, with many water utilities slow or reluctant to adopt these resources or report incidents due to lack of awareness, expertise, or perceived cost and complexity.

Cyber actors, particularly groups linked to Iran and Russia, have demonstrated capability and willingness to target water sector industrial control systems (ICS) by exploiting outdated software, weak remote access controls, and performing credential harvesting and brute force attacks. Rural water systems are frequent targets due to their weaker cybersecurity protections.

Experts and officials emphasize the need for increased federal involvement, better information sharing, and partnerships between government, the private sector, and philanthropic organizations to enhance water sector cyber resilience comprehensively. Anne Neuberger, deputy national security advisor for cyber and emerging technologies, has asked each state to share a plan by May 2024 for addressing potential cyber vulnerabilities for drinking and wastewater systems.

The Biden administration withdrew plans to include cybersecurity as part of periodic audits of public water systems in October 2023, following a court challenge led by attorneys general from Missouri, Iowa, and Arkansas, and supported by the American Water Works Association and the National Rural Water Association.

Recent attacks, such as those exploiting vulnerable Unitronics programmable logic controllers, have highlighted the urgency of addressing these cybersecurity threats. Continued efforts to mandate standards, provide accessible support, and foster cooperative defensive strategies remain vital in ensuring the safety and security of the U.S. water sector.

  1. The water sector's digital transformation, featuring data logging equipment and smart meters, has increased its susceptibility to cyber risks, positioning it among the top five industry sectors at highest risk of attack (Phil Cope).
  2. EPA officials have responded to this heightened cyber risk by creating a Water Sector Cybersecurity Task Force, aiming to mitigate these threats (EPA).
  3. One of the obstacles in addressing these cybersecurity issues is the resource gap within water utilities, particularly small public systems that lack the means to prioritize full-time cybersecurity experts (Katherine Ledesma).
  4. In an effort to bolster cybersecurity in the water sector, New York State has mandated larger water utilities to establish comprehensive cybersecurity programs, undertake annual vulnerability assessments, develop incident response plans, and comply with incident reporting (New York State regulation).
