Water has not typically been an industry closely associated with cybersecurity threats. But this has changed in recent years as the sector has become increasingly automated, with the rapid adoption and use of digital environments.
As information technology (IT), operational technology (OT) and Internet of Things (IoT) become digitized and connected, hackers have become more aware of the valuable data to be extracted from critical infrastructure, and how vulnerable they may be. While digital connectivity in utilities has increased, security mindsets have not kept pace. This is a worrying trend – as water becomes more connected, threats from hackers, ransomware, and non-state actors will continue to grow in intensity and severity. OT and IoT networks are kept secure in a different and often more challenge way to IT, where most security focus is directed.
As a provider of a critical service, the effects of a cyberattack on a water utility have the potential to cause major damage to the communities they service.
In its digital transformation period, the water utilities sector must consider cybersecurity, or risk financial losses, data leaks, and even the tap being switched off.
Cybersecurity Risks for Water Utilities
The water and wastewater sector is worth close to $500B but had not been a monetizable target for hackers until recently. There was little automation or need for remote systems access, and beyond physically shutting down the machinery there was limited value for hackers.
Technological advancements in recent years have massively boosted productivity in the water sector. Remote access has enabled those with specialist skills to connect from anywhere in the world to drive innovative ideas or trouble-shoot complex problems. Automation and IoT are now core parts of modern critical infrastructure structures.
However, this digital transformation has not been matched with a cybersecurity transformation, due in part to the structure of the water industry – many utility operators aren’t aware of the kinds of threats they may face. Further, OT and IoT networks are often considered too difficult to secure.
The Water Sector Coordinating Council estimates over a third of water utilities only allocate 1% of their budget to cybersecurity. It’s not just budgets, risk assessment, mitigation and recovery plans have also been overlooked.
Over the past twenty years cyberattacks have ranged in complexity, and the damages have affected all parts of the sector.
- A hacker in Maroochy Shire, Queensland targeted the wireless networks and released over a million liters of sewage into local parks, streets, and rivers.
- Iranian actors hacked an undefended computer controlling sluice gates at the dam.
- In Oldsmar, Florida attackers attempted to change the chemical levels in the water.
Much of the technology used in the water sector is standard around the world – a vulnerability in one facility is likely experienced in another. Once these gaps are spotted by hackers the risk for everyone increases. Although collaboration across companies and with governments is increasing, more needs to be done to build awareness on risks and solutions.
Types of Threats
Organized crime and malicious state or state sponsored actors have previously targeted critical infrastructure due to its valuable role in a community, and the large amount of valuable data it holds. According to IBM, human error is a leading cause of breaches. Weak passwords, sharing security information, or clicking on phishing emails can all contribute to a cyberattack.
- In 2000, a disgruntled former employee hacked the water sewage plants in Queensland, Australia, letting out over a million liters of sewage over a period of several months.
- In 2013 Iranian hackers infiltrated a dam in New York, costing $30,000 to repair.
- In 2016 a phishing operation locked the Lansig Board of Water and Light out of their systems. Lansig paid $25,000 to recover access and $10 million to replace affected computers and software.
- In 2017 a Syrian group was able to alter the chemical dosing at a US water utility.
- In 2018 The City of Atlanta suffered a ransomware attack which disrupted city utilities and prevented to Department of Watershed Management from accessing their work computers for nearly a week. Recovery costs were up to US$5 million.
- In 2020 Greenville Water in the US had their online payments system compromised, affecting 500,000 residents.
- In 2021 a water treatment plant in Oldsmar, Florida was hacked, with attackers attempting to poison the water supply by raising the lye levels in the water. The attack was thwarted before it reached human consumption.
A pre-breach mindset is critical to mitigate water cybersecurity attacks. Even in the smallest utilities it is critical to prepare for a breach early (pre-breach), and continue updating and monitoring for new threats. If a utility can identify an attack early it can prevent some of the damage. Protecting OT and IoT environments requires both proactive and reactive responses:
- Plan: Expect an attack, act now to secure systems and put in place plans to stop a cyberattack, and for recovery after an attack.
- Internal training: Consistent and up-to-date training for staff outlining security procedures, how to detect a threat, and what to do in the event of an attack
- Collaboration: Hackers have identified vulnerabilities common across different utilities. Sharing information on rising threats raises awareness and allows each facility to have all the relevant information in advance.
- Spring cleaning: Assess your entire digital footprint regularly to spot weak systems. Unmonitored and dated applications are particularly susceptible to attack.
- Invest: Around 38% of water utilities in the United States only allocate 1% of their budget to cybersecurity. Mitigation strategies cost money, but are far cheaper than the alternative.
To learn more about how water utilities can improve their cyber defenses, download the industry brief.
Building Cyber Resilience in the Water Sector
Learn about cyber threats facing the water sector, and what organizations need to consider to ensure this critical infrastructure is defended.