As Feds Warn of Hacking Wave on Water Systems, Here’s Our Roundup of Cybersecurity Resources

As the United Nations marks its annual World Water Day on Friday to raise awareness of global water issues, U.S. officials are warning about a wave of cyberattacks on water and wastewater systems across the country, reigniting concerns about the vulnerability of this often overlooked and underfunded sector.

A special meeting of state homeland security deputies on Thursday, a joint letter from the White House and Environmental Protection Agency (EPA) on Tuesday, and a Congressional hearing in January have all stressed the need for heightened cyber defense of water, this after investigators attributed a series of attacks to Iran-backed hackers in November and the FBI cited ongoing threats from China.

For such a critical part of our infrastructure, defenses are woefully low.

Learn how secure or exposed your organization really is—get a comprehensive risk score in just 5 days.

“Drinking water and wastewater systems are an attractive target,” wrote EPA Administrator Michael Regan and national security advisor Jake Sullivan in the letter sent to state governors alerting them to the Iranian hacks and potential future attacks by a China-sponsored group. At too many water facilities, they wrote, “even basic cybersecurity precautions” are not in place, and that “can mean the difference between business as usual and a disruptive cyberattack.”

Consider the latest numbers:

• 150,000 – The number of water utilities that provide drinking water and serve (along with 16,000 public wastewater systems) up to 90% of Americans (EPA, CISA)
• Less than 25% – The percentage of water and wastewater operators who perform annual cybersecurity risk assessments (EPA)
• 25% – The estimated percentage of global water systems that will likely have experienced a cybersecurity breach by 2025. (GHD)
• 98% – The percentage of cyberattacks that could be prevented or minimized with basic cyber hygiene (EPA)

With those sobering stats in mind, we’ve provided here a quick-hit primer on cybersecurity in water, including a rundown of the most recent attacks and government hearings, plus a wealth of tips and resources from the Focal Point files.

On the water (and wastewater) front – hackers and hearings

Last month, the U.S. imposed sanctions on six Iranian officials linked to a hacking group that targeted multiple U.S. water utilities last fall, including the Municipal Water Authority in Aliquippa, Pennsylvania. There, hackers disabled digital water-pressure monitors, forcing plant managers to jump to manual controls. Though service ran undisrupted and water quality remained safe, it was a close call, especially given that many water authorities don’t have such manual overrides.

Water, and particularly wastewater operations, is not a glamorous field.

In January, Veolia North America, which oversees water and wastewater systems in 200 communities across the U.S., reported a ransomware attack on its municipal water division, affecting some of its bill-paying software applications and possibly exposing the personal information of a “limited number” of individuals.

All of this was top of mind at a recent hearing of the House Energy and Commerce Committee, where trade-association officials urged Congress to pass legislation or grant funding to help water utilities obtain cyber training and software updates. Previous legislation, like 2002’s Bioterrorism Act and 2018’s Water Infrastructure Act, offered funding to identify vulnerabilities but little in the way of making repairs. “Hey, we have identified a problem – where are the resources to resolve it?” testified Cathy Tucker-Vogel, a public water supply section chief of the Kansas Department of Health and Environment, and past president of the Association of State Drinking Water Administrators.

[Read also: Why cybercriminals target small utilities]

Since the hearing, the American Water Works Association, a trade group with some 50,000 members, has been meeting with policymakers to encourage the authorization of a collaborative regulatory model designed by water-sector experts, to be overseen by the EPA. Rather than a one-size-fits-all regulation, this would offer a tiered framework, recognizing the diverse nature (and capabilities) of water utilities, notes Kevin M. Morley, federal relations manager for the AWWA, in an exclusive interview with Focal Point.

“[We need] reasonable cybersecurity requirements that focus on practical, protective, and implementable solutions,” says Morley. “We are hopeful that legislation will be introduced in coming months.”

The stakes couldn’t be higher – and they’re falling on an aging workforce.

“When I get a new cellphone, I need my granddaughter to set it up for me,” admitted Rick Jeffares, president of the Georgia Rural Water Association, when he testified before Congress. Not that everyone who works for a water utility is befuddled by their tech, but there’s no denying that the water authority workforce is aging. The average age of a water operator in Georgia is 58, said Jeffares. And throughout the water sector in the U.S., workers tend to be older than in other sectors, with thousands eligible to retire in coming years, according to a 2020 EPA report.

This underlying demographics problem constrains policy to a large degree. And lean budgets limit the kind of competitive salaries that might attract new blood.

Then, of course, there’s the ick factor.

“Water, and particularly wastewater operations, is not a glamorous field,” Jeffares acknowledged.

Such glaring recruitment problems prompted the NRWA to partner with the U.S. Department of Labor on an apprenticeship program. The next generation of water workers will be cyber savvier, for sure, but in the meantime a commitment to comprehensive training programs and proper cyber hygiene is essential, he urged.

The IT and OT of H2O

Water is growing more high-tech by the minute. The convergence of information technology (IT) and operational tech (OT) has helped dwindling utilities staffs operate critical infrastructure remotely. Automation has thus saved the sector – but also leaves it increasingly vulnerable to cyberattacks.

Water utilities are stuck in a digital canyon.

Water authorities are now often managed by remote monitoring systems, which utilize software, hardware, and data networks to control pumps, valves, sensors, and distribution and treatment processes. Hackers can co-opt such components to, say, shut down pumps that supply drinking water (which is what happened in Aliquippa in November) or contaminate water supplies (as in the infamous 2021 attack on a water treatment plant in Oldsmar, Florida, where an as-yet-unidentified hacker altered the level of sodium hydroxide – aka lye – an incident quickly spotted and corrected by alert plant personnel but of serious concern to cyber experts).

These physical assets present fiscal challenges.

“Water utilities are stuck in a digital canyon,” Morley said in his Congressional testimony. The OT running pumps and motors, he explained, has been “unable to keep pace with advances in the enterprise systems that upgrade to new editions at a much faster pace.”

Water authorities must deploy comprehensive endpoint management tools to assist in better visibility, patching updates, and regulatory compliance measures. In some cases, Morley added, outdated OT will require a “rip and replace” capital project, made costlier because such utilities must keep running while the upgrades take place.

Water-as-a-service – a new commercial (and controversial) solution

In recent years, a few states (Indiana, Missouri, California, New Jersey, and Tennessee) have passed legislation to boost water-system cybersecurity protections. Others (Pennsylvania, Maryland) saw legislation fail when bills backed by private water companies prompted pushback from public water authorities, who claimed the bills were merely thinly veiled attempts to fuel privatization, which would inevitably foist higher rates upon consumers.

While that may be true, the sheer size and breadth of this problem suggests a patchwork solution of public and private efforts may be required. And off-grid water systems are gaining attention.

So says Riggs Eckelberry, CEO of OriginClear, who is looking to create a powerful, profitable “Airbnb for water,” privatizing water treatment and funding it with asset-backed, high-yield water annuities. Eckelberry spoke on Focal Point’s companion podcast, Let’s Converge, last year, and his views seem even more relevant in the midst of today’s heightened sense of urgency.

“In 2016, when I started talking about decentralized water, people were like, ‘Huh? What?’” Eckelberry recalled. “Today, people are getting it. More and more people are aware that self-reliance is super important.”

As president and COO of the security software company CyberDefender, Eckelberry led the firm to an IPO on the NASDAQ. Now he’s bullish on water-as-a-service, or water-on-demand, a way residential developments and enterprises, particularly small businesses, can treat their own water. This high-tech mentality of disruption is why “Airbnb took over hotels and Uber took over taxis,” he says. “And it’s gonna happen in water.”

[Listen for more: Ep. 5: The truth about hackers and (yes) your toilet]

How passwords and basic cyber hygiene can help water and wastewater systems

Basic infractions, like poor password security and outdated operating systems, have played a role in many of these attacks. In Aliquippa, CISA investigators discovered that the water authority was still using software with the manufacturer’s default “1111” password.

Cue the facepalm.

It’s a good reminder to enterprise leaders anywhere that basic cyber hygiene can never be reiterated too often.

Granted, it’s not solely an employee problem. Workers take shortcuts for a reason. Onerous login and other network procedures beg for staff workarounds. The solution? Enterprise leaders must improve their digital employee experience, a strategy that can help keep a hybrid workforce more productive and IT desk less stressed.

But back to passwords… getting the balance right between security and convenience is vital. Check out these four key password myths worth busting.

[Read on: Tanium experts bust common password myths]

Water and wastewater funding – the tricks to finding it

Focal Point covered the basics of how to apply in a feature article in 2022 and in a Let’s Converge podcast episode last year. Competition for the third year of funding is about to get tougher, so water workers should start planning now. Opening communication channels with county leaders is a good first step.

For more tips on how to approach the application process, and an analysis on how the program’s rollout has gone thus far, check out our SLCGP update from January.

[Read on: The SLCGP is another year older – here’s what you need to know about federal cyber grants]

---

To report an incident:

All organizations should report any actual or suspected cybersecurity incidents to…

• CISA – For the agency’s 24/7 Operations Center, send an email to [email protected] or call 888-282-0870.
• FBI – Contact your nearest FBI field office or report info to tips.fbi.gov.

---

For more water and wastewater cybersecurity resources

CISA executive assistant director for cybersecurity Eric Goldstein calls the water and wastewater sector “target-rich, cyber-poor.” True – for now. But a slew of resources and tools can help turn things around. Consider any of the following:

Environmental Protection Agency (EPA)

• Cybersecurity Assessment and Technical Assistance – The EPA offers free confidential cyber assessments and tech assistance offered in partnership with Horsley Witten Group, an engineering and environmental consulting firm.
• Cybersecurity Tabletop Exercise (TTX) – This step-by-step guide outlines how water and wastewater utilities can design their own tabletop exercise.
• Cybersecurity Incident Action Checklist – First and foremost, a rock-solid incident response plan requires speed. This PDF offers just that: Designed for “on-the-go convenience,” it divvies up instructions into three “rip-and-run” sections for when cyber incidents strike water and wastewater facilities. There’s even space to add your own notes and contact info. (You can also find water and wastewater checklists for wildfires, floods, tornadoes, and other crises here.)
• Cybersecurity best practices for the water sector – This gallery provides a slew of info and links to water and wastewater resources that address cybersecurity funding, training, planning, and more.

Cybersecurity and Infrastructure Security Agency (CISA)

• Water and wastewater cybersecurity resource center – This gallery of links provides current info on funding opportunities, plus the latest intel on ransomware, phishing, and other issues.
• Water and Wastewater Incident Response Guide – Published in January with the FBI and EPA, this new soup-to-nuts explainer takes water and wastewater operators through the four stages of incident response. Best of all, it’s written in laymen’s terms – no technical expertise required.
• Cybersecurity Performance Goals – A cross-sector set of protections for critical infrastructure entities, both large and small, to reduce the likelihood and impact of cyber threats. It includes a baseline set of cyber best practices and a benchmark to measure and boost cyber maturity.
• Cyber Hygiene Vulnerability Scanning – Provided free for any system that registers, this mostly automated service conducts weekly scans and reports, pointing out weak configurations and known vulnerabilities.

National Institute of Standards and Technology (NIST)

• Computer Security Resource Center – This is the mothership, with info and links to NIST’s cybersecurity projects, publications, news, and events, plus a glossary of terms (you’ll need that).
• The NIST Cybersecurity Framework (CSF) 2.0 – This latest revise, issued last month, offers comprehensive instructions and supplementary resources to help organizations understand, assess, prioritize, and communicate cybersecurity risk. NIST’s framework serves as the source of CISA’s Cybersecurity Performance Goals (CPGs) and is designed for enterprises in all industries.
• Security and Privacy Controls for Information Systems and Organizations – A security publication with the latest updates, templates, spreadsheets, and other assets designed to offer a customizable plan to manage risk.

American Water Works Association (AWWA)

• Cybersecurity and Guidance homepage – An online cyber resource center with a wealth of info for water systems, including the AWWA’s Cybersecurity Guidance and Assessment Tool: First issued in 2014, this regularly updated interactive tool asks utilities questions about the specific tech they use, and generates a customized, prioritized list of controls.
• Water Sector Cybersecurity Risk Management Guidance for Small Systems – Developed in partnership with the U.S. Department of Agriculture, this “getting started guide” helps small, rural utilities assess and implement cybersecurity best practices.
• Proposed regulatory framework – The AWWA has called for a regulatory framework similar to that of the electric industry, in which an organization of water utilities would develop standards to be overseen and audited by the EPA.