Since 2020, the U.S. Environment Protection Agency (EPA) has doled out more than 100 enforcement actions against community water systems (CWS) across the U.S. for violations of the Safe Water Drinking Act.
Securing the nation’s approximately 153,000 publicly owned and operated drinking water systems and 16,000 wastewater systems is a responsibility that shouldn’t be taken lightly. However, the majority (70%) of community water systems inspected since September 2023 don’t even meet the baseline security requirements outlined in the Safe Water Drinking Act (SWDA). That’s why the EPA issued an enforcement alert outlining the urgency of complying with the SWDA.
Gee, that’s comforting, particularly when you consider that cyber attacks against U.S. water and wastewater systems are on the rise. We saw evidence of that this year when cybercriminals attacked a small Texas town’s water facility, causing a tank to overflow.
What can these community water systems (and other critical infrastructure organizations) do to harden their defenses against potential cyber attacks and avert disaster?
Let’s hash it out.
What Threats Against a Public Water Utility Look Like
Eric Goldstein, Executive Assistant Director for Cybersecurity at Computer Information Security Agency (CISA), described Water and Wastewater Systems (WWS) as being “target rich, cyber poor.” This is because subsets of these systems (called community water systems) supply potable water to an estimated 80% of the nation’s population. If something were to happen to this critical infrastructure, we’d be up an aptly named brown creek without a paddle.
What sorts of issues or concerns could arise from a cyber attack against public drinking water and wastewater systems? According to the Computer Information Security Agency (CISA):
“The Water and Wastewater Systems Sector is vulnerable to a variety of attacks, including contamination with deadly agents; physical attacks, such as the release of toxic gaseous chemicals; and cyberattacks. The result of any variety of attack could be large numbers of illnesses or casualties and/or a denial of service that would also impact public health and economic vitality.”
Even seemingly unrelated international events can spill over and directly impact our water supply. Just look at the sanctions that were placed on Iranian officials after a government-sponsored militia group launched a cyber attack on a water authority in western Pennsylvania.
According to the BBC, the facilities used technologies manufactured by an Israeli company. How’d they do it? By exploiting a default password to disable a water pressure regulation monitor. (We’ll speak more about default password security concerns later.)
Thankfully, in this situation, plant managers were able to manually override the attackers before something worse happened. But that may not always be the case in future attacks.
What a Suspected Real-Life Cyber Attack on a Water Treatment Facility Looks Like
In February 2021, we wrote about how a hacker breached a Florida water treatment plant. At the time, it was widely reported that an unknown assailant remotely tampered with the lye levels in the water (which, when used at proper levels, is used for cleaning and pH balancing), raising them to unsafe levels from 100 parts per million to 11,100 ppm. This would cause a wide array of harmful to potentially catastrophic injuries — deadly gastrointestinal issues, hair loss, skin damage, etc.
Needless to say, the news spread like wildfire, making international headlines. The good news here is that the plant employee reportedly observed the level of the caustic chemical skyrocketing to dangerously high levels and changed it back before anyone got hurt. But the situation doesn’t end there. In April 2023, CyberScoop reported that authorities were on the fence about whether an attacker was responsible for the situation after all. They’re still not certain about the cause of the incident.
Whether that situation resulted from a hacker or an overzealous employee, the point is that if it was a hacker, then it could be just one of many water treatment plants that are viewed as being at risk of cyber attacks.
Breaking Down the Risks to the Nation’s Critical Infrastructure Sectors
Some good news for the Water and Wastewater Sector is that it ranked among the lowest in 2023 regarding reported ransomware attacks. Yup, it’s not even in the top 10. The FBI’s Internet Crime Complaint Center (IC3) team reported in its 2023 Internet Crime Report that of the 1,193 complaints received in that period, “only” 8 affected Water and Wastewater Systems (WWS).
Granted, this number is more than double what it was in 2022. But it’s still relatively minor when compared to, say, the Healthcare and Public Health Sector and Critical Manufacturing Sector data shared by the FBI’s Internet Crime Complaint Center (IC3) in its 2021, 2022, and 2021 Internet Crime Reports:
So, even though Water and Wastewater Systems rank near the bottom of the list for reported ransomware incidents, there are other methods of attack that bad guys can employ. They’re essential systems that consumers and businesses across the country rely on every day and must be protected at any cost.
What Makes Water Systems Vulnerable? Insecure IT and IoT
The security of WWS IT infrastructure and systems often depends on how organizations use and (don’t) secure their connected technologies.
How Water Utilities Are Using IoT and OT
U.S. drinking water and wastewater systems often rely on a web of Internet of Things (IoT) and operational technology (OT) devices. These tools help reduce operational costs, increase efficiency, and improve monitoring (e.g., to keep an eye on water quality levels and identify leaks more quickly).
But what do some of these systems entail? Several Polish researchers compiled a summary list of common IoT technologies you’ll find in water quality systems, which include:
- Actuators: These devices allow operators to remotely monitor and manipulate specific chemical levels, adjust water flow, or carry out other necessary functions.
- Gateways: These network devices serve as intermediaries, connecting multiple systems and devices to a central monitoring system to analyze, process, and store their data.
- Smart meters: These tools measure water flow and usage to identify potential issues (such as leaks) and calculate usage for consumers.
- Smart sensors: These devices remotely measure various aspects of a water supply (pH levels, chemical levels, contaminants, water quality, etc.) and collect data for record-keeping and compliance-related purposes.
Of course, depending on your environment, there are likely other devices and systems in place. But there’s no way to cover them all here.
Why Improperly Managed IoT Leaves Systems at Risk
IDC estimates that the number of IoT devices in use will soar to 55.7 billion by 2025, saying that these systems will be responsible for generating nearly 80 billion zettabytes (ZB) of data. (For a layman’s look at what these levels of data really mean, check out our article on how much data there is in the world.)
The problem with using IoT in virtually any system, including WWS, is that these technologies are inherently insecure. Many IoT devices are deployed without a way for manufacturers to deliver secure updates, or updates are infrequent or don’t get rolled out by plant operators quickly.
There are two main areas of concern:
- Data privacy: If organizations don’t use secure, encrypted connections to transmit their data, then the data is at risk of eavesdropping and interception attacks.
- Cybersecurity: Every connected device is a potential attack surface for cybercriminals. If even one device has an unaddressed vulnerability or is no longer supported, it’s a neon flashing “Welcome” sign, pointing to an entry point into your network.
Bad guys with the know-how and opportunity can exploit these deficiencies to capture and read your insecure data or even inject their own malicious code. These attacks can result in everything from health and safety issues and system downtime to financial losses and reputational harm in the eyes of your customers and other stakeholders.
Knowing this, let’s explore some of the U.S. federal government laws and various amendments that aim to protect the quality and security of these essential systems.
Remember the Safe Water Drinking Act Mentioned Earlier? Let’s Touch on That…
As the name implies, the Safe Water Drinking Act is a federal law dating back to 1974. It set the stage for the EPA to create and enforce minimum standards for drinking water quality and safety that public water systems must abide by.
The law has been amended several times over the past 50 years, most recently:
- In 2002: SDWA was updated by Title IV of the Public Health Security and Bioterrorism Preparedness and Response Act. The revision implemented specific security vulnerability assessment, certification, and emergency planning requirements to improve drinking water infrastructure. It added the following sections to the Safe Drinking Water Act:
- Section 1433: Terrorist and Other Intentional Acts
- Section 1434: Contaminant Prevention, Detection and Response
- Section 1435: Supply Disruption, Prevention, Detection and Response
- In 2013: White House Executive Order (EO) 13636 places the EPA in charge of Water and Wastewater Systems Security (including all cybersecurity efforts)
- In 2018: The Federal Register states that Section 2013 of the American Water Infrastructure Act (AWIA) amended SDWA Section 1433. The changes create new requirements regarding risk and resilience assessments (RRAs) and emergency response plans (ERPs) for organizations serving populations larger than 3,300 people. It also specifies that the EPA must provide technical assistance and guidance for water systems serving communities that have 3,300 or fewer people.
In early 2024, a joint Water and Wastewater Sector Incident Response Guide was released. The comprehensive resource aims to help organizations augment their incident response plans and procedures and includes contributions from more than organizations across the sector.
Here’s a quick timeline that showcases this chain of events relating to the industry’s cybersecurity-related concerns:
How Water Systems Are Responsible For Securing Their Infrastructures
Under the AWIA-amended Safe Water Drinking Act, the EPA must provide “technical guidance” to CWS serving 3,300 or fewer people. If a CWS entity serves more than 3,300 people, its owners and/or operators must perform RRAs and ERPs every five years.
(NOTE: Much of this info is covered under the Section 2013 AWIA resource provided earlier):
1. Conduct and Certify a Risk and Resilience Assessment (RRA)
These risk assessments evaluate the following physical security risks, tolerances, and practices of a WWS entity:
- Resilience of the water systems’ physical infrastructure,
- How chemicals are used, handled, and stored,
- Impacts of man-made and natural emergencies, and
- Other key considerations.
According to the EPA, utilities self-certify and create certification statements that they submit to the overseeing agency. (Nothing like having the fox guard the hen house, right?) However, the EPA provides the following resources for carrying out the RRA process:
2. Develop and Certify an Emergency Response Plan (ERP)
This involves documenting strategies and resources for improving physical and cybersecurity responses for if/when crap hits the fan. Although the EPA provides a CWS ERP template, it’s best to tailor the strategy and documentation to meet your organization’s specific needs. The comprehensive resource should touch everything from emergency response and incident command system roles and communication strategies to emergency response and incident detection and mitigation strategies.
An ERP must be done within six months of completing the RRA. (NOTE: ERPs are also self-certified.)
3. Submit Their Certification Confirmations to the EPA.
This involves submitting the certification statements, not the certification documents themselves, to the EPA via email, traditional mail, or via the EPA’s online portal. The EPA tracks each certification by its corresponding Public Water System Identification (PWSID) number.
4. Review, Revise, and Re-Certify
Nothing lasts forever, including your RRA or ERP. CWSs must update these plans every five years as necessary and re-submit their re-certification statements. The next round of RRA and ERP certification deadlines are as follows, divided by the size of the population served:
Population Served | Previous RRA Deadline | 5-Year Re-Submission RRA | Previous ERP Deadline | 5-Year Re-Submission ERP |
≥100,000 | March 31, 2020 | March 31, 2025 | Sept. 30, 2020 | Sept. 30, 2025 |
50,000-99,999 | Dec. 31, 2020 | Dec. 31, 2025 | June 30, 2021 | June 30, 2026 |
3,301-49,999 | June 30, 2021 | June 30, 2026 | Dec. 31, 2021 | Dec. 31, 2026 |
Aren’t Small Towns Safe From These Cybersecurity Risks?
Absolutely not. Remember that town in Texas we mentioned at the beginning of the article that suffered a water system cyber attack? Muleshoe is a community of about 5,000 people, so the town’s water utility would likely fall under these requirements. The Florida water treatment plant we previously wrote about likely would as well, as it’s serving an even larger population.
“Small water systems are not immune from cyberattacks. Recently, disruptive cyberattacks from adversarial nation states have impacted water systems of all sizes, including many small systems. As a result of these increased threats, EPA is increasing its enforcement activity to protect our nation’s drinking water.”
So, no matter if you work at a big or small CWS, you’re an attractive target for hackers and other cyber miscreants. Furthermore, a report from the Congressional Research Service shows that nearly half of the public and privately owned water systems in the U.S. fall within the Community Water Systems classification.
- Most CWSs (81%) serve fewer than 3,300 individuals.
- 9% of CWSs serve more than 83% of the U.S. population served by these water systems (~260 million people).
For example, here’s a look at Florida’s Public Water Supply Plants, which lists 5,884 non-federally controlled or owned facilities:
13 Ways to Harden the Security of Your Water Systems
The joint fact sheet “Top Cyber Actions for Securing Water Systems” from CISA, EPA, and FBI outlines actions that WWS sector companies and municipalities can take to secure their resources and increase resiliency.
We’ve put together the following recommendations of best practices (broken down by area of risk):
Know What’s on Your Network (And If It’s Up to Date)
- Perform regular cybersecurity assessments. These are related but separate from the RRAs that are required for EPA certification. This should involve assessing your organization for physical and digital cybersecurity risks so they can be mitigated.
- Inventory your IoT/OT systems and assets. If you don’t know already, then get a proper accounting of every device, app, or other digital asset operating within your IT ecosystem. Regularly update these inventories and keep them current so no legacy systems fall through the cracks over time.
- Perform regular systems patching. Much like any regular computer, the IT devices and systems running our facility also need to be maintained. This includes regularly implementing security patches and other updates that eliminate vulnerabilities within your systems.
Know Who (and What) Accesses Your Network, Devices, and Data
- Use PKI to authenticate all IoT devices on your network. Public key infrastructure (PKI) is a great way to secure internal resources. You can use IoT device certificates to enable mutual authentication for your IoT devices.
- Use certificate-based authentication for network users as well. This approach enables you to bypass the traditional password-based authentication systems and serves as a form of multi-factor authentication (MFA).
- Shore up your user access controls. Don’t want unauthorized users and devices accessing your critical systems? Don’t give them the chance. Set robust access controls and restrict permissions to only those who absolutely need it to do their jobs and don’t forget to revoke that access immediately once they no longer need it (i.e., when they change or leave their jobs or if their roles/responsibilities change).
Pairing access permissions with PKI-based authentication ensures that only authenticated, authorized users and devices can access your secure systems and data.
Secure Your Entity’s IT Ecosystem
- Button up your public-facing internet exposure risks. One great way to do this is to keep your IoT devices on a separate (ideally dedicated) network from other critical systems. Cross your T’s and dot your I’s to ensure that your public and private network resources stay in their respective lanes. To quote Kipling: “Never the twain shall meet.”
- Secure all network connections. SSL/TLS security isn’t just for your public website. You can use private CA SSL/TLS certificates to secure the data in transit between your internal network apps, services, and sites using public key encryption.
- Educate your employees. Educate and train your employees to recognize and respond to threats appropriately and follow industry cybersecurity best practices. They’re often your organization’s first line of defense against threat actors.
- Avoid using default passwords or hard-coded credentials. Don’t use default credentials and never, ever hard-code them into your systems and apps! This is one of the biggest mistakes companies and organizations across all sectors can make, and they often end up getting leaked by accident.
- Automate your IoT device security lifecycle. DigiCert recently announced its new DigiCert Device Trust Manager (formerly known as IoT Trust Manager), a robust IoT device security and lifecycle management solution that’s part of DigiCert ONE. This tool enables you to secure your devices and data and use automation to deploy and manage your devices.
Plan For the Worst, Hope For the Best
- Develop and maintain current cybersecurity incident response and recovery plans. When things go wrong, it’s crucial to know the systems, plans, and people you have in place to respond and get you back to working order.
- Create regular backups of essential IoT/OT systems and data. It’s virtually inevitable that something will go wrong at some point, so it’s best to be as prepared as you can be for when things do.
Do You Work in Another Critical Infrastructure Sector? These Security Concepts Still Apply
Critical infrastructure is a term encompassing a total of 16 independent sectors, including WWS. So, if you think that many of these security best practices won’t apply to you because you work in another critical infrastructure sector… you’d be wrong.
The overwhelming majority of the practices we mentioned aren’t limited to only Water and Wastewater Systems but are applicable across many (if not all) of the nation’s other 15 critical infrastructure sectors, as they often involve IoT technologies in one form or another:
- Chemical Systems
- Commercial Facilities
- Communications
- Critical Manufacturing
- Dams Sector
- Defense Industrial Base
- Emergency Services
- Energy
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
Although each of these sectors is very different regarding the functions they serve, all of these industries share a growing reliance on IT/OT systems. Without proper security mechanisms in place, these systems are vulnerable to physical or remote access.
This post was originally published on the 3rd party site mentioned in the title of this this site