
Oct 30 2024
Security

5 Ways to Strengthen Water Infrastructure Security

Water systems and utilities, under threat from a cascade of cyberattacks and physical breaches, can take several core steps to improve their security posture.

In early October, the largest utility in the U.S. was hit by a devastating cyberattack. The provider had to postpone all billing operations in the wake of unauthorized system access, and more than 14 million people were unable to pay for water during the weeklong billing shutdown.

Communities in Kansas, Pennsylvania and Texas also experienced disruptions to water systems after cyberattacks within the past year.

This has prompted warnings from federal agencies, including the FBI, National Security Agency and the Cybersecurity and Infrastructure Security Agency. Most hackers are motivated by financial gain, the agencies say, but others act on behalf of America’s geopolitical rivals such as China, Russia and Iran. Consequently, the EPA has said that it will ramp up inspections in the coming years.

As the cyberthreats and federal pressure mount, utilities can take several steps to significantly improve their security posture.


1. Adopt a Cybersecurity Framework and Stick to It

“Pick a framework that you can understand, such as one from the National Institute of Standards and Technology or CISA, and read it 10 times,” said Schene Groom, cybersecurity and infrastructure manager at LB Water Service.

NIST’s guidance, for instance, advises organizations on how to position themselves to identify risks, protect against cyberattacks, detect them, respond to them accordingly and quickly recover from them.

Small water systems, especially those with 50 or fewer employees, will likely need to augment their understanding of cybersecurity frameworks with expertise from third parties.

“If you don’t understand the framework, don’t just throw your hands up,” Groom said. “Engage your resellers and partners who have the staff to help with this.”


2. Secure Workstations, Data and Networks, or Work with an Expert

Small water systems — those serving fewer than 10,000 people — make up 95% of the nation’s community water systems, according to the EPA.

Most of the water utilities inspected by the EPA since September 2023 are out of compliance with the requirements of the Safe Drinking Water Act. Many were found to be using one login for multiple employees and failing to revoke access to former employees.

This partly stems from a lack of in-house security knowledge and expertise, said Groom, especially among smaller water systems. But it shouldn't preclude them from maintaining a stronger security posture.

95%

The percentage of water systems in the U.S. that serve 10,000 or fewer people

Source: epa.gov, “21st Annual EPA Drinking Water Workshop: Small System Challenges and Solutions,” Sept. 24, 2024

“A lot of the smaller utilities just lack the staff they need,” he said. “But there’s no reason why they shouldn’t have the same type of solution as the bigger guys — multifactor authentication, encryption, VPNs, firewalls. A lot of this can be sourced through managed service providers.”

Inadequate security controls don’t just increase the risk of an initial attack. They also heighten the threat of persistence. Hackers burrow deep into the IT environment so they’re harder to evict and are better positioned to inflict long-term damage. This might manifest as exfiltrating personally identifiable information that can be used for fraud.

“Someone who is small in the revenue department can still have a big, very bad breach,” Groom said.

3. Prioritize Penetration Testing and Incident Response

In that vein, Groom advises that water utilities investigate penetration testing to identify weaknesses. He recommends starting with red team pen testing to poke holes in defenses and identify the most at-risk attack vectors.

“From there, you get a sense of what you need to fix now, fix later or just generally what you need to be aware of,” Groom said. “This is not something that has to cost thousands of dollars, especially if you start bundling services with your MSP.”

Every utility should also have an incident response plan that, at a minimum, is based on guidance from an existing cybersecurity framework.

“Utilities need a clear way to identify indicators of compromise, determine what the attack vector was, what they were after, whether and how they got into the network, and how long they were in there,” Groom said.

4. Don’t Sleep on Physical Security

In the summer of 2024, a county in Michigan issued a Do Not Drink Water Advisory after an intruder physically broke into a water treatment plant. The incident highlighted the importance of physical security in conjunction with cybersecurity.


As the line between cyber and physical becomes more blurred, smarter, more cost-effective physical security solutions are necessary to secure water treatment plants and physical access to workstations that store customer data.

“Physically managing a perimeter is expensive,” Groom said. “It costs labor and time; it’s an operational expense that repeats every 8 hours.”

While water utilities may not be able to afford advanced, multiperimeter physical defenses, surveillance systems that use artificial intelligence to detect anomalous or potentially concerning activity in camera feeds help fill gaps.


“I want a tap on the shoulder, ‘Hey, take a look here,’” Groom said. “You can do that with smart surveillance systems and alarms. An alarm tells you what direction to look in and gives a human the opportunity to call the cavalry if needed.”

5. Secure Industrial Internet of Things Devices

Many water utilities are starting to use IIoT devices that improve equipment monitoring and staff safety. Each new endpoint is a new attack vector.

According to a report from CISA, an Iran-backed hacker group compromised water utilities by breaching poorly secured programmable logic controllers. Water utilities use PLCs to remotely transmit information to and from industrial equipment.

Other IIoT attack vectors that need to be secured include:

  • Supervisory control and data acquisition (SCADA) systems
  • Devices that rely on the Modbus communication protocol 
  • Devices that use Message Queuing Telemetry Transport (MQTT) protocol
  • Distributed control systems (DCSs)

These technologies and communication protocols provide fast and reliable remote access that allows industrial devices to talk to one another in near real time, but they’re not inherently secure. Modbus and MQTT, for instance, are open communication protocols that lack strong authentication by default, according to CISA.

Until defensive actions are taken — such as identifying all assets and endpoints that use these protocols, segmenting IIoT networks and protecting them with firewalls, and implementing strong authentication — these endpoints should be presumed to be at risk.
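One way to start the asset identification and segmentation check described above, shown as an added example that is not from the article or from CISA: the script inventories endpoints seen on Modbus and MQTT ports in a firewall flow export and flags clients that reach them from outside the control network. The CSV layout, the 10.20.0.0/24 control segment and every sample flow are constructed assumptions.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Registered TCP ports for the protocols named above.
OT_PORTS = {502: "Modbus/TCP", 1883: "MQTT (cleartext)", 8883: "MQTT over TLS"}

# Assumption: the utility's control network lives in this range.
OT_SEGMENTS = [ip_network("10.20.0.0/24")]

# Constructed sample of flows exported from a firewall (not real data).
SAMPLE_FLOWS = """src_ip,dst_ip,dst_port,action
10.20.0.15,10.20.0.40,502,accept
10.20.0.15,10.20.0.41,502,accept
192.168.5.23,10.20.0.40,502,accept
10.20.0.60,10.20.0.50,1883,accept
203.0.113.77,10.20.0.50,1883,accept
203.0.113.77,10.20.0.41,502,deny
10.20.0.61,10.20.0.51,8883,accept
192.168.5.23,10.20.0.9,443,accept
"""

def in_ot(addr):
    """True when the address belongs to a declared control-network segment."""
    return any(ip_address(addr) in net for net in OT_SEGMENTS)

def audit_flows(flow_csv):
    """Return (inventory, findings) built from accepted flows to OT ports."""
    inventory = {}  # (dst_ip, protocol) -> set of client IPs seen
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        port = int(row["dst_port"])
        if port not in OT_PORTS or row["action"] != "accept":
            continue  # unrelated service, or the firewall already blocked it
        key = (row["dst_ip"], OT_PORTS[port])
        inventory.setdefault(key, set()).add(row["src_ip"])
        if not in_ot(row["src_ip"]):
            # A client outside the control segment was allowed through.
            findings.append(("cross-segment", row["src_ip"], row["dst_ip"], port))
    # MQTT on 1883 runs without TLS, so logins and telemetry are unencrypted.
    for dst, proto in inventory:
        if proto == OT_PORTS[1883]:
            findings.append(("cleartext-mqtt", None, dst, 1883))
    return inventory, findings

if __name__ == "__main__":
    inv, issues = audit_flows(SAMPLE_FLOWS)
    for (dst, proto), clients in sorted(inv.items()):
        print(f"{dst:12} {proto:18} clients={sorted(clients)}")
    for issue in issues:
        print("FINDING", issue)
```

Each finding points to a firewall rule to tighten or a broker to move behind TLS and authentication; the inventory itself is the starting asset list.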

“This interconnected system has provided so many advantages to the citizens of the United States, but with digital transformation comes digital risk,” Grant Geyer, chief strategy officer for Claroty, recently told StateTech.

Geyer added that running in the other direction is not the right answer. Rather, he advises that utilities act now to face cyber risk so that they can be secure by design and benefit from IIoT devices indefinitely.

“The key is to go from being unaware to being open-eyed about the risk,” he said.
