October 8, 2024

Protecting America’s Water Systems: A Cybersecurity Imperative

America’s water systems are becoming targets for cyberattacks. Cybercriminals and nation-state actors exploit known vulnerabilities, threatening the safety and security of a critical public resource. Recent attacks have highlighted how urgently water utilities need to bolster their cybersecurity capabilities, especially given their limited resources.

The Growing Threat of Cyberattacks on Water Systems

In the past year, around 70% of water utilities inspected by federal agencies violated cybersecurity standards designed to prevent intrusions. Small communities, in particular, have become easy targets for cyberattacks, with threat actors linked to Russia and Iran focusing their efforts on vulnerable systems.

Water utilities rely heavily on sensors and computers to operate treatment plants, control distribution networks, and meet water quality standards. While this reliance improves operational efficiency, it also opens the door to potential cyberattacks. Compromised systems could lead to interruptions in water treatment processes, damage to essential equipment like pumps and valves, or even dangerous changes to water chemistry that could threaten public health.

Why Water Utilities Are Vulnerable

America’s water utilities face a unique challenge. The sector is highly fragmented, with approximately 50,000 utilities, many serving small towns with limited staff and budgets. These constraints make it difficult to implement comprehensive cybersecurity programs.

Without sufficient funding or technical expertise, these utilities often struggle to protect their systems from evolving threats. For many, simply maintaining clean water supplies and complying with the latest regulations is a full-time challenge. As a result, cybersecurity often falls by the wayside, leaving critical systems exposed to attack.

Key Vulnerabilities:

  • Outdated Technology: Many utilities rely on outdated process control systems (PCS) and industrial control systems (ICS), often connected to the Internet without proper security measures.
  • Lack of Awareness: Local governments and city councils frequently underestimate the scale of cybersecurity risks, leading to slow action on funding and resources for improvements.
  • Low Cyber Maturity: Utilities generally have low cyber maturity, with limited capacity for incident detection, response, and recovery.

A Troubling History of Attacks on Critical Infrastructure

Cyberattacks on critical infrastructure are not new but are becoming more frequent and sophisticated. The infamous May 2021 ransomware attack on the Colonial Pipeline, which caused widespread fuel shortages across the East Coast, exemplifies how attackers can wreak havoc on infrastructure.

Similarly, in February 2021, a hacker attempted to poison the water supply at a Florida treatment facility by raising the levels of sodium hydroxide to dangerous amounts. Fortunately, an employee acted quickly to neutralize the attack, but the incident served as a wake-up call to the risks facing water systems.

These incidents underscore that cyberattacks can have real-world consequences beyond financial damage: they can threaten public health and safety.

The Challenges of Cybersecurity in the Water Sector

The fragmented nature of the water sector, combined with resource constraints, makes securing water utilities particularly difficult. Most water systems operate with limited IT staff and low budgets, and cybersecurity initiatives often have to compete with more pressing needs like maintaining water quality and upgrading aging infrastructure.

Challenges Include:

  • Funding: Utilities frequently have to navigate long approval cycles to secure funding, and cybersecurity often isn’t prioritized over other pressing concerns.
  • Limited Expertise: Smaller utilities often lack in-house cybersecurity expertise, making it difficult to identify and address vulnerabilities.
  • Compliance Fatigue: Many utilities are overwhelmed by the sheer number of regulatory requirements they must meet, leaving little time or energy for proactive cybersecurity measures.

Preparedness is Key

Preparedness is the key to safeguarding public health and maintaining the integrity of our water systems in the face of rising cyber threats. While the challenges are significant, there are several practical steps water utilities can take to strengthen their cybersecurity posture.

Here are four key actions that can lead to meaningful improvements:

  1. Sign Up for CISA’s Free Vulnerability Scanning Program
    The Cybersecurity and Infrastructure Security Agency (CISA) offers a free service to help utilities identify system vulnerabilities before attackers exploit them. This program is a low-cost, high-impact solution for smaller utilities that may not have the resources to conduct regular vulnerability assessments.

  2. Follow EPA’s Cybersecurity Planning Guidance
    The Environmental Protection Agency (EPA) provides detailed guidance to help water utilities develop and implement cybersecurity plans tailored to their operations. This framework can help utilities prioritize risks and allocate resources effectively.
  3. Join WaterISAC for Threat Intelligence and Information Sharing
    WaterISAC is an information-sharing platform specifically designed for the water sector. By joining, utilities can stay informed about the latest threats, access best practices, and collaborate with other utilities to improve their defenses.
  4. Establish a Baseline with AI-powered tools such as Balbix
    Understanding which hardware and software are connected to the Internet and which have known vulnerabilities is critical for preventing cyberattacks. Balbix can automate this process by tracking PCS systems connected to the Internet and the vulnerabilities impacting them. Specifically, Balbix can help:
    • Identify Process Control Systems (PCS) Connected to the Internet: Many water utilities have PCS and other industrial control systems that are Internet-facing, often without the knowledge of their IT teams. Balbix can map these devices, identify risks, and suggest mitigations.
    • Prioritize the Most Critical Vulnerabilities: Not all vulnerabilities are equal. Balbix assesses which vulnerabilities are most likely to be exploited, helping utilities prioritize remediation efforts based on real-world risk.
    • Reduce IT Workload: By automating much of the vulnerability discovery and prioritization process, Balbix helps water utilities, many already understaffed, optimize their resources and focus on the most critical risk areas.

Conclusion

Water utilities cannot afford to take a reactive approach to cybersecurity. By taking advantage of free government resources, joining information-sharing communities like WaterISAC, and deploying advanced tools like Balbix, water systems can better protect their infrastructure from cyberattacks.