With local water departments facing a growing threat of cyberattacks, federal and state government agencies are urging a heightened focus on preparedness and prevention.
As evidenced by several high-profile attacks in recent months, municipal water systems are vulnerable to attacks from individual criminal actors, as well as foreign nations and their proxies.
Last December, the U.S. Cybersecurity and Infrastructure Security Agency briefed Capitol Hill staffers about a series of attacks on local water systems across the country, where a group of hackers accessed a number of facilities that were using the same type of computer equipment. Although the breaches did not lead to widespread disruptions, officials expressed concern because they were relatively simple to execute, essentially using default passwords to gain access.
Andrew Hildick-Smith, a longtime participant in the water industry and a technical assistance provider for the Massachusetts Department of Environmental Protection, said, “There’s a wide range of organizations, from larger firms down to independent attackers, who go after smaller amounts of money, whether it’s $10,000 or selling access to another criminal for $50.”
Potential threats include former employees, disgruntled employees, and criminals who fraudulently represent themselves as vendors looking for payment.
Hildick-Smith said ransomware represents the most common type of cyberthreat to water utilities. Attackers use ransomware to hold data hostage or restrict access to operations, allowing utilities to regain control only after they make a monetary payment. Consulting firm KPMG reports that ransomware attacks have skyrocketed over the last several years across all sectors, but utilities are seen as particularly appealing targets because cybercriminals can threaten to turn off power and water, impacting large populations.
In the water sector, ransomware attacks can impact both the information technology side of water systems and the operational technology side.
“A cyberattack that hits the IT side can impact billing, payroll and engineering files, but doesn’t normally affect the delivery of clean drinking water,” Hildick-Smith said. “Although either type presents a serious threat, an attack on the operational side runs the risk of stopping water treatment or distribution of water altogether.”
Water systems are particularly vulnerable to cyberattacks in part because of the sheer number of entities that exist, and because their resources in terms of funding and regulatory guidance are relatively modest. The U.S. water system encompasses approximately 150,000 entities, most of which serve fewer than 3,000 people. And most water systems are run by municipal governments, bringing additional challenges related to budget and staffing.
“Small, municipal water systems have a range of demands to deal with, such as lead and PFAS standards, so cybersecurity can become a lower priority,” HildickSmith said.
Resources for water departments
There are several different federal and state-level resources to help municipalities and local water departments boost cybersecurity preparedness.
Both CISA and the U.S. Environmental Protection Agency offer free cybersecurity assessment programs for local water utilities. Upon request, CISA will perform a detailed vulnerability scan and provide weekly reports indicating any findings so that action, such as patches, can be taken. CISA and the EPA also offer a range of resources such as cybersecurity briefing sheets, checklists, and tabletop exercises for staff training.
In Massachusetts, the DEP encourages water utilities to take advantage of cybersecurity assessments to meet the state’s cybersecurity requirements and to present results during state-level sanitary surveys.
For its members, MIIA offers cybersecurity insurance coverage, as well as training covering best practices for breach prevention and other cyber-related resources. For more information, visit the Cyber Liability Protection page on MIIA’s website.