Eric Peterson - Director of Cybersecurity Operations - New Era Technology
“Securing Our Water: The Rising Tide of Cyber Threats”
In an era where digital threats loom as large as physical ones, our water systems have become an unexpected battleground. Recent events have highlighted a disturbing trend: cyberattacks on U.S. water infrastructure are not just increasing – they're evolving in sophistication and impact.
The Alarming State of Water Cybersecurity
The statistics paint a sobering picture. According to the Environmental Protection Agency (EPA), a staggering 70% of water utilities inspected by federal officials over the last year violated standards meant to prevent breaches or other intrusions. This vulnerability isn't just theoretical – it's being actively exploited.
With over 148,000 public water systems nationwide, the scale of potential risk is immense. These systems, locally owned and operated on varying budgets, often need help prioritizing cybersecurity amidst other operational demands.
Why Water Systems Are Prime Targets
- Outdated Infrastructure: Many water systems rely on aging technology with inadequate security measures.
- Resource Constraints: Smaller utilities often need more budget and expertise for robust cybersecurity. As Rick Geddes, a professor of infrastructure policy at Cornell University, notes, "A lot of these systems are stretched thin fiscally. They have enough budget to keep the water system running".
- Critical Impact: Disrupting water services can cause immediate and widespread public health concerns. The EPA warns that cyberattacks could interrupt water treatment and storage, damage pumps and valves, and cause hazardous changes to chemical levels in our water.
The Threat Landscape
Nation-state actors from Iran, Russia, and China are actively targeting U.S. water infrastructure. EPA Deputy Administrator Janet McCabe specifically named these countries as "actively seeking the capability to disable U.S. critical infrastructure, including water and wastewater".
Recent incidents illustrate the severity of the threat:
- An Iranian-linked group called "Cyber Av3ngers" targeted a Pennsylvania water provider in late 2023.
- Russian-linked "hacktivists" attempted to disrupt operations at several Texas utilities in early 2024.
- A China-linked group, Volt Typhoon, has compromised IT systems and multiple critical infrastructure systems, including drinking water facilities.
Mitigation Strategies
1. Implement Multi-Factor Authentication: This simple step can significantly reduce unauthorized access.
2. Regular Risk Assessments: The EPA emphasizes the importance of comprehensive vulnerability assessments, including cybersecurity.
3. Employee Training: Human error remains a significant risk factor. Regular cybersecurity training is crucial.
4. Network Segmentation: Isolate critical systems from general IT networks to limit potential damage.
5. Incident Response Planning: Develop and regularly test response plans for various cyber scenarios.
The Path Forward
Securing our water infrastructure is not just an IT issue – it's a matter of national security and public health. The EPA is taking action by offering federal assistance and training to water utilities. However, as cybersecurity expert Robert Siciliano suggests, investing in third-party managed security services may provide additional protection.
The challenges are significant, particularly for smaller water systems with limited resources. Yet, as Amy Hardberger, a water expert at Texas Tech University, points out, developing cybersecurity capabilities is necessary for water utilities despite the difficulties.
As we navigate these turbulent waters, collaboration and knowledge-sharing will be critical. We must treat cybersecurity as an essential component of water infrastructure, deserving the same attention and investment as physical assets.
The threats are real, but so are the solutions. By staying informed, proactive, and united, we can ensure that our water systems remain safe and reliable in the face of evolving cyber threats.
What steps is your organization taking to secure critical infrastructure? Let's continue this important conversation in the comments below.