Critical Infrastructure: How to Protect Water, Power and Space from Cyber Attacks
Published on by Water Network Research, Official research team of The Water Network
When the water sector runs as it should, wastewater is properly treated to avoid spread of disease; drinking water is safe for residents; and water is available for needs like firefighting, hospitals, and heating and cooling processes, per the Cybersecurity and Infrastructure Security Agency (CISA).
But the sector faces threats from profit-seeking cyber extortionists as well as from nation-state-affiliated attackers.
David Travers, director of the Water Infrastructure and Cyber Resilience Division of the Environmental Protection Agency (EPA), said some estimates find a three- to sevenfold increase in the number of cyber attacks against critical infrastructure, most of it ransomware. Some attacks have disrupted operations.
Water is an attractive target for attackers seeking attention, such as when Iran-linked Cyber Av3ngers sent a message by compromising water utilities that used a particular Israel-made device, said Tom Dobbins, CEO of the Association of Metropolitan Water Agencies (AMWA) and executive director of WaterISAC. Such attacks are likely to make headlines, both because they threaten a vital service and “because we’re more public, there’s more disclosure,” Dobbins said.
Targeting critical infrastructure could also be intended to divert attention: Russia-affiliated hackers, for example, could hypothetically aim to disrupt U.S. electric grids or water supply to redirect America’s focus and resources inward, away from Russia’s activities in Ukraine, suggested TJ Sayers, director of intelligence and incident response at the Center for Internet Security. Other hacks are part of long-term strategies: China-backed Volt Typhoon, for one, has reportedly sought footholds in U.S. water utilities’ IT systems that would let hackers cause disruption later, should geopolitical tensions rise.
From 2021 to 2023, water and wastewater systems saw a 300 percent increase in ransomware attacks.
Source: FBI Internet Crime Reports 2021-2023
Water utilities’ operational technology includes equipment that controls physical devices, like valves and pumps, or monitors details like chemical balances or indicators of water leaks. Supervisory control and data acquisition (SCADA) systems are involved in water treatment and distribution, fire control systems and other areas. Water and wastewater systems use automated process controls and electronic networks to monitor and operate practically all aspects of their operating systems and are increasingly networking their operational technology — something that can bring greater efficiency, but also greater exposure to cyber risk, Travers said.
And while some water systems can switch to entirely manual operations, others cannot. Rural utilities with limited budgets and staffing often rely on remote monitoring and controls that let one person supervise several water systems at once. Meanwhile, large, complicated systems may have an algorithm or one or two operators in a control room overseeing thousands of programmable logic controllers that constantly monitor and adjust water treatment and distribution. Switching to run such a system manually instead would take an “enormous increase in human presence,” Travers said.
“In a perfect world,” operational technology like industrial control systems wouldn’t directly connect to the Internet, Sayers said. He urged utilities to segment their operational technology from their IT networks to make it harder for hackers who penetrate IT systems to move over to affect operational technology and physical processes. Segmentation is especially important because a lot of operational technology runs old, customized software that may be difficult to patch or may no longer receive patches at all, making it vulnerable.
Some utilities struggle with cybersecurity. A 2021 Water Sector Coordinating Council survey found 40 percent of water and wastewater respondents did not address cybersecurity in their “overall risk assessments.” Just 31 percent had identified all their networked operational technology and just shy of 23 percent had implemented “cyber protection efforts” for identified networked IT and operational technology assets. Among respondents, 59 percent either did not conduct cybersecurity risk assessments, didn’t know if they conducted them or conducted them less than annually.
The EPA recently raised concerns, too. The agency requires community water systems serving more than 3,300 people to conduct risk and resilience assessments and maintain emergency response plans. But, in May 2024, the EPA announced that more than 70 percent of the drinking water systems it had inspected since September 2023 were failing to keep up with requirements. In some cases, they had “alarming cybersecurity vulnerabilities,” like leaving default passwords unchanged or letting former employees maintain access.
Some utilities assume they’re too small to be hit, not realizing that many ransomware attackers send out mass phishing attacks to net any victims they can, Dobbins said. Other times, regulations may push utilities to prioritize other matters first, like repairing physical infrastructure, said Jennifer Lyn Walker, director of infrastructure cyber defense at WaterISAC. Challenges ranging from natural disasters to aging infrastructure can distract from focusing on cybersecurity, and the workforce in the water sector is not traditionally trained on the subject, Travers said.
The 2021 survey found respondents’ most common needs were water sector-specific training and education, technical assistance and advice, cybersecurity threat information, and federal cybersecurity grants and loans. Larger systems — those serving more than 100,000 people — said their top challenge was “creating a cybersecurity culture,” while those serving 3,300 to 50,000 people said they most struggled with learning about threats and best practices.
But cyber improvements don’t have to be complicated or costly. Simple measures can prevent or mitigate even nation-state-affiliated attacks, Travers said, such as changing default passwords and removing former employees’ remote access credentials. Sayers urged utilities to also monitor for unusual activities, as well as follow other cyber hygiene steps like logging, patching and implementing administrative privilege controls.
There are no national cybersecurity requirements for the water sector, Travers said. However, some want this to change, and an April bill proposed having the EPA certify a separate organization that would develop and enforce cybersecurity requirements for water.
A few states like New Jersey and Minnesota require water systems to conduct cybersecurity assessments, Travers said, but most rely on a voluntary approach. This summer, the National Security Council urged each state to submit an action plan explaining their strategies for mitigating the most significant cybersecurity vulnerabilities in their water and wastewater systems. At time of writing, those plans were just coming in. Travers said insights from the plans will help the EPA, CISA and others determine what kinds of supports to provide.
The EPA also said in May that it’s working with the Water Sector Coordinating Council and Water Government Coordinating Council to create a task force to find near-term strategies for reducing cyber risk. And federal agencies offer supports like trainings, guidance and technical assistance, while the Center for Internet Security offers resources like free cybersecurity advising and security control implementation guidance. Technical assistance can be essential to enabling small utilities to implement some of the advice, Walker said. And awareness is important: For example, many of the organizations hit by Cyber Av3ngers didn’t know they needed to change the default device password that the hackers ultimately exploited, she said. And while grant money is helpful, utilities can struggle to apply or may be unaware that the money can be used for cyber.
“We need help to spread the word, we need help to potentially get the money, we need help to implement,” Walker said.
Attached link
https://www.govtech.com/security/critical-infrastructure-how-to-protect-water-power-and-space-from-cyber-attacks