3 Reasons Water Treatment Facilities Need Cybersecurity & 3 Strategies to Use
About the author:
Emily Newton is an industrial journalist. She regularly covers stories for the utilities and energy sectors. Emily is also Editor-in-Chief of Revolutionized.
Water treatment plants are crucial parts of local infrastructure, ensuring residents have ongoing access to safe, clean water for cooking, bathing, and staying hydrated. However, since hackers love wreaking as much havoc as possible when orchestrating their attacks, it is no surprise that they are starting to target such facilities.
Below is a look at why water treatment cybersecurity deserves further investigation and what professionals in this sector can do to safeguard their systems.
1. The Industry Is at an Elevated Risk of Attacks
Fragmentation is one aspect that makes a water treatment plant theoretically easier to target than some other types of essential infrastructure. That is because there is no all-encompassing effort at the federal or industry level to assess cybersecurity within the water sector.
Mike Keegan, an analyst at the National Rural Water Association Trade Group, explained.
“It's really difficult to apply some kind of uniform cyber hygiene assessment, given the disparate size and capacity and technical capacity of all the water utilities,” he said. “You don't really have a good assessment of what's going on."
More specifically, there are more than 50,000 water facilities in the U.S., most of which are nonprofit entities.
Some water treatment plants have dedicated cybersecurity experts on staff, particularly when the facilities serve large cities. However, those in rural areas may only have a relatively small number of employees overall and none who are cybersecurity professionals.
Moreover, U.S. officials have never conducted a nationwide water security audit, and the government reportedly has no plans to change that. Cyberattacks on water treatment plants are no longer theoretical possibilities. So far, no attacks have caused widespread illnesses or fatalities. However, that may not always be the case if decision-makers fail to take action to safeguard systems.
2. Vulnerabilities Have Already Caused Issues
Cybersecurity experts often identify weaknesses in software or processes, then warn that those problems could have disastrous consequences if left unaddressed. However, water treatment cybersecurity shortcomings have already become apparent in real-life situations.
In one Florida cyberattack incident that received widespread media coverage, evidence suggests that the perpetrators changed the chemical levels used in a water treatment plant’s processes, which could have poisoned the area’s residents.
More specifically, the attackers raised the sodium hydroxide level to 11,100 parts per million (ppm), a substantial increase from the normal levels of 100 ppm. That chemical regulates pH levels and protects pipes from damage. However, it harms human tissue at excessive levels. Fortunately, plant workers immediately detected the changes and restored them to the correct values.
Maintaining water treatment equipment involves understanding how failing to take certain precautions could bring unwanted costs. For example, a fire tube-type boiler can waste 2% of its fuel with a mere 1/32” of scale deposits inside. That problem could bring up to $72,000 in extra operating expenses. However, specialty chemicals can minimize those effects, keeping costs manageable.
Similar to how water treatment professionals use such strategies to reduce adverse consequences with essential equipment, they must understand how appropriate water treatment cybersecurity measures could reduce unwanted scenarios. After all, even if an event does not harm customers, it may still hurt a company’s reputation by causing public distrust.
RELATED: 6 Steps to Cybersecurity Confidence for the Water Sector
3. Hackers Could Lock Employees out of Critical Systems
The threat of hackers tampering with systems and potentially making water toxic is certainly cause for alarm. However, it is not the only kind of damage cybercriminals could cause.
One recent event affected a Maryland water treatment facility and resulted in a ransomware attack. Company representatives released a statement to assure the public that the event did not disrupt water availability or quality. However, the incident did allow criminals to access the facility’s internal data.
Hackers often target city infrastructure when planning ransomware attacks. Public schools, police departments, and hospitals are some of the critical services affected by malicious parties in the past. When criminals demand millions of dollars or more to restore services, some officials decide not to engage. They know that paying the ransom is no guarantee of getting the data back.
However, even if affected water facilities have backups of data compromised in ransomware attacks, it could take months to restore all services and operations. That is why it is ideal for water facility professionals to understand what kinds of cyberattacks could affect them, plus which steps to take to minimize the possibility of future problems.
Strategies for Better Water Treatment Cybersecurity
There is no single best way to strengthen cybersecurity at a water treatment plant. However, these tips will help companies get off to a strong start in making improvements.
Adopt a Zero Trust Approach
Cracking down on cybersecurity vulnerabilities starts by limiting access and never automatically extending it to anyone — not even the most senior employee at a plant. Taking such precautions is necessary because of the potential effects of a successful attack.
Bill O’Neill, vice president of public sector at ThycoticCentrify, confirmed this approach is a strong first implementation.
“To help lock down critical systems, we suggest enforcing least privilege and adopting what is referred to as a ‘zero trust’ approach,” O’Neill said. “This means trusting no one until they have been adequately verified and validated, re-establishing trust. Through self-service workflows, admins can request elevated privileges just in time for a limited time. This approach of verifying who is requesting access, the context of the request, and the access environment’s risk combine to mitigate the risk of a breach.”
Focus on Employee Education
A recent survey found that cyberattacks on critical infrastructure still do not get noticed by many members of the American workforce. For example, 45% of respondents did not hear about the cyberattack on Florida’s water supply. There’s likely a substantially higher percentage of professionals working in the water treatment sector who did hear about it.
Even so, facility managers should strongly consider creating a worker education program that goes over the types of cyberattacks the water industry is most likely to experience, as well as mitigation methods that anyone can practice.
For example, reports say that a recent attack on a San Francisco water treatment plant occurred because the hacker could log in to systems using a former employee’s credentials. It is unclear how the perpetrator obtained them; however, this situation could serve as a learning experience that reminds employees that they should never share passwords and that the responsible parties should deactivate account access immediately once an employee leaves the company.
Identify & Protect Potential Entry Points
The Water Sector Coordinating Council recently released a cybersecurity study that illuminated some areas of improvement within the industry. Awareness of IT assets was one such factor.
For example, only 37.9% of respondents had identified all of their IT-networked assets. However, another 21.7% were working towards that goal. Not knowing where cybercriminals could break into a system will substantially hinder progress in keeping critical infrastructure safe.
However, a lack of necessary resources was another trend identified in the study. The data showed that more than 47% of respondents lacked technical assistance, including advice and access to assessments. Then, more than 41% of those polled cited needing federal grants or loans to move ahead with cybersecurity aims.
These findings emphasize that water facility managers may not have all the resources needed to make enough cybersecurity gains. Even so, they should do their best to identify all the IT assets that cybercriminals could exploit, then assess each one to determine the best protective measures to take.
RELATED: Infrastructure Bill Passes House, Water & Wastewater Funding Breakdown
Cybersecurity Is Critical to Water Treatment Success
Ensuring a water treatment plant operates smoothly is not solely about having the right equipment, using the right chemicals, or having a large enough workforce. Those are important aspects, but managers should also prioritize keeping internet-connected systems safe.
An effective water treatment cybersecurity plan requires more actions than what’s suggested here. However, the tips above give decision-makers excellent starting points that can guide their future actions.