Water is the only public utility service that we physically consume, so a cyberattack on the nation’s water sector can have dangerous and even life-threatening consequences. And with a wealth of data to protect and an expanding attack surface caused by digitalization, cybersecurity vulnerabilities are prevalent: in the past year, 10% of water utilities have reported a critical vulnerability and 40% a high vulnerability, with 80% of these being software flaws discovered before 2017. But despite these long-standing vulnerabilities, 60% of water organizations spent less than 5% of their budget on IT security in 2021.
Why are water utilities vulnerable?
Like other utilities, the water sector has increasingly digitalized its systems, using automation to reduce personnel costs and streamline operations. SCADA and industrial control systems enable organizations to remotely monitor water levels, operate pumps and valves, and adjust chemical treatments. But these advances have also introduced cybersecurity risks, with systems storing more data and becoming increasingly intertwined with the Internet, expanding their attack surface.
A lack of universal security standards
Holding data on each customer, vendor, and partner in their ecosystem, water companies have a responsibility to maintain compliance with a variety of different security regulations, including the GDPR, CCPA, and PIPEDA. But the lack of universal regulations within the water sector means that many systems fail to meet basic security standards, and compliance efforts can divert human and financial resources away from other cyber activities.
The cyber skills gap
More than 70% of surveyed utilities reported having fewer than three full-time personnel dedicated to IT cybersecurity, and only 30% reported having a Chief Information Security Officer (CISO). Without enough trained personnel or an adequate security budget, water companies will struggle to detect, respond to, and recover from a cyberattack.
Cyber breaches targeting water systems
One of the most alarming cyberattacks on the utilities sector was last year’s breach of a water treatment facility in Oldsmar, Florida. A hacker accessed the facility’s network, manipulating the level of sodium hydroxide, commonly known as lye, in the water to a corrosive and potentially poisonous level.
Thanks to an employee who witnessed the hacker’s movements in real time, the attack was thwarted and the city’s 15,000 residents were saved from ingesting contaminated water. However, this employee initially failed to report the incident after assuming it was a fellow employee. In a subsequent investigation, the FBI cited weak passwords and outdated operating systems as contributors to the hacker’s success in accessing the system, demonstrating a need for better cybersecurity training and regulation.
In March 2019, a similar attack succeeded in shutting down various components of a drinking water plant in Ellsworth, Kansas, after a former employee used their still-active remote-access credentials to tamper with the system. And in 2018, water utility systems in North Carolina and Colorado were hit with ransomware attacks, forcing customer service functions offline and requiring a complete rebuild of some systems.
Nurturing cyber resilience in the water sector
Events such as the attack in Florida serve as a reminder of how frightening the consequences of a cyber breach on the water sector can be. In 2021, a joint advisory was issued by CISA, the EPA, and the NSA, warning of ongoing threats to water systems. The advisory identified that utilities are “inconsistently resourced,” relying on “unsupported or outdated operating systems and software” with known and exploitable vulnerabilities. To strengthen their cyber posture and reduce exposure to cyberattacks, water companies need real-time visibility into all emerging and present cyber threats.
Centripetal’s CleanINTERNET service provides enterprise-class cyber threat visibility to organizations of all sizes, working at scale to analyze over 3,500 intelligence feeds and proactively shield against 99% of known cyber threats. Centripetal’s team of analysts works as an extension of your security staff by delivering actionable threat intelligence directly to your team, bridging the cybersecurity skills gap. By creating a Zero Trust environment within water utilities’ networks, CleanINTERNET reduces the risk of non-compliance and its associated financial and reputational damage.