Cyber trouble in water infrastructure: The federal drive for cybersecurity is exposing the industry's weak spots
The water sector, encompassing water and wastewater industries, is facing significant cybersecurity challenges, according to industry experts and government officials. The withdrawal of plans for periodic audits of public water systems has exacerbated these challenges, reducing oversight and the enforcement of security standards.
Key challenges include vulnerabilities in operational technology (OT) and industrial control systems (ICS), outdated or insufficient cybersecurity measures and emergency plans, under-resourced regulatory bodies, and escalating threats from ransomware groups and nation-state actors. These vulnerabilities, if exploited, can disrupt water quality and supply or even enable poisoning attempts.
To address these challenges, solutions being implemented or proposed focus on enforcing cybersecurity regulations, integrating cybersecurity incident response plans within overall emergency plans, investing in the modernization of OT and ICS infrastructures, promoting board-level accountability, using advanced AI/ML-driven monitoring and threat intelligence sharing, and encouraging cybersecurity insurance, vendor risk management, and broader governance policies.
New York, for instance, has recently implemented new rules mandating formal security programs, risk assessments, access management, network activity monitoring, incident response protocols, and mandatory cybersecurity training for operators every three years.
The industry is pivoting towards robust regulatory frameworks, modernization efforts, and holistic risk management approaches to combat increasingly aggressive cyber threats targeting critical water infrastructure. A failure to do so risks both public health and the continuity of vital water services.
The increasing digitalization through the installation of data logging equipment and smart meters is also contributing to the sector's exposure. In response, agencies like the National Cyber Security Centre (NCSC) in the U.K. and the Cybersecurity and Infrastructure Security Agency are providing extensive resources, including vulnerability scanning, tabletop exercises, and local funds, to water utilities.
The EPA, too, is working on creating a Water Sector Cybersecurity Task Force and has encouraged water utilities to embrace a public-private collaborative model similar to what is used by the electric power industry. However, industry leaders have emphasized the need for more resources to support the industry in enhancing cybersecurity.
The water sector's cybersecurity challenges are a pressing concern, with threats coming from both criminals and nation-states. The recent exploitation of vulnerable Unitronics programmable logic controllers by threat groups linked to Iran's Islamic Revolutionary Guard Corps underscores this threat.
In conclusion, the water sector must prioritize cybersecurity to protect public health and the continuity of vital water services. This involves robust regulatory frameworks, modernization efforts, holistic risk management approaches, and increased investment in cybersecurity measures and emergency plans.
- The water sector, due to its growing digitalization and the increasing threats from ransomware groups and nation-state actors, faces significant cyber risk, particularly in operational technology and industrial control systems.
- One of the key challenges in addressing these cyber risks is the need for more resources to support the industry in enhancing cybersecurity measures and emergency plans.
- To combat these cyber threats targeting critical water infrastructure, solutions being implemented or proposed include robust regulatory frameworks, modernization efforts, and holistic risk management approaches.
- While agencies like the National Cyber Security Centre and the Cybersecurity and Infrastructure Security Agency provide resources to water utilities, the water sector's cybersecurity vulnerabilities and the risk of data breaches highlight the need for increased privacy protection and cybersecurity insurance.
