Leaky Cybersecurity Holes Put Water Systems at Risk

Despite a spate of recent cyberattacks raising the awareness of water-infrastructure vulnerabilities, nearly 100 large community water systems (CWS) continue to have serious security weaknesses in Internet-facing systems, putting the water supply of nearly 27 million Americans at risk.

The critical and high-severity vulnerabilities affect more than 9% of the 1,062 water systems in the United States that serve at least 50,000 people, according to an Environmental Protection Agency (EPA) report released on Nov. 13. The vulnerabilities were discovered through passive assessments conducted in October that looked at more than 75,000 IP addresses and 14,400 domains.

Overall, millions of citizens — along with businesses, schools, and hospitals — rely on the affected water systems. "If malicious actors exploited the cybersecurity vulnerabilities we identified in our passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure," the EPA stated.

Over the past three years, water systems have become increasingly targeted by state-sponsored groups, ransomware gangs, and hacktivists. In 2023, Iran-linked cyberattackers compromised programmable logic controllers (PLCs) at a water utility in Pennsylvania, as well as 10 wastewater treatment plants in Israel. In 2021, a hacker targeted a water treatment plant in Florida and even changed the chemical mixture for the water, but did not have the sophistication to evade detection. In September, a water treatment plant in Arkansas City, Kan., switched to manual operation after the facility was the target of a cybersecurity incident.

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

Water system vulnerabilities are a critical issue that could impact businesses, especially power-generation systems and data centers, but especially have the potential to cause human harm, says Vinod D'Souza, head of manufacturing and industry in the Office of the CISO at Google Cloud.

"Water utilities are unique in the [operational technology] OT world because they directly impact public health, requiring stringent security to prevent catastrophic consequences like contaminated water supplies," he says. "Their geographical spread and complex systems pose distinct cybersecurity challenges not found in other sectors."

Water, Water, Everywhere ... Nary a Drop of Security?

The United States has nearly 150,000 water systems, consisting of three types of public infrastructure. Community water systems (CWS) provide water to residents living in a town or city year-round and account for approximately a third (33.7%) of water systems. Transient noncommunity water systems (TNCWS) supply water to travelers and visitors to a specific location — such as a campground or gas station — but not on a permanent basis. These make up 54.3% of public water systems. The final 12% of systems consist of nontransient noncommunity water systems (NTNCWS), which provide water to people in nonresidential locations — such as schools, businesses, and hospitals.

Related:Going Beyond Secure by Demand

Because many water agencies are small and serving communities, they face the same challenges as other local government agencies: a lack of resources, legacy technology, architectures that were not designed to be defensible, and a lack of visibility, says Paul Shaver, global practice lead for ICS/OT security consulting at Google Cloud's Mandiant division.

"This is compounded by the fact that many municipal water agencies have financial constraints that make it difficult to identify risk and develop security capabilities that are appropriate for their organization size," he says.

By EPA regulation, any water systems serving more than 3,300 people must conduct risk assessments, including cybersecurity assessments, and develop emergency response plans. But most do not have the money, and without the funding, the utilities are hard pressed to comply with regulations, Shaver says.

Related:Small US Cyber Agencies Are Underfunded & That's a Problem

The criticality of these systems and their relative lack of protection has government officials worried. In May, the EPA warned that Iran and Russia had stepped up their attacks on water systems in the United States, while the Cybersecurity and Infrastructure Security Agency (CISA) released a cyber-incident response guide for the water and wastewater sector earlier this year.

The May 2024 alert from the EPA noted that "water systems had inadequate risk and resilience assessments and emergency response plans ... [and] found significant failures in best practices, such as failure to change default passwords, use of single logins for all staff, and failure to curtail access by former employees."

US Needs More Investment in Water System Cyber Defense

Even with the current requirements, many water utilities are already failing to meet their cybersecurity obligations, Google Cloud's D'Souza says.

"Simply increasing regulations won't solve this problem, and merely highlights the financial constraints preventing utilities from adequately protecting critical infrastructure," he says.

Overall, the federal government needs to do more than offer regulations and best practices. In many respects, the water sector is no different than any other critical infrastructure sector with a great deal of operational technology, says Sean Arrowsmith, head of industrials at NCC Group, a cybersecurity consultancy.

"Generally, OT protocols were designed when security was not so much of a consideration but the devices and infrastructure they run is deployed for a long lifetime and now there are business drivers to collect data from them and converge OT with IT, which is where the security challenges arise," he says.

In addition, Arrowsmith says that the amount of legacy infrastructure and breadth of the attack surface area continues to make securing water infrastructure challenging.