In January of 2024, several water and wastewater plants in Texas were targeted by hackers, later linked to a Russian group, who gained access to certain supervisory control and data acquisition (SCADA) systems. Fortunately, consequences were limited: the worst impact was a water tank in Muleshoe which overflowed for less than an hour before being brought under control. However, these attacks are representative of a deeply insidious threat to water infrastructure.
Cybersecurity concerns regarding critical infrastructure, like the drinking water that 80% of the U.S. population relies on, are on the rise. A recent report from the Environmental Protection Agency Office of Inspector General (EPA OIG) highlights the urgency of the risks to water systems. Addressing these threats is crucial in order to safeguard drinking water systems, protect public health, and maintain economic stability.
The Current Landscape
The EPA report analyzed 1,062 drinking water systems, serving almost 200 million people, to assess them for cybersecurity vulnerabilities. Of these systems, 97 were found to have either critical or high-risk cybersecurity vulnerabilities, while another 211 were identified as having medium and low-risk vulnerabilities, such as those with externally visible open portals.
These risks, from low to critical, have the potential to severely impact water infrastructure across the country. According to the EPA OIG, threat actors exploiting these vulnerabilities could cause service disruptions, physical damage, and compromised water quality, endangering drinking water for millions of people.
Previous attacks on water utilities, both within the U.S. and otherwise, have resulted in a wide range of consequences. Some have experienced data exfiltration, compromised OT forcing temporary manual overrides, and outages in customer service, customer account systems, billing, and water service.
Potential Consequences of Water System Attacks
The consequences that could arise from a severe attack on a water system are catastrophic. The risks to public health are prevalent, as altered chemical levels or water contamination could harm communities. “If wastewater is manipulated to create sickness and pollution in local waterways you then introduce large scale sickness and impact in major areas. Very quickly, entire regions can be tossed into dangerous life threatening situations where critical infrastructure is threatened and lives at risk just by not having drinkable water,” says Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit.
Major attacks can also have extreme economic implications. Water service disruptions can take a significant financial toll: the EPA report estimates that “a state-wide water service disruption could potentially cost at least $61 billion in lost revenue per day.” Similarly, a potential outage in the counties surrounding Charlotte, North Carolina could lead to a lost revenue cost of $132 million each day.
Beyond the financial and public health impacts, water system attacks can have far-reaching impacts on other areas of critical infrastructure. Disruptions to water systems will necessarily have cascading effects on sectors like healthcare and agriculture, where access to clean and safe water is crucial and even hours without water can lead to serious delays in essential processes.
Gaps in Cybersecurity Oversight
The water sector struggles with cybersecurity oversight in a number of ways, making it difficult to protect against threats. “Critical infrastructure suffers the challenge of ageing technology that is more likely to be vulnerable, a general lack of cybersecurity support,” and “the need to maintain uptime,” which often interferes with effective patching and threat mitigation, according to Casey Ellis, Founder and Advisor at Bugcrowd, a San Francisco, California-based leader in crowdsourced cybersecurity.
Currently, there is no EPA mechanism for reporting vulnerabilities or cybersecurity incidents; instead, water system security reporting relies on the Cybersecurity and Infrastructure Security Agency (CISA). This lack of dedicated reporting capabilities is worsened by the absence of formal procedures for responding to water-sector cyber incidents.
While there are a number of regulations in place pertaining to the safety and accessibility of public drinking water systems, the OIG report found that the EPA’s oversight of these requirements was lacking in both enforcement and assistance. The challenges that the EPA faces in adequately enforcing water system safety and security are not easily fixed, but steps must be taken to improve in this area.
Recommendations for a More Secure Future
In order to address the threats pervading water infrastructure, it is vital for steps to be taken at several levels. Developing a National Cybersecurity Strategy to provide a unified plan tailored to the water sector could mitigate risks and offer structure for improved remediation of vulnerabilities and reporting of incidents.
Strengthening legal and regulatory frameworks is also important, as expanding the EPA’s authority and resources will allow them to more effectively address cybersecurity concerns. This requires legislative support to enact EPA recommendations and enable sufficient oversight, assistance, and enforcement for all water system regulations.
It is also essential to encourage innovation and investment in securing water infrastructure. Emerging and evolving technologies can be leveraged to improve the security of water systems, and increased funding can empower decisionmakers to take steps to protect water infrastructure. Government, private sector, and local water utilities must collaborate and form partnerships to efficiently ensure the secure management and protection of these systems.
Public awareness is another significant aspect of protecting critical infrastructure against cyberattacks. It is crucial to engage and educate communities to understand the importance of cybersecurity in safeguarding essential services. Cybersecurity is always a group effort, and preventing attacks on critical infrastructure requires awareness and effort at all levels.
Conclusion
Water infrastructure systems, like many critical areas, are at risk of attacks from bad actors, and the measures currently in place are insufficient for protecting them. A lack of reporting, accountability, enforcement, and security makes it challenging to remediate vulnerabilities and prevent threats. It is urgent for policymakers, government agencies, and private water system owners to work to address the pressing cybersecurity vulnerabilities in water infrastructure to ensure the safety, health, and prosperity of future generations.