Preventing Cyberattacks on Water Infrastructure

To get a preview of the next possible mass casualty terrorist attack, look no further than the town – and critical infrastructure – of Oldsmar, Florida. In what was surely a Sum of All Fears moment for government officials, a cyber intruder of unknown origin attempted to poison Oldsmar’s water supply on Feb. 5, 2021, by hacking the town’s water treatment plant. Using the remote access program TeamViewer – widely used by IT professionals to provide remote support – the hackers accessed the facility’s control systems and attempted to increase the amount of sodium hydroxide, safely used in minute quantities to reduce lead levels in water, to dangerous levels.

Luckily, an alert plant operator noticed the attack and stopped it, but the outcome could have been far worse. This isn’t the first time hackers have attempted to poison civilians through water infrastructure. Last year, Israel thwarted an assault attempt by Iranian hackers on the country’s control systems of wastewater treatment plants, pumping stations and sewers. In this case, the hackers tried to raise the level of chlorine to dangerous levels.

Cyber attacks on water plants aren’t new. Since the first known hacking attempt on an Australian water facility in 2000, numerous attacks against water utilities have been attempted. And in 2014, the Department of Homeland Security (DHS) warned that America’s nation-state adversaries were mapping U.S. water infrastructure.

For a number of reasons, U.S. water and wastewater utilities are juicy targets for hackers. While some countries, such as the UK, have a limited number of larger water utilities, the U.S. water sector is highly fragmented, with approximately 70,000 water plants, many of which are bare-bones, municipally-run operations. As a result, a lot of water utilities have only one or two IT professionals, no cybersecurity experts and precious little money available to develop any kind of robust cyber defense program.

Moreover, while cyber defenders traditionally have concentrated on threats to organizations’ IT networks, the real threat to critical infrastructure operators are their operational technologies (OT)—the complex industrial control systems (ICS) used to manage the generators, pumps, valves and other equipment used by water plants and other industrial operators. Historically, the OT remained separated, or airgapped, from the internal IT networks connected to the internet; however, with the advent of converged OT-IT networks this is no longer the case. In short, these industrial control systems are now connected to the internet, making them vulnerable to hacking. Despite their vulnerabilities, water utilities can still take a number of steps to protect themselves.

To start with, utilities should conduct regular risk assessments to identify possible security gaps. This will allow management to understand their cybersecurity risk profile and prioritize the order in which vulnerabilities are addressed. A number of free tools, such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, can help guide utilities’ risk assessments.

And since you can’t protect what you aren’t aware of, water utilities – indeed, any critical infrastructure operations – should regularly inventory their organization’s entire asset base. Performing this inventory can enable plant operators to discover and terminate internet connections that pose dangers to industrial control systems.

Water utilities could also consider removing the threat to their OT assets by keeping them strictly airgapped. Alternatively, utilities wishing to enable OT-IT integration safely can use unidirectional security gateways to ensure that while valuable data can flow from industrial control systems to outside networks, IT data is blocked from ever reaching the sensitive OT.

Fourth, water utilities – especially smaller water utilities where an IT manager may frequently provide remote support – can implement so-called secure access service edge (SASE) systems from companies that make accessing private apps simple and secure.

Finally, as information security professionals constantly repeat, simply using proper cybersecurity hygiene can go a long way toward making any organization more secure. Paul de Souza, founder and CEO of cybersecurity training nonprofit the Cybersecurity Forum Initiative, recommends starting with “the simple stuff; the basic blocking and tackling of cyber defense.”

This includes using two-factor authentication, frequently changing passwords, backing up your data, keeping software updated – including adding patches where necessary – and implementing cybersecurity training programs for employees, de Souza said.

Indeed, while it’s natural to think of cybersecurity threats as technical challenges that can be defeated by even better technical solutions, “the number of attacks that could be thwarted simply by training employees not to click on links or attachments of unknown origins is massive,” de Souza added. Indeed, the fact that the hacked TeamViewer credentials were possibly stolen through a successful phishing or social engineering campaign amply demonstrates the value of increasing employees’ awareness of lurking cybersecurity threats.

To be clear, even implementing all these steps isn’t a panacea, and determined hackers can still breach even the best defenses. Taking these steps, however, will still go a long way toward keeping our precious water resources from becoming the vector for a catastrophe.

Recent Articles By Author
Featured eBook
The Dangers of Open Source Software and Best Practices for Securing Code

The Dangers of Open Source Software and Best Practices for Securing Code

More and more organizations are incorporating open source software into their development pipelines. After all, embracing open source products such as operating systems, code libraries, software and applications can reduce costs, introduce additional flexibility and help to accelerate delivery. Yet, open source software can introduce additional concerns into the development process—namely, security. Unlike commercial, or … Read More