The cybersecurity landscape for our nation’s infrastructure is evolving rapidly, especially so when it comes to protecting water and wastewater facilities and infrastructure.
Water facilities – which are essential to the public’s health, safety and well-being – feature unique vulnerabilities and the sheer impact of a water facility being taken down by an attack is immeasurable. Water facilities can have a cascading effect on agriculture, fire service, sanitation, hospitals and power plants. That’s why STV and its growing team of cybersecurity experts, in partnership with our water market leaders, are working closely with our clients to walk them through the process and tactics needed to enhance their cyber resilience against the myriad of threats, such as cyber-terrorism and ransomware attacks, against their facilities.
According to the American Water Works Association (AWWA): “Government intelligence confirms the water and wastewater sector is under a direct threat as part of a foreign governments intrusion campaign, and individual threat actors and groups threaten the security of our nation’s water and wastewater systems’ operations and data.”
Following the 2013 issuance of Executive Order 13636 – Improving Critical Infrastructure Cybersecurity – and the development of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the AWWA initiated its own project to address specific, step-by-step guidance for protecting water sector process control systems from cyberattacks. The resulting AWWA Water Sector Cybersecurity Assessment Tool is a voluntary, sector-specific approach for adopting the NIST Cybersecurity Framework. The goal is to provide water utility owners with a repeatable assessment tool and recommended course of action to reduce vulnerabilities to cyberattacks.
Additionally, the Federal Register Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements and a recent EPA enforcement alert give the federal government broad authority to ensure protection over critical infrastructure by mandating compliance. These policies seek to make vital systems more resilient by protecting them from the public-facing internet, implementing robust redundancy and backups for OT/IT systems, and initiating password complexity, audits and cybersecurity training.
However, even with this framework established, implementing these actions is not without significant challenges for water utility owners. Due to budgetary constraints and other factors, water facilities often lack dedicated cybersecurity teams and resources, as well as the ability to train staff accordingly. This shortage of in-house expertise creates a gap in cybersecurity skills that, in turn, can make it easier for attackers to target and ultimately breach digital systems in these facilities.
Additionally, many water and wastewater facilities operate using legacy systems that were not designed with modern cybersecurity threats in mind. Much of the technology was built without consideration for being connected to a network, much less the Internet. The systems are quite resilient to chemical vapor, water incursion, dust, etc., but may be 10+ years out of support by OS vendors. Likewise, many of the field sensors may use wireless technology that is quite robust in terms of getting the data out in a noisy RF environment but lacks encryption or authentication, making it vulnerable to command injection and replay attacks. This reliance on outdated technology creates numerous security gaps that attackers can exploit.
Despite some of the efforts by agencies such as DISA and the Infrastructure Protection Agency being called into question by recent court rulings, the Safe Drinking Water Act (America’s Water Infrastructure Act Section 2013: Risk and Resilience Assessments and Emergency Response Plans, US EPA) is law, which means utilities are mandated to conduct assessments of their systems and secure those systems to industry best practices. Operators are also supposed to submit an attestation that they are doing all the right things they should be.
As part of larger industry efforts to both expand capacity and enhance technology at these facilities, STV’s team of planners, designers and engineers, and project delivery professionals works closely with our clients and communities to create modern award-winning water and wastewater facilities across the country. Through these relationships, our cybersecurity team can provide additional value to a water/wastewater program.
Our team features experts with nearly 30 years of experience in cybersecurity testing and cyber operations, focusing on embedded systems, testing and applications. Our team strives to serve as trusted partners to our clients, providing them with dedicated guidance and walkthroughs on policies and standard operating procedures, as well as immersive training so that they have the tools and capabilities to own this process for themselves.
One of the core tenets of our approach is collaborating with a water utility owner and helping them know their exposure level. That includes auditing systems to gain a full understanding of how they are digitally connected (i.e., radio or RF control), whether a VPN and 2FA are required to access them, and identifying all of the accounts with the credentials to access these systems (and whether those credentials have been changed or updated when an individual’s role changes or they leave the utility). This then leads to account and password audits to ensure that common, easily guessed credentials and default credentials aren’t used in a production environment.
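The account and password audit described above, sketched as an added example (it is not STV's tooling or code from the original article). The inventory, account names, record fields and weak-password candidate list are all constructed assumptions; a real audit would read them from the utility's own directory and access records.

```python
import hashlib
from datetime import date

# Constructed candidate list of default / easily guessed passwords (assumption).
WEAK_CANDIDATES = ["admin", "password", "1234", "operator"]

def pw_hash(password, salt):
    # Salted PBKDF2-SHA256, standing in for whatever format the system stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def audit_account(acct):
    """Return the list of findings for one account record."""
    findings = []
    if not acct["mfa"]:
        findings.append("no-2fa")
    if acct["remote"] and not acct["vpn_required"]:
        findings.append("remote-access-without-vpn")
    # Credentials must be rotated after a role change or a departure.
    changed = acct["holder_changed"]
    if changed and acct["password_set"] <= changed:
        findings.append("not-rotated-after-" + acct["holder_status"])
    # Compare the stored hash against each weak candidate, using the account's salt.
    if any(pw_hash(c, acct["salt"]) == acct["hash"] for c in WEAK_CANDIDATES):
        findings.append("default-or-guessable-password")
    return findings

def audit(inventory):
    """Map account name -> findings, omitting accounts with none."""
    report = {a["name"]: audit_account(a) for a in inventory}
    return {name: f for name, f in report.items() if f}

def _acct(name, password, salt, **overrides):
    # Builds a constructed record; every field name here is hypothetical.
    base = dict(name=name, salt=salt, hash=pw_hash(password, salt), mfa=True,
                remote=False, vpn_required=True, holder_status="active",
                holder_changed=None, password_set=date(2024, 1, 10))
    return {**base, **overrides}

# Constructed inventory for illustration only.
INVENTORY = [
    _acct("scada-hmi-admin", "admin", b"s1", mfa=False),
    _acct("plc-eng-jdoe", "T7#unique-phrase", b"s2", remote=True, vpn_required=False),
    _acct("historian-svc", "x9!unique-phrase", b"s3", holder_status="departed",
          holder_changed=date(2024, 6, 1)),
    _acct("ops-asmith", "q4$unique-phrase", b"s4", remote=True),
]

if __name__ == "__main__":
    print("\n".join(f"{n}: {', '.join(f)}" for n, f in audit(INVENTORY).items()))
```

Checking candidates against the stored salted hashes lets the audit find default credentials without anyone handling plaintext passwords.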
From there, we can partner with the utility to create a fully developed and adaptable cybersecurity plan, which will aid an organization well into the future.
Currently, the list of municipalities that have enacted robust cybersecurity planning is disparate and mostly consists of clients who have received federal grant money to develop these programs, or organizations that have already been breached and are now developing standards and procedures reactively. However, in the coming years, these voluntary improvements are expected to become mandates, especially in light of the federal Cybersecurity & Infrastructure Security Agency’s 2023-25 Strategic Plan, which provides a blueprint for how the agency will create more uniformity for cybersecurity and resilience across all of our nation’s infrastructure. That’s why it’s prudent for water utilities to be proactive and act now to protect their infrastructure against the growing wave of threats and bad actors.