The water and wastewater sector plays a crucial role in health and public safety, as it is responsible for delivering clean drinking water and properly treating wastewater for communities worldwide. A compromise of these systems can lead to the contamination of water supplies, causing potential harm to individuals, and widespread public health risks. In recent years, we’ve seen the water and wastewater sector become increasingly targeted by cyberattacks, threatening its ability to deliver clean water to communities. As the complex control systems and networks in water and wastewater facilities become further interconnected, it is imperative that these organizations implement the proper cybersecurity measures to ensure cyber and operational resilience. Given the cyber exposure of critical infrastructure globally, now is the time to implement cybersecurity for water and wastewater facilities to ensure their cyber-physical systems (CPS) are protected.
The mission of water and wastewater cybersecurity is to protect the industrial control systems (ICS) that provide water to citizens worldwide. Safe drinking water is vital to the stability and health across the globe, and properly treated wastewater is essential for preventing disease and protecting the environment. According to the Cybersecurity & Infrastructure Security Agency (CISA), “there are approximately 153,000 public drinking water systems and more than 16,000 publicly owned wastewater treatment systems in the United States. More than 80 percent of the U.S. population receives their potable water from these drinking water systems, and about 75 percent of the U.S. population has its sanitary sewerage treated by these wastewater systems”.
These statistics show the significant damage a cyberattack could inflict on the population, with the potential to disrupt services, impacting public health and the economy, or worse, to cause illness or even casualties in extreme cases. With the proper cybersecurity measures in place, water and wastewater facilities can protect public health, maintain operational continuity, secure their critical infrastructure, preserve sensitive information, comply with industry standards and regulations, and keep pace with the evolving cyber threat landscape.
Among the 16 critical infrastructure sectors identified by CISA, water and wastewater faces some of the most unique challenges. Although there are several large water and wastewater corporations, the majority are smaller entities that operate at the county, municipality, or township level. As a result, many of these facilities are at a distinct disadvantage when it comes to cyber know-how, control environments, and staff to protect the facility. Asset owners and operators are mainly focused on operations, infrastructure upkeep, regulatory compliance, and revenue generation — leaving cybersecurity at the bottom of their priority list compared to basic operational needs. Here are three of the major cybersecurity vulnerabilities that water facilities face:
Water and wastewater utilities are inherently geographically dispersed, with facilities and devices located across the area they serve. The large physical footprint, combined with the company’s rapidly growing infrastructure to support population and business growth in the region, has resulted in inconsistent documentation of OT assets and a lack of full visibility into the OT environment needed to detect potential threats and vulnerabilities and mitigate risk.
Many of the facilities and systems used by water and wastewater companies are unmanned. Employees and third-party vendors access these systems to perform remote maintenance and gather operational data. Systems, switches, and controllers may be compromised if the authorized parties’ systems are infected with malware, their access credentials have been stolen, or they otherwise fail to uphold adequate security hygiene. Further exposing these systems to risk, the company had no way to ensure that only authorized parties were accessing the appropriate systems and making agreed-upon changes.
Under America’s Water Infrastructure Act (AWIA), utilities that provide drinking water must conduct risk and resilience assessments and revise emergency response plans. These changes require a detailed understanding of their OT network in order to meet the U.S. Environmental Protection Agency (EPA) deadline in 2020. The water provider needed additional visibility and data to comply with the new mandate.
The threat landscape is constantly evolving and expanding, with cybercriminals increasing in sophistication and seeking out new vulnerabilities to exploit. If water and wastewater cybersecurity is not properly addressed and enforced, companies will find it difficult to protect their critical infrastructure from attacks. In the next section we will discuss what can happen to critical infrastructure if robust security solutions are not put in place.
Water and wastewater facilities have recently fallen victim to several attacks targeting critical infrastructure. The sector’s significant exposure to remote attackers and malicious insiders who can tamper with critical processes has put public safety at risk. Here are two examples of major attacks:
A series of coordinated attacks attempted to take control of the systems of wastewater treatment plants, pumping stations, and sewage infrastructure in Israel. Thankfully, the attacks were thwarted, and the organizations affected were ordered to change their network passwords, reduce their network connections, and ensure all software was updated to the latest version. Following the attack, there was particular concern over the systems related to chlorine control due to the risk of water contamination. Had the attack been carried out successfully, this contamination could have severely impacted the safety of Israeli citizens consuming drinking water. This attempted attack against the Israeli water supply highlighted the importance of cybersecurity for water and wastewater facilities, which can at times elude the public’s attention as a major source of risk. The combination of legacy systems, growing connectivity, and federated management in many water and wastewater facilities warrants a high prioritization of cybersecurity for the sector on a global level.
Supervisory Control and Data Acquisition (SCADA) systems are commonly used in water and wastewater facilities for process control and monitoring. Although specific incidents are not always publicly disclosed, these systems have been targeted in various cyberattacks. For example, at an unnamed California facility, threat actors had access to the affected systems for a month, according to the advisory, before a variant of the Ghost ransomware was discovered when three SCADA servers displayed a ransom note. Similarly, a Nevada facility was attacked. The advisory did not name the ransomware used in the attack, but stated that the incident affected the victim's SCADA system and backup systems. These incidents illustrate the vulnerabilities in these systems and how difficult they are to mitigate, leaving attackers a lengthy window of opportunity to take advantage of.
The need for OT asset visibility and controls around remote access to industrial facilities has never been greater. In the next section, we will discuss the major regulations and standards in the water and wastewater sector that have been created to defend the world's critical infrastructure from cyber threats.
Given the cyber exposure of critical infrastructure worldwide, governments and regulatory bodies have taken steps to address the challenges and needs of cybersecurity for water and wastewater facilities. Here are a few of the regulations and standards shaping the industry:
AWIA was enacted by the United States Congress to address the challenges and needs of the Nation’s water infrastructure. Among other objectives, AWIA aims to enhance the resilience and security of water utilities against cyberattacks. Some of the key provisions include conducting risk assessments and developing or updating emergency response plans (ERPs) to include cybersecurity. With these updates, the U.S. government intended to emphasize the importance of identifying vulnerabilities and establishing strategies to effectively respond to incidents if, and when, they do occur. By incorporating these provisions, water facilities can mitigate cyber threats and ensure their critical infrastructure is protected from attacks.
The NIS2 Directive focuses on improving the security of networks and information systems across Europe. It includes requirements for critical infrastructure organizations, including water and wastewater, to implement appropriate measures to prevent, detect, and respond to security incidents. By ensuring these key areas of compliance are addressed, organizations can protect their network and information systems from cyberattacks and ensure their compliance with the NIS Directive. The directive was created in response to the growing threats posed by digitization and the surge in cyberattacks against critical infrastructure. NIS2 expands on the original NIS Directive issued by the EU and is intended to raise the level of cybersecurity throughout Europe over the longer term.
Aside from America’s Water Infrastructure Act, the EPA enforces several other regulations related to protecting water and wastewater facilities. Two major regulations it has established are the Clean Water Act (CWA) and the Safe Drinking Water Act (SDWA). CWA regulates the discharge of pollutants into U.S. waters and sets quality standards for surface waters, while SDWA establishes standards for the quality of drinking water. Both of these acts help ensure that water and wastewater facilities implement the right cybersecurity measures to safeguard their critical infrastructure from cyberattacks. As we mentioned earlier, many facilities find it challenging to comply with regulations, and non-compliance can result in penalties and enforcement actions. The EPA often incentivizes water and wastewater utilities to prioritize cybersecurity and implement the proper measures to protect their systems; however, with limited resources and continuously updated regulations, it can be difficult for them to incorporate these frameworks.
The Australian government created a framework for the regulation of eleven critical infrastructure sectors, including water and wastewater. The SOCI Act introduced a new obligation for responsible entities to create and maintain a critical infrastructure risk management program. Additionally, it introduced a new framework for enhanced cyber security obligations required for operators of systems of national significance. The reforms intend to make risk management, preparedness, prevention, and resilience business as usual for the owners and operators of critical infrastructure assets. This act also seeks to improve the information exchange between industry and government to establish a more comprehensive understanding of threats. Compliance with SOCI will help keep the critical infrastructure that underpins Australia's economy and society safe.
Following incidents at Colonial Pipeline, JBS Foods, and other high-profile critical infrastructure attacks, the Biden-Harris Administration announced that it will extend the ICS Cybersecurity Initiative to the water sector. Similar to the initiatives for the electric and natural gas pipeline sectors, The Water Sector Action Plan is a collaborative effort between the federal government and the critical infrastructure community to deploy technologies and systems that provide cyber-related threat visibility, indicators, detections, and warning. The EPA and CISA will also participate in this initiative by working with water utilities on a pilot program for ICS monitoring and information sharing. This collaboration between WSCC, CISA, and EPA will promote cybersecurity monitoring to the entire sector. By modernizing cybersecurity defenses and improving information-sharing between the U.S. government and the private sector, this Executive Order will help protect the American people and American interests against cyber threats.
Increasingly, water and wastewater facilities have suffered significant exposure within the sector to remote attackers and malicious insiders who can tamper with critical processes and put public safety at risk. As a result, facilities require a plan to minimize control system exposure, identify and remediate software vulnerabilities, lock down remote access to systems, and conduct risk assessments. To ensure business continuity, adequate threat intelligence, and compliance with regulations, water and wastewater facilities implement the following cybersecurity solutions to protect their critical infrastructure:
Claroty’s xDome: Claroty xDome is a modular, SaaS-powered industrial cybersecurity platform that scales to protect the environments of water and wastewater facilities and helps fulfill their cybersecurity goals as they evolve. xDome was designed for scalability, flexibility, and ease of use regardless of network size, architecture, or diversity of users — helping water and wastewater facilities solve the challenge of remote, unmanned facilities. With employees and third-party vendors accessing the systems to perform remote maintenance and gather operational data, xDome ensures that remote connections are secure. xDome also integrates seamlessly with existing security solutions to extend cybersecurity controls and operational infrastructure to your industrial environment.
Claroty’s Continuous Threat Detection (CTD): CTD can provide water and wastewater facilities with full-spectrum OT, IoT, and IIoT visibility, continuous security monitoring, and real-time risk insights with no impact on operational processes and underlying devices. By supporting the full CPS cybersecurity journey from asset discovery to network integration and optimization, water and wastewater facilities can identify threats and vulnerabilities in their OT network to mitigate risk and assure the continued operation of critical processes. By seamlessly integrating with existing IT security infrastructure and workflows, and continuously detecting anomalies, known and emerging threats, and zero-day attacks, CTD provides water and wastewater facilities with the tools they need to comply with industry regulations and standards — allowing for a strong overall security posture.
Claroty’s Secure Remote Access (SRA): Our SRA solution safeguards ICS from threats introduced via unmanaged and/or unmonitored access by remote users, including third-party vendors, contractors, and technicians. This solution is purpose-built for OT and provides user provisioning, role- and policy-based access controls, alerting, and the capability to audit, investigate, and terminate potentially malicious remote sessions. An SRA tool like Claroty’s is a necessary requisite for facilities whose critical assets are connected online, allowing staff and third parties to access systems and do their jobs from wherever they are. SRA also gives water and wastewater facilities the tools they need to comply with the AWIA mandate, supporting the risk and resilience assessment the new requirement calls for.
The water and wastewater sector is charged with delivering a safe and reliable supply of water to citizens worldwide. As the XIoT continues to grow, creating a larger attack surface for cybercriminals, water and wastewater facilities must enhance cybersecurity across their critical infrastructure. By ensuring full visibility across the environment and achieving secure OT remote access, companies can strengthen their cyber and operational resilience and protect their vital infrastructure from cyberattacks.