Does running a water utility these days feel like playing a game of high-stakes poker? You can eke out some excellent small wins, but the cost of anteing up every year keeps rising and nobody seems to be replenishing your chips. You play the best hand you can with the cards you’ve been dealt, but you also know there’s a wild card somewhere in the deck waiting to drop that could up-end the entire game: the cybersecurity card.
It’s impossible to predict if a nefarious group of hackers will successfully infiltrate a US water utility network and cause serious damage, but based on the already existing attempts, it feels likely they will keep trying. Will it take a national crisis to compel action to prevent it on a large scale? Unfortunately, history tells us that the answer to this question is often yes. The Clean Water Act of 1971 only came about after 25 years of sewage trailing downstream from expanding cities, but once public opinion sharply shifted the conversation around pollution, it was enacted into law and the federal government stepped up, giving cities grants and low-interest loans to upgrade their struggling sewage infrastructure. Today, upstream and downstream, everyone is benefiting from those investments 50 years later.
We need that spirit of collective action to both shore up our existing water systems and meet the emerging challenges of the future (climate change and emerging contaminants like PFAs, to name but two), but the odds of that happening may be smaller than the chances of a ransomware group hacking into a rural wastewater system. Even though the scope of these issues can feel overwhelming at times, it doesn’t mean you shouldn’t prepare. Everything a water utility can do to shore up their cybersecurity will be worth it. The right small steps can make a big difference.
Have you heard the alarm bells ringing?
The EPA has been sounding the alarm. They’ve found critical cybersecurity vulnerabilities in over 70% of the water systems that they’ve examined since September 2023. They’ve joined forces with CISA and the FBI to raise awareness and ultimately try to compel water utilities to improve the security of both their hardware and software systems. As you may be aware, the EPA issued a memorandum in March 2023 with plans to fold cybersecurity assessments into sanitary surveys, but this was temporarily halted by the 8th Circuit US Court of Appeals in July and then withdrawn six months later. At the time, many water industry groups were subtly asking a very important question by participating in that litigious conversation: Yes, it's critically important, but who's going to pay for it?
This is a very legitimate response, one that comes to mind while reviewing the latest AWWA State of the Water Industry 2024 report, where 67% of water professionals surveyed said that cybersecurity issues are “very” to “critically” important. And yet, cybersecurity ranked 10th on the list of issues that utilities surveyed are currently addressing. Perhaps the lack of deep federal funding for beefing up security is a key reason that cybersecurity has rocketed up the list in importance, but action is still lacking. The truth is, compromises at this scale take time to iron out, and new wrinkles can be added when the political winds blow every two or four years, making continued progress towards shared goals difficult.
While it may be tempting to delay action until the money arrives, water professionals have something else to spend instead of money: their time. If you’re one of those people, you can begin to close the knowledge gap around cybersecurity for your own water utility by learning how to shut down the most likely attack vectors on your water system.
Peering into the cybersecurity knowledge gap
A 2021 CISA survey reportedly found that over 80% of major vulnerabilities were software flaws discovered before 2017, which suggests that many utility employees have been slow to update their software. If that sounds uncomfortably similar your workplace, it’s time to act.
Making headway against this challenge begins by following CISA’s Top Cyber Actions for Securing Water Systems, which contain a few simple changes you can make, such as avoiding the use of default passwords (change them regularly if you must use them), preventing staff from sharing sign-in credentials, and ensuring that former employees no longer have access to water utility systems.
Going further, you will need to learn how to conduct regular cybersecurity assessments and develop a cybersecurity incident response and recovery plan. CISA has a lot of resources for water utilities to follow around creating a plan, although it is unclear how many water utilities are taking advantage of these resources. The EPA has found that less than 25% of water industry operators are performing annual cybersecurity risk assessments.
As you move forward into the complexities of cybersecurity, it’s important to remember that even though you cannot stop every possible attack from every direction, every step you take to raise your security level will result in better preparedness.
What have we learned about cybersecurity from the cloud?
You may have noticed that, as time goes by, across almost all industries, SaaS solutions are slowly replacing older desktop-only software, which makes sense in an ever-connected and networked world, particularly one that embraces the promise of live digital twin style integrations and tapping into large datasets to benefit from AI, generative design, and advanced analytics. Autodesk has been on its own journey of cloud adoption over the last decade, and from our experience of building secure systems for our customers, there is a lot to be said for the cloud when it comes to software security. Our systems are not infrastructure that is critical to the entire nation, but we treat them that way because our customers must have faith that their work product is always safe and secure.
On our own journey of providing SaaS-based services, we quickly learned that there are important security benefits that come with the cloud that should not be overlooked. In fact, when you choose a software vendor, SaaS or otherwise, you should examine their services closely and, if necessary, put pressure on them to ensure they offer secure, compliant products that meet all of the security assurance certifications and authorizations you require. It may be easier to simply choose what meets minimum government requirements, but details related to cybersecurity should not just be a single checkbox on your list of tech requirements. You’ll want to dig in and fully understand every acronym.
What to look for when you’re looking at the cloud
Some of the problems around cybersecurity for the water industry arise out of the fact that too many water utilities have been saddled with the same legacy IT systems for many years, if not decades. While shifting away from desktop software to SaaS-based applications won’t solve every problem, now is a good time for water professionals to assess the software that they currently use and examine their fears of the cloud. If your utility isn’t using current software or performing regular cybersecurity monitoring, transitioning to a cloud-based system could be an effective way to protect your data, operations and assets for your community.
A big water security benefit of the cloud is your ability to rely on distributed infrastructure, particularly around the issue of resiliency. If you keep all of your tech on-premises, you have some resources if you have an outage, but the cloud allows you a much greater level of redundancy and resiliency. When you embrace the cloud, you gain the ability to host your data in multiple cloud datacenters that can be spread around the region, reducing your risk compared to working with on-premises back-ups. This is obviously helpful if your water utility ever happens to be in the path of a natural disaster.
Another water security aspect to consider is how the cloud can increase your visibility into cybersecurity concerns. When using cloud applications or cloud solutions, every activity is an API call, that is logged and monitored. All these granular activities can potentially be turned into extremely useful alerts and automation. If you want to protect yourself from an adverse event or have a specific security concern that you want to solve for, since every activity is tracked, you can programmatically set up your system to watch for specific threats, and even auto-remediate in some situations.
And, of course, the automation opportunities that come out of cloud solutions go much further than helping you be alert to bad actors. These cloud capabilities can help you simplify common tasks and reduce human error by creating scripts for repeated tasks like maintenance and deployments. This shift to the cloud is something that other industries and sectors, including the military and big banks, pioneered. We learned from their examples when we began our cloud journey, and we encourage those in the water sector to follow the lead of other industries who have built rock-solid cybersecurity practices to keep their own critical infrastructure safe.
Making friends with the infosec community
Adapting to cybersecurity threats won’t be easy, but it starts by gathering knowledge. There’s a lot to learn in a water utility’s cybersecurity journey, but there’s also a lot of people to learn from.
Do you know anyone in the infosec community? If you haven’t befriended an infosec enthusiast, you’re missing out on some excellent advice. You can start by watching from afar on social media, especially in places like Mastodon and Reddit, where the conversation around trends and exploits in the infosec community can go extremely deep. There are many, many groups of very smart people who care deeply about the issues of information security around the world who also love the challenge of digging in and solving both real-world and theoretical security problems. If you haven’t explored the landscape yet and want to join an established community, start by looking at ISSA or similar groups. They offer lots of support for very reasonable yearly dues.
Can’t afford anything on a public water utility budget? There are tons of excellent free resources that will only cost you and your colleagues a bit of time:
- Are you worried about your SCADA systems? Get a free Cybrary account and peruse Chris Kubecka’s ICS/SCADA Fundamentals course, which explains the fundamentals of critical infrastructure concepts.
- For the cost of a few clicks, you can learn the history of industrial cybersecurity through Mike Holcomb’ 20 hour+ free series on YouTube, Getting Started with Industrial (ICS/OT) Cyber Security, which will help you understand the fundamentals of how these environments operate and how to secure specialized networks.
- If you want to keep it strictly official, CISA has its own ICS Training Available Through CISA .
- If you’re running the IT department for a water utility – or just working in one – the SANS ICS Cybersecurity Field Manuals might just be the best-practice guides you’re looking for.
This just scratches the surface of the resources available to water professionals who are curious and want to go deeper than meeting the minimum requirements to tackle this very difficult subject.
Fortune favors the secure in this high-tech game
Will your water utility be attacked by an international cyber-terrorist group? Will a disgruntled former employee sow fear in the community by adjusting the chemicals in the water? It’s depressing to think that such events can even exist, that anyone would want to thwart the good work that water professionals do to safeguard one of the world’s most precious resources, but those are the stakes of the game right now.
Just like in the game of poker, the next card that drops will always be uncertain, although you do know that the dangerous card is in there waiting for you… somewhere. But also, just like in poker, you can be prepared when the cybersecurity card drops. After all, cybersecurity is also not a game of luck – it’s a game of skill.