Navigating choppy waters: challenges in securing water infrastructure

© González-Cebrián/SWM.

Water scarcity and insecurity is a global problem. Many countries struggle with access to clean and safe water for drinking, growing crops, and providing basic hygiene. The problem is not just limited to countries with environmental, developmental, and geographical challenges.

Many industrialized nations also struggle with poor water treatment and sewage systems, and with infrastructure that leaves citizens without adequate access to clean water. In fact, the statistics from the UNICEF Water, Sanitation, and Hygiene (WASH) program are staggering: two billion people live in areas where water supply is inadequate, and half of the world’s population could be living in regions facing water scarcity by 2025. Inadequate cybersecurity for water systems threatens to make this problem worse.

Published in SWM Print Edition 22 - June 2024

Unfortunately, critical infrastructure is an attractive and often profitable target for hackers, as evidenced by a recent string of ransomware attacks, including, notably, the one in which an Iranian-linked cyber group obtained partial control of the city of Aliquippa’s water system. The essential role of water in everyday life renders water systems appealing and prone to cybersecurity attacks from threat actors (such as China’s Volt Typhoon) motivated by activist causes, financial gain, national interests, or other objectives. Interrupting the delivery of water services can result in widespread fear and chaos, or worse yet, contamination of the water supply affecting the life, safety, and health of citizens.

Why is water an attractive target?

There are several reasons why water systems, particularly in the United States, have evolved into such an attractive target for hackers.

A challenging governance and funding model

Water systems are often overseen by public agencies funded by local governments and ratepayers. These systems are directed by locally elected officials who are juggling the needs of citizens with the reality that cyber threats must be considered alongside other priorities, including their political survival. Municipal water systems are especially at risk as funding for priorities is further limited as the population shifts away from economically depressed communities. Ratepayers (and their political representatives) are highly resistant to rate increases, even when in pursuit of improved service delivery or water quality, and funding options often depend on raising rates or issuing debt in the form of bonds. However, credit agencies like Moody’s are adjusting credit ratings commensurate with cybersecurity exposures, warning investors about the risks they are assuming when buying municipal bonds or other debt-based instruments. In fact, investor-owned water systems face similar budget constraints, often spurred on by the political will of shareholders.

The role of technology modernization

Water systems, especially smaller ones, routinely operate with industrial control systems (ICS) that comprise a mix of legacy and advanced operational technologies operating side-by-side. But legacy technologies do not typically lend themselves to industry-best cyber hygiene and hardening practices. These limitations impede cybersecurity improvement, make water systems harder to operate and defend, and increase the over-dependence on human know-how and intervention — which can result in an “if it ain’t broke, don’t fix it” mentality that deprioritizes cybersecurity investments.

Increasing exposure to third-party risk

Large and small water systems alike share the challenges brought about by dependence on external partners and vendors, expanding their “circle of trust” and increasing risk exposure from remote access and data proliferation. Municipal and investor-owned systems may also embrace advanced technologies that require significant use of vendor-operated Internet- and cloud-based architectures. The result is an expanded threat landscape and increased exposure to malware and Internet-based attacks like ransomware. Efficiencies are gained, but more resources are needed to counterbalance increasing risk inheritance, a particularly high burden for already-constrained smaller systems.

What solutions do we have?

The velocity of attacks on critical infrastructure systems, especially water systems, is not abating. In 2021 and 2022, Axio published the results of research studies aiming to characterize the general state of organizational readiness to combat the evolving — and now pervasive — ransomware threat. Using cross-sector critical infrastructure data collected from the Ransomware Preparedness Assessment (part of the Axio360 suite of cyber risk management tools), Axio researchers established a key persistent and durable theme over three years of analysis: success in managing ransomware intrusion and organizational impact is largely affected by the degree to which organizations implement and institutionalize the most fundamental cybersecurity capabilities. These foundational capabilities include managing privileged access credentials, reducing exposure to supply chain and third-party risk, improving incident response, addressing known vulnerabilities in a timely manner, and performing necessary hardening of technology assets and networks — all supported by a cybersecurity-aware culture. It’s imperative to consider that these capabilities are essential to all cybersecurity programs and provide the solid ground on which durable cybersecurity postures can evolve over time to meet current and future threats.

Water owners and operators cannot transform the sector’s cybersecurity posture on their own. Indeed, cybersecurity is a team sport, and it requires collaboration between utilities, government, advocacy organizations, and other stakeholders. Recently, in testimony to the U.S. House Committee on Energy and Commerce regarding the cybersecurity of America’s drinking water systems, Kevin Morley, Manager – Federal Relations for the American Water Works Association (AWWA), argued that a multi-pronged approach to sector cybersecurity improvement is warranted. The testimony asserts that a collaborative approach to improving cybersecurity risk management for water systems can build on the successes of the electricity sector by creating a federally authorized but independently operated entity to lead the development of cybersecurity requirements for the water sector.

Recent advances have been made toward this reality. Congressional representatives are working on a bill that would empower the United States Environmental Protection Agency (EPA) to establish cybersecurity standards and certify a non-government organization to oversee compliance, mirroring the electricity sector’s implementation of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (NERC-CIP) standards. However, such collaborations take many years to develop, implement, and operate effectively, and can be costly to organizations that are bound to comply.

For water, this governance model would be approved and overseen by the United States Environmental Protection Agency (EPA), encouraging a “shared responsibility that benefits from direct engagement and operational knowledge of owners/operators and the accountability that comes with federal oversight.” While shared governance models can appear regulatory in disguise, they often act as market correctors, such as the improvement in vehicle crashworthiness realized by the efforts of the National Highway Traffic Safety Administration. Recent rulings by the Securities and Exchange Commission regarding cybersecurity disclosure will certainly force additional improvements by investor-owned and publicly traded organizations but won’t necessarily drive improvement in smaller organizations.

Additionally, the role of information sharing is front and centre. Better collaboration between the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the EPA, and water sector organizations such as the Water Information Sharing and Analysis Center (Water ISAC) and the Water Sector Coordinating Council (WSCC) is needed to ensure timely dissemination of clear and actionable threat and vulnerability information in a format quickly digestible by owners and operators, sufficiently in advance of known attack campaigns. 

Finally, improving cybersecurity programs and the resistance of water technologies to attack is vital to advancing the cybersecurity posture of the water sector. As Morley notes, common frameworks such as the NIST Cybersecurity Framework (NIST CSF) are useful, but not necessarily scalable to the wide range of organizations operating our nation’s water infrastructure. To this end, AWWA offers a sector-specific and tailored tool for the assessment of cybersecurity controls that can be right-sized to fit the operational scope of water sector organizations, consistent with NIST CSF content but pragmatic in application. Continued investment and research into tools and technologies that address the inherent cybersecurity weaknesses in the systems and devices that operate water systems are imperative.

The rapid rise in attacks on water systems will not soon diminish as the barriers to attack success are few and the potential rewards are great. Whatever the motive, the cybersecurity posture of water systems across the board is dependent on evolutionary change in how they are funded, operated, maintained, and architected. Incremental changes have the potential to be force multipliers in the degree to which water systems are more resilient to and able to recover from attack vectors such as ransomware. The will to improve — especially as the water sector emerges as a headline-making target — constitutes an important first step in ensuring the mission of water systems is preserved under rapidly changing operating conditions that are increasingly subject to the will of outside actors.