A British water company experienced a criminal cyberattack earlier this month, prompting concerns about the vulnerabilities of water utilities as Europe endures a severe drought, informs The Wall Street Journal.
South Staffordshire PLC, which provides water to 1.6 million customers, said the attack involved unauthorised third-party access to their systems, but did not have an impact on their ability to provide safe water.
Johan Claessens, a security officer at Dutch utility Water-link, said a cyberattack can be particularly disruptive during drought, as companies do not have a competitor that can provide water to customers if necessary: “We don’t have the luxury to have suboptimal production for an extended period of time”. Hackers tend to take advantage crisis situations to pressure companies. Thus, attacking water companies during a severe drought would be akin to using ransomware against hospitals during the pandemic.
Last year a drinking water treatment plant in the city of Oldsmar, Florida, suffered an attack by hackers which attempted to change the amount of chemicals entering the water system.
Awareness of cybersecurity risks has grown in recent years as technology and digitalisation processes have transformed the water sector. However, managing cyber risks is often a challenge, specially for small water operators or public utilities with tight budgets. As Lee Forsgren, a former deputy assistant administrator for water at the U.S. Environmental Protection Agency (EPA), put it: “Frequently, the person who handles cybersecurity is the same person who operates the system and cuts the grass, so coming up with intricate technical solutions is going to be a challenge”.
The EPA is expected to issue a cybersecurity rule for critical water facilities, while experts from the water industry have called for increased resources for the EPA to address cybersecurity, including hiring experts and providing funding to utilities.
In Europe, the EU Agency for cybersecurity, ENISA, works to increase the resilience of critical infrastructure to cyber threats. But Evangelos Ouzounis, head of policy development and implementation, highlighted the difficulty of water providers to keep up with other sectors: “We deal with thousands of small companies in this field. That makes progress very difficult.”