At the end of 2023, news broke of a cyberattack on Aliquippa’s municipal water system, which serves 6,615 customers in western Pennsylvania. The hackers, claiming to belong to an Iranian cyber guerrilla group, managed to shut down a pump on a supply line providing drinking water from the Aliquippa Municipal Water Authority’s treatment plant to Raccoon and Potter townships, forcing the water utility to switch to manual systems. The incident was followed not long after by a cybersecurity breach targeting Veolia North America, the service provider managing the water system of the city of Rahway, New Jersey. That same week, the private UK utility company Southern Water also revealed that cybercriminals had broken into its IT systems, stealing data.
The water and wastewater industry is increasingly a target of cybercriminals, a concern confirmed by a new Moody's Investors Service report released on Monday. According to the report, as covered by the news service Inside Cybersecurity, water and wastewater utilities are increasingly becoming targets for malicious cyber actors. Moody’s explains that this is because digital components are becoming more widespread and insecure operational technology is raising the potential for cyber-physical attacks.
“The water sector's exposure is rising as the sector is becoming increasingly digitalised through the installation of data logging equipment and smart meters, a trend we expect to continue given the need to reduce per capita consumption. Greater digitalisation introduces new vectors of attack for malicious actors, for example, pivoting an attack from the third party vendor used to provide some of the digitalisation services,” Moody’s highlights in its report.
According to Moody's, the primary threat facing water services involves the potential infiltration of operational technology (OT) systems by malicious actors, resulting in the disruption of drinking water or wastewater treatment facilities. While water and wastewater entities commonly employ the practice of "air gapping" to isolate OT from their IT systems as a security measure, Moody's warns that this approach can still be undermined by other cybersecurity vulnerabilities. Furthermore, organizations aiming to enhance operational efficiency by integrating IT and OT systems more closely may inadvertently heighten perimeter vulnerability, as underlined in the report.
Moody’s underscores the sophisticated nature of nation-state cyber threats targeting the water sector. According to the report, attacks orchestrated by nation-states pose heightened risks due to their substantial funding and extensive expertise, often aiming for nonfinancial gains by disrupting various sectors of the economy. In contrast, the report suggests that larger, investor-owned utility companies are typically better equipped to allocate resources towards specific cyber defences and implement effective mitigation strategies compared to smaller entities.
In the aftermath of the cyber-attacks on the water sector linked to Iran, the Environmental Protection Agency (EPA) is advocating for water sector entities to voluntarily integrate fundamental cyber measures into their planning and operational processes. This recommendation comes after the EPA released a memorandum in March 2023 stressing the need for states to assess cybersecurity risk at drinking water systems to protect public drinking water. The memorandum was later challenged in court by three states and two trade groups and was subsequently withdrawn in October 2023.
Other actors in the United States are also working to mitigate the cyberattack risks facing public water and wastewater systems. The West Virginia Department of Health (WVDH) confirmed on Monday, in a press statement, a surge in cyberattacks on water systems and said it was proactively addressing the issue. It highlighted that such attacks have the potential to disrupt water treatment and distribution, compromise email communications, pilfer customer data, or introduce malware or ransomware that could compromise process controls.
The efforts of organizations like the West Virginia Department of Health reflect a recognition of the growing threat posed by cybercriminals to the water and wastewater industry, underscoring the collective urgency in safeguarding critical water infrastructure against cyber threats.