The water and wastewater sector faces a rising tide of cybersecurity threats. Recent events such as the ransomware attack on the North Texas Water District highlight the growing focus of nation-state actors and malicious groups on water treatment facilities. This blog post examines the current state of cybersecurity in the water sector, along with US government initiatives aimed at raising awareness and improving cyber defenses.
A Perfect Storm: Vulnerabilities and Malicious Intent
The water sector faces a unique challenge: aging infrastructure and a growing adoption of internet-connected technology to improve efficiency and monitoring. This convergence creates a landscape ripe for exploitation, with outdated systems lacking robust cybersecurity protocols.
Compounding the problem is the growing interest of state-backed actors. “Disabling cyberattacks are striking water and wastewater systems throughout the United States. These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities,” National Security Advisor Jake Sullivan and EPA Administrator Michael Regan wrote in a March 18, 2024, letter sent to all state governors.
The letter revealed that the PRC-sponsored group “Volt Typhoon” has been silently inserting itself into critical infrastructure sectors using living off the land (LOTL) techniques to avoid detection. As noted in a 2024 Joint Cybersecurity Advisory document from the FBI, CISA, and NSA, Volt Typhoon actors “are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions … in the event of potential geopolitical tensions and/or military conflicts,” such as a conflict over Taiwan.
In November 2023, the Iranian hacktivist group “Cyber Av3ngers” gained control of at least one device at the Municipal Water Authority of Aliquippa, Pennsylvania, preventing the system from automatically regulating water pressure and forcing the booster station to run on manual mode for more than two weeks. Access was gained through a Unitronics programmable logic controller (PLC) using a default password, as described in CVE-2023-6448. Since November, Cyber Av3ngers has used the same method to attack an undisclosed number of additional water facilities across the United States.
US Government Initiatives: Raising Awareness and Building Defenses
In response to these escalating threats, the US government has implemented several initiatives aimed at raising awareness and promoting improved cybersecurity within the water sector. The Biden-Harris administration, EPA, and CISA met with state and local officials on March 21, 2024, to underscore the urgency of the situation and discuss solutions.
At the meeting, Deputy National Security Advisor Anne Neuberger requested that each state prepare a cybersecurity plan by May 20, 2024. The cybersecurity plan should include details of how the state is working with drinking water and wastewater systems to determine where they are vulnerable to cyberattacks, and what actions they are taking to implement cybersecurity protections.
The EPA also announced the development of a task force to identify challenges the water sector faces and develop strategies to reduce the risk of cyberattacks.
Top Cyber Actions for Securing Water Systems: A Roadmap for Resilience
On February 21, 2024, the EPA released a document on Top Cyber Actions for Securing Water Systems. This resource offers a roadmap for water treatment facilities to strengthen their defenses. Some key recommendations include:
- Reduce Internet Exposure: Implement segmentation to create barriers between different parts of the network, limiting the potential impact of a breach.
- Conduct Cybersecurity Assessments: Conduct internal or third-party assessments to identify potential weaknesses.
- Change Default Passwords: Immediately change default passwords. Employ multi-factor authentication to add an extra layer of security beyond usernames and passwords.
- Inventory and Secure Systems: Identify and secure all connected devices within a system, including control systems, data acquisition systems, and industrial control systems (ICS).
- Develop and Test Contingency Plans: Develop an Incident Response Plan and a Business Continuity Plan. Train employees and conduct regular exercises of these plans.
- Backup OT/IT Systems: Perform regular backups of OT/IT systems and ensure at least one copy is stored offsite. Regularly test backups to ensure successful restoration.
- Reduce Vulnerabilities: Prioritize keeping software and firmware up to date with the latest security patches. Remove unnecessary software from computer and OT systems.
- Educate Staff: Train employees on cybersecurity best practices, including phishing awareness and secure password hygiene.
Industry Collaboration: Building a More Secure Future
The current state of cybersecurity in the water and wastewater sector demands immediate and concerted action from all stakeholders. The EPA recognizes that this is a challenging task for many facilities and offers resources on their Cybersecurity for the Water Sector website. The cybersecurity experts at Summit are available to assist water facility operators with assessing vulnerabilities, implementing robust defenses, and conducting regular training exercises. Connect with us today and find out how we can help.