The Vulnerable Data in Our Water
By Jonathan Betts
According to the U.S. Senate Committee on Environment and Public Works, public water systems are in potential danger, not only from infrastructure or financial crises, but from cyberattacks. From “What Will It Take to Defend Public Water from Cyber Attacks?”, out of the 16 sectors the White House classified as essential to the nation’s health, the committee deemed that drinking and wastewater systems might be among the least protected concerning digital security, and the ramifications can be severe. To counteract the threat represented by cyberattacks, the following are some resources that water and wastewater utilities can access.
The Threats
The U.S. Environmental Protection Agency (EPA) has produced a fact sheet detailing the potential effects of attacks, including:
Stealing customers’ personal data or credit card information from the utility’s billing system
Installing malicious programs, e.g., ransomware, that can disable operations
Defacing the system’s website or compromising the email system
In 2021 alone, multiple water systems across the country were hit by hackers, illustrating the vulnerabilities of the systems used to keep drinking water safe. Some examples include:
In the Bay Area of California criminals broke in to delete programs involved in water treatment
A former employee of a Kansas water system remotely shut down cleaning/disinfecting processes
Hackers in Oldsmar, Fla., tried to poison residents by elevating levels of lye
These are just a handful of the 70,000 water systems in the U.S., creating a “good news/bad news scenario” according to U.S. Sen. Angus King, co-chair of the Cyberspace Solarium Commission. “The good news is our water systems are fragmented and scattered. In other words, it's not like the [consolidated] electric grid where an adversary could take down a whole region of the country…The bad news is that, because they're so fragmented—rarely do [water agencies] have the wherewithal or the knowledge to fully protect themselves. So, they can be picked off one at a time more easily.”
Water systems’ fragmentation lies not only in the number of systems but also in system size. While larger city or county systems have higher revenue earnings to pay for heightened security measures, most water systems are small. For example, a city with 200 customers or a mobile home system supporting around 25 residents, simply do not have the money and resources to update their digital security. It’s these systems that will need the most help in the future to protect from attacks.
Potential Solutions
With the proliferation of big data comes the urgent need for better security around natural resources, and water is no exception.
Fortunately, the issue of water and cybersecurity has garnered growing attention and a growing wealth of resources along with it. Ranging from tips for on-site security measures to available funds, there are increasing resources to assist drinking water systems with their preparedness.
The EPA has produced several resources for utilities large and small to gain knowledge on how to increase their proficiency on cybersecurity. A few of these EPA resources include:
Water Sector Cybersecurity Brief for States
Cybersecurity Incident Action Checklist
Water Sector Cybersecurity Training and Response Exercises
Vulnerability Self-Assessment Tool
The EPA also provides access to the Clean Water State Revolving Fund, such as the program in Georgia, which provides low interest loans that can be used toward risk assessment and training tools.
EMA Inc. out of Milwaukee, Wisc., works with water utility technology and has released an article about potential vulnerabilities and solutions for utilities themselves, entitled “The Five Deadly Sins of SCADA/PCS Cybersecurity,” which gives an overview of on-site practices for increasing security.
How to Start
While more resources and specific staff expertise on cybersecurity issues will give a water utility an advantage, the EPA states that “basic cybersecurity best practices can be carried out by utility personnel without specialized training, and user-friendly resources are available to help.” A good place to start is with the EPA’s Vulnerability Self-Assessment Tool and the Incident Checklist.
Water and its treatment will be of increasing importance in the coming decades. As the sector becomes more digitized, the need for protection of water data will require consistent effort.
This is part of a blog post series funded by the Georgia Environmental Finance Authority (GEFA).
Disclaimer: The opinions of the writers should not be considered legal advice or endorsement by GEFA.
Subscribe Here
Sign up with your email address to receive notices of new blog updates. We post about once per month.