High Tech, High Stakes: How Vulnerable to Cyberattacks Is U.S. Water Infrastructure?

By Andrew Farr

According to government officials, security experts and persistent media reports, all signs indicate that cybersecurity is an issue that is here to stay and puts U.S. infrastructure squarely in the crosshairs of hackers and foreign governments. Recently the issue has been heightened by the war in Ukraine and has increased concerns about a potential Russian retaliation to U.S. sanctions that may come in the form of a cyberattack.

But whether it’s Russia, China, another foreign government or an independent hacker, concerns about how cyberattacks could impact infrastructure in the United States have been elevated – and a look at how they could affect the water industry is fascinating.

In the wake of the COVID-19 pandemic, resilience and emergency response have emerged as top issues for water and wastewater systems. In 2019, the American Water Works Association’s (AWWA) State of the Water Industry report ranked cybersecurity as No. 17 on its list of top issues facing the sector. Last year, cybersecurity moved up to No. 12 on AWWA’s 2021 report, although the survey used to compile the report was completed before the highly publicized February 2021 cyberattack on a Florida water system. In that case, a water utility in Oldsmar, Florida, was compromised when its operations system was hacked, briefly multiplying the amount of sodium hydroxide, or lye, used in the city’s water treatment, by a factor of more than 100. Lye is an ingredient used in drain cleaners that is also used to control water acidity and remove metals from drinking water.

According to the Pinellas County Sheriff’s Department, a plant operator noticed that someone remotely accessed a computer system that monitors and controls chemicals used to treat water as well as other functions. The utility stated that even if the plant operator had not noticed the change in levels, it still had other controls and alerts in place to keep any compromised drinking water from going out to the public.

According to AWWA, instances of ransomware attacks and data breaches have demonstrated the need for water utilities to be vigilant in preventing similar attacks. For its 2021 SOTWI report, survey participants were asked whether their utility was planning, revising or assessing information technology needs to defend against a cyber intrusion: 20 percent said their utility had fully implemented some form of plan to address cyber intrusion, while 20 percent said their utility was assessing its cyber intrusion needs.

There are, of course, financial implications to cyberattacks on infrastructure, as well. According to Fitch Ratings, the Colonial gas pipeline cyberattack in May 2021 illustrates the broader financial effects that can result. A breach of critical assets, such as power or water supply or public transportation, that halts service could result in widespread public and private sector shutdowns if utilities cannot provide service or employees are not able to commute to their places of work. Fitch says infrastructure that has been compromised can directly affect state and municipal government finances in the near term through ransom payments and/or the costs of remediation and restoration of data and service, as well as over the longer term, as a result of broad economic disruption that leads to loss of tax revenue.

Recent Regulatory Action for Water

In October 2018, America’s Water Infrastructure Act (AWIA) was signed into law, essentially requiring water utilities to thoroughly assess their vulnerabilities to all types of natural hazards and man-made disasters and develop a detailed plan to address them.

Through an amendment to the Safe Drinking Water Act, AWIA introduced new requirements for every public water system to conduct a Risk and Resilience Assessment (RRA) and prepare (or revise) an Emergency Response Plan (ERP) that addresses the deficiencies uncovered in the RRA. The requirements differ slightly based on population served. Reports do not need to be submitted, but RRAs and ERPs must be updated and re-certified to EPA every five years.

Some experts say that although utilities have dealt with unplanned costs and uncertainty about how to get value from the assessments, the new requirements will bring some standardization to the important issue of cyber resilience.

“The largest threat to financial, monitoring, and other computer systems is a cyber ransomware attack,” said Jacques Brados, cybersecurity consultant, formerly with Black & Veatch Water. “Many financial systems have periodic cyber assessments that may not meet the intent of AWIA, and SCADA systems are typically assessed less often and with less rigor. The unfunded AWIA mandate is a challenge, but it’s also an opportunity to standardize security assessments of electronic, computer, automated, and financial systems to determine risk and improve resilience.”

EPA does not require the use of specific standards, methods or tools for the risk and resilience assessment or emergency response plans. It recommends the use of standards, including AWWA J100-10 Risk and Resilience Management of Water and Wastewater Systems, along with tools from EPA and other organizations.

Recently EPA has been discussing plans to incorporate cybersecurity audit requirements as part of utility sanitary surveys and NPDES permits. The EPA proposal was included in its FY22 budget request to Congress and officials have been moving forward to implement the concept.

Water sector organizations including the American Water Works Association, Association of Metropolitan Water Agencies, National Association of Water Companies and National Rural Water Association say they have heard near-universal objections to the approach, including from the primacy agencies that would be mandated to implement the new requirement. Among the associations’ rationale:

  • The planned program is legally unjustifiable, as interpretive rules like those governing sanitary surveys may not create new legal standards or requirements;
  • Sensitive information shared with states would not be protected from public disclosure; and
  • State primacy agencies are not qualified to assess the cyber readiness of a water system, which could lead to unmerited significant deficiencies and misinformed advice to utilities.

Water Sector Threats

So, what makes water/sewer systems particularly vulnerable to cyberattacks when looking across all types of infrastructure systems?  

“Since water and wastewater provide the most basic service for daily survival, they are attractive targets,” says John Sullivan, chief engineer at Boston Water and Sewer Commission and chairman of WaterISAC, the organization that manages and shares threat information for the water sector. “The best way to look at it is that all critical infrastructure is vulnerable, even the most well financed and technically sophisticated. This is in part due to the evolving capabilities of hackers.”

WaterISAC issues threat alerts for both physical and cybersecurity for threats ranging from domestic to international and generally collaborates on threat alerts with the Cybersecurity and Infrastructure Security Agency (CISA) under the Department of Homeland Security, as well as the EPA. It also produces case studies on threat events and gives monthly threat briefings and regular webinars on various security topics.

“The water sector is unique in the sheer number of utilities it covers, most of which are trying to keep water rates affordable and are concerned with replacing aging pipes and treatment plants,” adds Sullivan. “That’s why it’s important for Congress to help utilities fund cybersecurity improvements appropriations bills to ensure water and wastewater have the resources to protect these basic services.”

Emerging Threats

The concern over cyberattacks on critical infrastructure is arguably higher than it has ever been. The ongoing war in Ukraine prompted the White House to issue a statement on March 20 about an increased potential for Russian cyberattacks against the United States, urging owners and operators of critical infrastructure to increase their cybersecurity protections.

“There are advanced threat actors, such as Russia and China, who we may not even realize are in our networks,” says Michael Arceneaux, managing director of WaterISAC and acting CEO of the Association of Metropolitan Water Agencies (note AMWA and WaterISAC are separate non-profit groups with different member utility systems).

“We’ve been briefed by intelligence agencies a couple of times since Christmas and they are very concerned that Russia could take action against Western interests to embarrass the [U.S.] government,” he says.

Advanced threat actors like foreign governments, however, only represent a more modern threat as cyberattacks on utilities have generally come in the form of ransomware attacks on the IT side, whereas now, operational threats are emerging.

“We’ve seen an uptick in ransomware incidents such as business or vendor email compromises in which the intent is to launch a ransomware attack or persuade employees to give up credentials. So, we’re concerned about the IT enterprise side of the house – emails, bill payment – because that wreaks havoc on doing business. But what we’re very concerned with now are attacks on operational technology or the industrial control systems (ICS) side, which can be damaging and life-threatening.”

The imagination can run wild with worst case scenarios about what a threat actor could do to a water system, but Arceneaux explains that sophisticated actors could hack a system and manipulate pumps or chemical feeds without the utility even knowing they were in the system. They could also create a water hammer that could lead to cracked pipes or release untreated wastewater back into a source water body.

“It only takes one attack on one water utility to frighten the public,” he says.

With this in mind, what is the No. 1 action that many water utilities can take right now to bolster resilience in light of current events?

WaterISAC advises that the most important cybersecurity control to implement right now is multifactor authentication (MFA) on all possible systems.

Since security is always dependent on multiple layers of protection, it is essential that everyone uses strong and unique passwords, patching is kept up to date, backups are regularly made and stored off the network, and users are given regular awareness training. WaterISAC also advises that utilities have cybersecurity incident response plans with constant employee awareness training. Some of its primary recommendations for protecting against cyberattacks include:

  • Multi-factor authentication;
  • Anti-virus and anti-malware programs;
  • Enabling spam filtering to prevent phishing emails from getting through;
  • Keeping software up-to-date and filtering network traffic that monitors threat indicators; and
  • Developing and being prepared to implement incident response plans.

Arceneaux says that while attention is growing regarding the issue of cybersecurity, the water sector still has a lot of catching up to do in terms of elevating utilities’ awareness to the consequences of cyberattacks.

“It’s hard to get utilities to make sense of the Colonial Pipeline incident because it’s not water,” he says, explaining how in that scenario there was a ransomware attack that did not directly affect the control side of the pipeline, but as a precaution, the pipeline’s operations were suspended – so the fact that operations were shut down was not a direct result of the attack but out of caution.

“What if that happens [to a water system] in a medium or a big city? Maybe it’s only for a few hours, but it could go on for a few days or weeks, depending on how extensive the damage is,” he explains.

“A lot of utilities just don’t see how they can become targets, and it’s just a matter of time before someone at their agency clicks on the wrong email or opens the wrong attachment. If there is an incident like that, I think we can expect Congress to take a very strong interest in water security regulations,” he says, adding that the sector should look to implement universal best practices for utilities to follow.


Andrew Farr is managing editor of Water Finance & Management, published by Benjamin Media in Brecksville, Ohio. He has covered the water sector in North America for 10 years and also covers the North American trenchless construction industry for sister publication Trenchless Technology.
