Tech Perspectives: What is the State of Cyber Risk in the Water Sector?

Water utilities are on heightened alert for cyber attacks, so Water Finance & Management chatted with Marty Edwards, Deputy Chief Technology Officer for Operational Technology (OT) and Internet of Things (IoT) for Tenable. Edwards recently gave recent testimony in Congress, appearing as a witness before in February before the House Homeland Security Committee’s Subcommittee on Cybersecurity and Infrastructure Protection. The hearing discussed the increased cyber threats targeting the water sector and the strategy Congress should support to protect water and wastewater systems. 

WF&M: Are water/wastewater systems especially vulnerable to cyber attacks compared to other infrastructure systems?

Edwards

Marty Edwards: As highlighted by recent warnings from the EPA and the White House, cyberattacks targeting water systems are increasingly prevalent because downtime in these systems can be costly. Attackers recognize the consequences to water and wastewater systems if operations go down and prey on this vulnerability and desire to restore operations quickly.

Attacks in the water sector are largely due to poor cyber hygiene. Bad actors can easily roam the internet in search of assets that still have the factory default password. Allowing for direct accessibility from the internet, default passwords, and a lack of authentication security is more than negligent; it is a failure of not only the asset owner but of the complete OT security environment.

Overall, cyberattacks against water systems are particularly concerning because these facilities are an integral part of industrial control systems and operational technology, which make up the very fabric of the critical infrastructure around us. Restricting access to any part of the nation’s critical infrastructure can have destructive consequences – as we witnessed with the Colonial Pipeline attack in 2021. We’re starting to see tangible impacts of these cyberattacks more and more, which hopefully will serve as a wakeup call for the importance of securing these systems.

WF&M: Can you briefly summarize for our readers what happened at the water system in Aliquippa, Pennsylvania in November 2023? Which part of the OT system was compromised, and what do you think are some of the lessons learned there?

Edwards: Municipal Water Authority of Aliquippa, Pennsylvania was the target of the exploitation of Unitronics programmable logic controllers (PLCs), a ubiquitous tool that serves as the operational brains of water treatment plants. This facility’s PLC device was directly accessible from the internet and still had the factory default password. Correcting either of those things could have very very easily prevented this incident. A threat actor having direct access to this device was a significant risk because they could have turned motors and pumps on and off, manipulated the chemical settings compromising the safety of the water, planted logic bombs that would have later caused disruption, and potentially so much more.

Attacks like this one are evidence that industrial security needs significant improvements and government regulation, at some capacity, to protect public services like water and wastewater systems. Additionally, critical infrastructure organizations must layer defenses in place, like two robust multi-factor authentication programs – one to get into the enterprise network and another to get between corporate environments and sensitive OT networks, which PLCs fall within.

Municipal Water Authority of Aliquippa, Pennsylvania officials and the U.S. government did the right thing by sharing information about the incident, as this practice of transparency is crucial to bolster the nation’s collective defense.

WF&M: In March, EPA Administrator Michael Regan and National Security Advisor Jake Sullivan sent a letter to all U.S. governors on the urgent need for cyber protection in the water sector. Do you feel the cyber risk to the water sector is heightened at the moment?

Edwards: Efforts to infiltrate the underlying systems that support not only the daily lives of Americans but also our economy are emerging as an acute national security risk. In recent years, there has been an increase of successful cyberattacks against U.S. water systems and utilities, as well as wastewater systems. California, Maine, and Nevada’s water facilities have all fallen victim to ransomware attacks. This month, cybersecurity researchers linked a January 2024 attack on a Texas water facility to Sandworm, a infamous Russian threat group. This is a clear and present nation-state threat to the water sector.

However, it is also worth noting while most experts (including myself) tend to agree that while the rate of attacks is increasing, organizations have become increasingly transparent about incidents as they happen or soon after. This increased transparency and coordination between the private and public sectors goes a long way toward improving the nation’s collective defense.

WF&M: Are most cyber threats to water systems coming from or backed by foreign governments, independent actors, or both? 

Edwards: The cyber threat landscape facing water systems is multifaceted, with both foreign governments and independent actors posing significant risks. Heightened geopolitical tensions have prompted the U.S. government to issue several warnings about nation-state threats targeting critical infrastructure, including water systems, which is something that should cause all of us to sit up and pay attention. In my experience, the government does not make attributions lightly, so when they issue a warning or provide information about a threat actor linked to a specific country, it means they have significant evidence to support it that the public should know about.

I’m concerned about nation-state actors and cybercriminals exploiting known vulnerabilities, getting into these environments and then shutting them down. Ransomware-as-a-Service (RaaS) has further fueled the proliferation of ransomware attacks in these environments, making attacks more accessible to a wider range of threat actors. It’s important to note that criminal ransomware operators don’t typically use zero-days or cyberwarfare-level capabilities; they exploit known vulnerabilities that have been unpatched for years. Attackers aim to use the minimum amount of resources, and zero-days are expensive.

WF&M: Water utilities are calling for a collaborative approach to cybersecurity requirements with oversight from EPA. Which tools does the federal government have right now that are perhaps underutilized or where do you see opportunities for immediate improvement?

Edwards: CISA partnered with the Environmental Protection Agency (EPA) to develop a comprehensive toolkit designed to “help water and wastewater systems build their cybersecurity foundation and progress to implement more advanced, complex tools to strengthen their defenses and stay ahead of current threats.”

Additionally, CISA, the FBI and the EPA issued a joint water sector incident response guide, which was developed under the Joint Cyber Defense Collaborative (JCDC), with participation from Tenable. The guide provides an extensive range of resources that cover the four stages of the incident response lifecycle, from preparation to proactive post-incident activities. The guide also offers best practices for cyber incident reporting.

It is worth noting that following the EPA rescinding its cyber rule, there have been significant efforts within the water sector to support a collaborative approach with federal partners to develop a framework similar to that employed by the North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC) in the electric sector. I am pleased to see this high level of stakeholder engagement in the development phase and the strategic utilization of preexisting successful frameworks to enhance cybersecurity in the water sector. However, while this long-term initiative is considered, it is imperative that we also support more immediate actions. CISA’s Cybersecurity Performance Goals should be the blueprint for implementing effective risk reduction practices in the interim.

WF&M: From your perspective, what are a few actions water utilities at the local level can take right now to bolster resilience to cyber attacks?

Edwards: How we address vulnerabilities today and build security into future systems will be the most important factors in determining the outcome of a large-scale targeted attack on our water infrastructure. It’s critical that water utilities disconnect devices from the internet and change default passwords. It is incredibly easy for attackers to discover internet-facing assets that still have the factory default password – it’s equivalent to leaving your front door unlocked. Additionally, the water sector must master the cybersecurity fundamentals, including regular patching, network segmentation and employee training to prevent successful attacks. It’s also crucial to adopt technology solutions that enhance visibility into critical infrastructure environments, and policymakers should incentivize the implementation of these technologies.

My recommendation to the federal government to enhance the cyber preparedness of U.S. critical infrastructure is to establish baseline cybersecurity requirements or standards of care for critical infrastructure that align with CISA’s Cross-Sector Cybersecurity Performance Goals, international standards, and the NIST CSF, based on effective cyber hygiene and preventive security practices.

Leave a Reply

Your email address will not be published. Required fields are marked *

*