| Survey: Water utilities have work to do to thwart cyber attacks
AWWA Articles

Survey: Water utilities have work to do to thwart cyber attacks

Many U.S. water and wastewater utilities are building their cybersecurity capabilities, but there is a great deal more work to be done, according to a survey conducted by the Water Sector Coordinating Council (WSCC).

Cybersecurity 2021 State of the Sector report cover“There is a clear and evolving cybersecurity threat to the water sectors business and operational systems,” said Kevin Morley, American Water Works Association manager of federal relations. “It is essential for water utilities of all sizes to recognize the threat, assess their vulnerabilities and take action to mitigate the risk. That means integrating cybersecurity into their risk management plans, regularly conducting cyber risk assessments, and taking inventory of their information technology and operational technology assets so they can secure them.”

The report arrives as there is increased media attention to cybersecurity in the water sector, including a story published Thursday by NBC News headlined “50,000 security disasters waiting to happen: The problem of America's water supplies.”

The WSCC conducted the survey in April in the midst of a recent series of high-profile cyberattacks in the United States. AWWA is a member of the council, along with the Association of Metropolitan Water Agencies, the National Association of Clean Water Agencies, the National Association of Water Companies, the Water Environment Federation, National Rural Water Association, The Water Research Foundation and WaterISAC.

The survey was designed to give a broad picture of the sector’s cyber preparedness and to help communicate resource needs to federal decision makers. Results suggest that continuous improvement will be required to harden utilities against cyber attacks.

Kevin Morley“There are several excellent resources currently available to guide utilities in assessing potential cybersecurity risks,” said Morley (pictured right), referencing AWWA’s Cybersecurity Guidance and Assessment Tool and other resources on AWWA’s Cybersecurity & Guidance web page. “We also know that more federal resources are critical in helping the water sector mitigate cyber threats facing information and operational assets.”

According to the report, nearly 60% of respondents reported that they address cybersecurity as they assess their utilities’ overall risks.

To manage cyber risks, it’s essential that utilities generate inventories of networked informational technology (IT) and operational technology (OT) assets.  Nearly 75% of respondents report they have completed such inventories or are in the process of completing them. Thirty-eight percent of respondents have identified all IT-networked assets, and an additional 22% are working to complete inventories. Thirty-one percent of respondents have identified all OT-networked assets, with an additional 23% working to complete inventories.  
IT assets refer to the business or enterprise network of a utility. This includes computers, software, firmware and similar procedures and services, such as email, websites, bill payment and customer management systems, and work order applications. OT refers to required programmable systems that manage devices, monitor and control physical processes and events of a utility. 

The survey illuminates areas where the federal government can partner with the sector to build on existing activities to further the implementation of cybersecurity best practices. Among them are:

  • Water sector specific training and education
  • Technical assistance, assessments and tools
  • Cybersecurity threat information
  • Federal loans and grants

“The federal loans and grants available to water systems are not targeted to support cybersecurity in water and wastewater systems,” Morley said.  “This is a critical need to address to support the implementation of upgrades and deployment of critical services such as network monitoring, especially in resource constrained systems.”

The survey comes as cyber attacks against critical infrastructure and businesses are getting global attention. On June 2, the White House distributed a memo called, “What We Urge You To Do To Protect Against The Threat of Ransomware.” The memo quoted Anne Neuberger, deputy national security advisor for cyber and emerging technology, as saying that ransomware threats are serious and increasing. “All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” the memo stated.

The June 2 White House memo stated that attacks are shifting from stealing data to disrupting core operations. It urged business leaders to discuss the potential of a ransomware attack within their organization and to review security and business continuity procedures. 

Recent attacks upended business processes for JBS meatpacking operations in North America and Australia, the Steamship Authority of Massachusetts’ ferry service, and Colonial Pipeline’s gasoline supply system along the East Coast.

In a separate report issued in May, the U.S. Department of Homeland Security’s Office of Intelligence and Analysis warned that cyberattacks against water and wastewater systems are likely to increase “as criminal, nation-state, and terrorist cyber actors seek to exploit enduring vulnerabilities to achieve financial, geopolitical or ideological objectives.”

In addition, the report states, “Malicious cyber activity against U.S. and international water facilities is common and typically undertaken to secure ransom payments, highlight political or social causes, or the sector is targeted in the context of a broader geopolitical issue or conflict.”

America’s Infrastructure Act of 2018 requires community water systems serving 3,000 or more people to assess cybersecurity vulnerabilities and develop plans and procedures to lessen the impact of such incidents. 

AWWA’s Cybersecurity Guidance and Assessment Tool and other resources to support water systems in complying with this requirement are available on AWWA’s Cybersecurity & Guidance resource page. WaterISAC, an international security network for the water and wastewater sector, developed 15 Cybersecurity Fundamentals for Water and Wastewater Utilities.