In 2021, a cyberattacker tried to poison a Florida city's water supply by remotely accessing internal systems and tampering with levels of lye at the local water treatment facility. Thankfully, that attempt failed, but it was hardly an isolated incident. Earlier this year, hackers targeted plants in Tipton, Indiana and Aliquippa, Pennsylvania with ransomware. Last month, a hacker exploited unpatched software vulnerabilities to disrupt customer service and billing systems at American Water Works, the largest water and wastewater utility company in the U.S.
Despite significant investments in preventative measures like endpoint and perimeter security solutions, breaches continue to occur. To achieve cyber resilience, water treatment facilities must expand their focus and find ways to limit the impact of a successful breach so that catastrophic outcomes are avoided.
Behind the Rise in Water Treatment Facility Hacks
The Environmental Protection Agency (EPA) issued an enforcement alert earlier this year, indicating that 70 percent of the water systems exhibited "alarming cybersecurity vulnerabilities" such as outdated default passwords and insecure single login configurations. This report is especially concerning given that bad actors frequently use AI-powered technology to make their attacks difficult to detect.
Once an attacker penetrates a facility’s network, they may wait undetected for weeks, sometimes months. Meanwhile, these so-called “sleeper cells” will perform reconnaissance looking for vulnerabilities to exploit across the attack surface. The longer attackers remain undetected, the more damage they can do.
Because it is no longer if an attack will happen but when, prevention and detection tools alone are no longer enough. The ability to quickly discover a breach and contain an attack is key to ensuring a breach doesn’t become a cyber disaster. Fortunately, there are several steps security teams can take to mitigate the impact of an inevitable breach starting with complete, end-to-end visibility into their environment. This insight is critical to understand where risk lies therefore, what must be secured.
Next, implement a Zero Trust security model – a cybersecurity framework that operates on the principal of “never trust, always verify” – to continuously verify the identity and legitimacy of users and devices trying to access critical assets. Because there will never be a “one-size-fits-all" solution for Zero Trust in critical infrastructure, organizations must tailor their zero trust strategies and implementation plans to the specific needs and vulnerabilities of their operations.
By aligning efforts with organizational objectives, identifying critical risk areas, and prioritizing security around the most vital data sets, systems, and operations, meaningful progress can be made. Zero Trust technologies, including foundational tools like segmentation, will help agencies proactively prepare for breaches. Microsegmentation is key as it contains breaches by isolating critical systems which prevents attackers from spreading or moving laterally in data centers, clouds, and networks.
Regular security audits and risk assessments enable ongoing identification of vulnerabilities and help determine prioritization of investments in resources and personnel. As the EPA discovered, employees can either be a strength or a vulnerability. Don’t wait for an audit to reveal outdated default passwords, insecure single login configurations, and other risky behaviors. Regularly educate employees about cybersecurity threats and best practices, not just when onboarding new hires.
As the old saying goes, “practice makes perfect.” Develop and regularly update incident response plans to prepare for various attack types, including data breaches and ransomware, allowing for quick restoration of operations.
Continuous monitoring with advanced tools enables real-time detection of unusual activity while investing in AI and machine learning, which enhances threat detection capabilities. Finally, collaborating with industry peers and government agencies for information sharing strengthens overall resilience against cyber threats.
Water treatment facilities can significantly decrease their chances of suffering a data breach or falling victim to ransomware by implementing Zero Trust architecture, regular risk assessments, employee training, and incident response planning. Failing to act on these strategies increases the risk of financial loss and poses severe threats to public safety and trust in essential services.
Prioritizing cybersecurity is not just about protecting systems, it is about ensuring public safety and maintaining trust in the essential services that communities rely on. As threats evolve, so must the strategies employed to safeguard our critical water infrastructure. This requires focusing on preparedness, flexibility, and rapid recovery. Collaborating on safeguarding this critical infrastructure and protecting water supplies from both cyber and operational risks is a collective responsibility among government agencies, utility operators and industry peers.
