A Guide to Cybersecurity for Water and Wastewater Utilities
Ebook, 348 pages, 2 hours


About this ebook

This book is intended to help water and wastewater utility managers and operators navigate the complex world of cybersecurity. It provides accessible guidance on how utilities of all sizes can manage their risks, focus their resources, and implement controls to keep their facilities and their communities safe. This includes creating a culture of good cybersecurity internally and managing relations with third-party contractors.
Language: English
Release date: Oct 1, 2024
ISBN: 9781572784727

    Book preview

    A Guide to Cybersecurity for Water and Wastewater Utilities - Steve Mustard

    Chapter 1

    Introduction

    1.0 CYBERSECURITY IN THE WATER AND WASTEWATER SECTOR

    2.0 ABOUT THIS BOOK

    1.0 CYBERSECURITY IN THE WATER AND WASTEWATER SECTOR

    This nation faces ongoing cybersecurity attacks that threaten its critical infrastructure. This is true in the water and wastewater sector, and perhaps especially so in rural water systems. Despite providing a life-sustaining resource for the community, these systems are afforded only limited resources to mitigate cybersecurity risks.

    From the early 2000s, when Vitek Boden used a stolen laptop and a radio to wreak havoc at a water resource recovery facility in Queensland, Australia, through to recent incidents, such as the February 2021 incident at Oldsmar, Florida, wherein the level of sodium hydroxide was changed to toxic levels, either by mistake or intentionally, cybersecurity risks for water and wastewater operators are a constant threat to the critical national infrastructure.¹

    Government and private bodies alike have sought to address concerns, but to date, the solutions have served only to increase the administrative burden. The methodologies used to date are too complex for the rural water sector. Nothing has been successful in truly yielding any substantial decrease in cybersecurity risk. This means that the sector continues to present a threat to the security and well-being of the nation.

    The effect of a ransomware incident in a rural water system could wipe out an entire annual budget. More importantly, high-profile incidents such as that in Oldsmar, Florida, show that there is the potential for widespread harm to the public and significant damage to the water and wastewater infrastructure such as that seen in Flint, Michigan. Although the damage in Flint was not a consequence of a cybersecurity incident, a similar result would have been possible by changing the chemical dosing in the water supply by malicious or accidental means.

    The United States has more than 145,000 active public water systems providing water and wastewater services. Of these, 97% are considered small systems, meaning they serve 10,000 or fewer people, according to the Safe Drinking Water Act.² These smaller systems have limited resources to manage risks to their operations. As noted in the Water Environment Federation’s (WEF’s) Manual of Practice No. 33, Information Technology for Water and Wastewater Utilities, a large portion of the populace do not have the knowledge or skills to recognize or guard against even the most rudimentary cyberattack.³

    America’s Water Infrastructure Act was signed into law in October 2018. This requires public water systems to conduct and develop vulnerability assessments and emergency response plans considering resiliency, cybersecurity, and physical security.

    According to information about these incidents obtained from the Cybersecurity & Infrastructure Security Agency⁵ and the SCIDMARK database maintained by the Infracritical Organization,⁶ between 2019 and 2021 alone there were at least seven reported incidents in U.S. water and wastewater utilities (WWUs). Four involved the use of ransomware and, in one of those cases, a wastewater treatment facility required manual operation until the computer system was restored. In the other three cases, employees (one of whom was a former employee who still had access to systems despite having left the organization) accidentally or intentionally disrupted operations using their system access.

    In March 2023, in response to the continued threat, the U.S. Environmental Protection Agency (U.S. EPA) issued a new memorandum ordering all public water systems to meet a series of basic cybersecurity requirements while also making cybersecurity audits a part of regular scheduled sanitary surveys.⁷ The memorandum was withdrawn in October 2023, following a lawsuit involving the states of Missouri, Arkansas, and Iowa, as well as the National Rural Water Association and the American Water Works Association.⁸

    Also in 2023, data from a U.S. EPA assessment were released. The assessment involved 249 public water systems that volunteered to be reviewed in three stages to assess their cybersecurity readiness over a 12-month period.⁹ The data are self-reported and unverified and represent a tiny portion of the 145,000 public water systems in the United States. Although the survey indicates some positive movement toward better cybersecurity readiness, it reveals that there is still a very long way to go until the U.S. water and wastewater sector is adequately managing its cybersecurity risk.

    The survey results are not surprising. Cybersecurity guidance is often complex and can be difficult to conduct in the field. There are a multitude of standards, guides, and frameworks, some that are even specific to the water and wastewater sector. Multiple government agencies, including the U.S. EPA, have an oversight role in cybersecurity. Experts will generally provide lists of more than 20 technical related points to be investigated, many that require the skills of a specialist to execute. Although there are many service providers in this area, they are driven by business interests, focusing services on technology, not people and process. For real change to take place, solutions must address people, process, and then technology. More importantly, WWUs need practical help to understand how to address this challenge.

    This book recognizes the challenge that WWUs face. Successfully managing cybersecurity requires knowledge, skills, and resources targeted to reduce risk as efficiently as possible. Many WWUs have limited resources and expertise. Despite the many forms of guidance, it remains difficult to know where to begin, and where to focus efforts.

    2.0 ABOUT THIS BOOK

    This book is intended to help those responsible for water or wastewater operations navigate the complex world of cybersecurity. The book assumes basic knowledge of technology and focuses on key issues that readers should consider.

    The term water and wastewater utility is used throughout this book to refer to any entity that meets one of the following criteria:

    Community water system: A public water system that supplies water to the same population year-round.

    Non-transient non-community water system: A public water system that regularly supplies water to at least 25 of the same people at least 6 months per year. Examples include schools, factories, and hospitals that have their own water systems.

    Transient non-community water system: A public water system that provides water in a place such as a gas station or campground where people do not remain for long periods of time.

    These systems may or may not provide wastewater treatment services.

    This book is intended for use with WWUs of any size:

    Very small water systems serving 25 to 500 people.

    Small water systems serving 501 to 3,300 people.

    Medium water systems serving 3,301 to 10,000 people.

    Large water systems serving 10,001 to 100,000 people.

    Very large water systems serving more than 100,000 people.

    Although larger systems may have more resources and capabilities than their smaller counterparts, the methodology described in this book applies equally well to any system.

    The book begins with an introduction to the cybersecurity risk to WWUs. Whereas the number of publicly reported issues may seem low, it is crucial to understand the potential consequences of a cybersecurity incident in a WWU. There are many reasons why issues go unreported, including lack of awareness of incident cause, concern over repeat attacks, and in the case of WWUs, concern over bond devaluation and other reputational effects.

    Having described the risk in Chapter 2, Chapter 3 then discusses one of the biggest challenges that WWUs face: knowing where to focus their limited resources to achieve the best possible result. Chapter 3 discusses how to do this, through a clearly defined risk assessment process.

    Chapter 4 provides more details of the cybersecurity controls that should be in place in a WWU and gives guidance on the issues around these controls.

    One of the most important things that a WWU can do to manage cybersecurity risk is to raise awareness within their team. Everyone can play a part in reducing cybersecurity risk. Chapter 5 gives guidance on how to develop a culture of good cybersecurity management.

    Water and wastewater utilities do not operate in isolation. Third parties, such as engineering companies, system integrators, product vendors, and others interact on a regular basis. No matter how well the WWU manages their cybersecurity risk, if third parties do not manage their risk, the WWU remains vulnerable. Chapter 6 gives guidance on how to work with third parties to ensure they are managing their cybersecurity risk.

    Cybersecurity risk management is a continuous process requiring constant vigilance and focus. Chapter 7 discusses how WWUs should maintain cybersecurity management.

    Finally, Chapter 8 provides a list of recommended further reading and resources, including various assessment tools that can be used in the risk assessment process.

    ¹ The incident in Oldsmar, Florida, was originally reported as an intentional cybersecurity attack. It was subsequently reported that it was an operator error. However, both are forms of cybersecurity incidents that require management. This is discussed further in Chapter 4, Cybersecurity Barriers.

    ² U.S. Environmental Protection Agency. (n.d.). Safe Drinking Water Act (SDWA). Retrieved January 21, 2024, from https://www.epa.gov/sdwa

    ³ Water Environment Federation. (2022). Information technology for water and wastewater utilities (2nd ed.; WEF Manual of Practice No. 33), p. 179.

    ⁴ U.S. Environmental Protection Agency. (n.d.). America’s Water Infrastructure Act of 2018. Retrieved January 21, 2024, from https://www.epa.gov/ground-water-and-drinking-water/americas-water-infrastructure-act-2018-awia

    ⁵ Cybersecurity & Infrastructure Security Agency. (2021, October 25). Ongoing cyber threats to U.S. Water and wastewater systems. Retrieved January 21, 2024, from https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-287a

    ⁶ Infracritical. (n.d.). Systems and cyber impact database markup. Retrieved January 21, 2024, from http://search.infracritical.com/

    ⁷ U.S. Environmental Protection Agency. (2023, March 3). EPA takes action to improve cybersecurity resilience for public water systems. Retrieved January 21, 2024, from https://www.epa.gov/newsreleases/epa-takes-action-improve-cybersecurity-resilience-public-water-systems

    ⁸ U.S. Environmental Protection Agency. (n.d.). Cybersecurity in sanitary surveys. Retrieved January 21, 2024, from https://www.epa.gov/waterresilience/cybersecurity-sanitary-surveys

    ⁹ Geller, E. (2023, July 25). Exclusive: America is struggling to safeguard water supply from hackers, new EPA data shows. The Messenger. Retrieved September 10, 2023, from https://themessenger.com/tech/exclusive-america-is-struggling-to-safeguard-water-supply-from-hackers-new-epa-data-shows

    Chapter 2

    The Cybersecurity Risk to Water and Wastewater Utilities

    1.0 INTRODUCTION

    2.0 REPORTED INCIDENTS IN THE WATER AND WASTEWATER SECTOR

    3.0 CYBERSECURITY INCIDENTS IN WATER AND WASTEWATER UTILITIES

    3.1 Contributing Factors

    3.2 Consequences

    3.3 Threats and Exploits

    3.3.1 Amateur Hackers

    3.3.2 Professional Hackers

    3.3.3 Activist Hackers

    3.3.4 Disgruntled Employees or Contractors

    3.3.5 Nation-States and Terrorists

    3.3.6 Unintentional Acts

    3.4 Vulnerabilities

    3.4.1 Technical Vulnerabilities

    3.4.2 Process Vulnerabilities

    3.4.3 People Vulnerabilities

    3.4.3.1 Phishing

    3.4.3.2 Removable Media

    3.4.3.3 Passwords

    3.4.3.4 Physical Security

    4.0 SUMMARY

    1.0 INTRODUCTION

    Water and wastewater systems are one of the 16 sectors in the United States’ critical infrastructure. The Department of Homeland Security (DHS) works to improve the security of the United States. The department’s work includes customs, border, and immigration enforcement; emergency response to natural and human-made disasters; antiterrorism work; and cybersecurity. The Department of Homeland Security notes that: Safe drinking water is a prerequisite for protecting public health and all human activity. Properly treated wastewater is vital for preventing disease and protecting the environment. Thus, ensuring the supply of drinking water and wastewater treatment and service is essential to modern life and the Nation’s economy.¹

    The Cybersecurity & Infrastructure Security Agency (CISA) is a component of DHS responsible for cybersecurity and infrastructure protection. The Cybersecurity & Infrastructure Security Agency recognizes water—along with energy, communications, and transportation—as the four infrastructure sectors that are critical to the operations of all other sectors, and as such are fundamental to the delivery of the basic societal functions communities seek to provide.²

    To reinforce this further, critical infrastructure experts Robert Radvanovsky and Allan McDougal identify water and wastewater as a sector that is critical to a life-sustaining environment and highlight examples in Cape Town, South Africa, and California, United States, where a lack of water challenges the order of society.³

    Water and wastewater entities are not immune to a variety of cyber-induced incidents, including

    loss or theft of confidential customer data or regulatory reporting data;

    deliberate or accidental loss of service, resulting in loss of revenue and possible damage to reputation; and

    deliberate or accidental inappropriate use of equipment, resulting in harm to employees or the public, equipment, or the environment.

    Consequently, critical services, such as firefighting and healthcare, as well as other sectors such as energy, food and agriculture, and transportation systems, can suffer significant negative effects from compromised water and wastewater systems.

    2.0 REPORTED INCIDENTS IN THE WATER AND WASTEWATER SECTOR

    Table 2.1 provides a list of known or reported incidents related to the U.S. water and wastewater sector. Note that for a variety of reasons, not all incidents are reported. In some cases, incidents were not attributed to a cybersecurity cause. In other cases, incidents were not reported due to confidentiality concerns. As a result, this list is likely incomplete.

    The information about these incidents is obtained from CISA,⁴ the Repository of Industrial Security Incidents,⁵ and the Systems and Cyber Impact Database Markup database maintained by the Infracritical Organization.⁶

    3.0 CYBERSECURITY INCIDENTS IN WATER AND WASTEWATER UTILITIES

    3.1 Contributing Factors

    Water and wastewater utilities (WWUs) are constantly at risk of being affected by a cybersecurity incident, even if they are unaware of this fact. This risk applies to every WWU that has any programmable electronic equipment, such as an office personal computer, a programmable logic controller (PLC), a supervisory control and data acquisition (SCADA) system, a smart meter
