Highlighting Cyber Exposures in Wastewater Infrastructure

The water and wastewater treatment industry, like other industries, is facing several cyber exposures. The cyber threats affect this sector disproportionately compared to other utilities, given local-level wastewater processing. Along with physically securing its critical infrastructure, the wastewater treatment industry has to leverage available resources to protect against cyberattacks.

Last April, Israel’s National Cyber Directorate received reports about an attempted major cybercrime on its water infrastructure. The attack consisted of assault attempts on control systems of wastewater treatment plants, pumping stations, and sewers—threats like this highlight the need to protect the security of water resources.

Here’s a better look at cyber exposures in the wastewater infrastructure industry.

The Challenges of Securing Water Treatment Facilities

The additional call for cybersecurity protections now compounds the need for physical security at water treatment facilities. Cybercrime can come at any moment as utilities are otherwise engaged in natural disasters or experiencing physical damage. Hackers and other cybercriminals can send malware or ransomware to a particular water treatment facility. Cybercriminals can determine that since the water treatment facility is already being hit by a hurricane, severe thunderstorm or flood and trying to recover, they would be able to lock down a facility’s system and extort them for money.

At a water treatment facility in Harrisburg, Pennsylvania, hackers digitally compromised the location through spam email. Because there were vulnerabilities in the system, things that hadn’t been patched up or analyzed for a specific cybersecurity vulnerability led to compromising the entire network system.

Water treatment facilities typically do not have the resources to replace or upgrade costly systems. Water utilities operating at a local level may not have the same access to resources and protections to combat cybercrime as a large electric utility company or a natural gas distributor.

Furthermore, with only a small staff tasked with running the local facilities, many water companies do not have the bandwidth to focus on cyber health while trying to operate a facility’s daily functions. Often facilities have double-hatted individuals who are stretched thin conducting operations, monitoring the system, and making whatever repairs need to be made. They may not have room in their schedule for managing cybersecurity needs.

A significant challenge that water facilities face is a capacity challenge. The number of personnel that is assigned to take care of these kinds of cyber threats is minimal. Cybersecurity is often considered but not highlighted in a facility’s hierarchy of needs because staff on board are trained to focus on water treatment needs first and foremost. What’s more, available funds typically go to infrastructure, not cybersecurity.

Protecting Wastewater Infrastructure

To protect against cyber exposures, wastewater treatment facilities should access control of cyber systems. Access control goes hand in hand with segmentation. Whenever there is a connection to a network from another network, a treatment facility should want to know who it is and why they want to make a connection. It’s essential to have access control for the people working at a facility that uses the system.

An operator at a facility should be able to tell a pump at the facility to stop or start, or initiate a controls strategy, but not be able to change the control strategy itself. This is a role-based access outline that limits access but keeps staff working and focused on their particular tasks.

Authentication is also an essential part of keeping cyber crimes limited and exposure mitigated in the wastewater industry. It may sound pedestrian, but creating a robust system password can go a long way toward strengthening the first line of defense. As in any business or industry, passwords should be sufficiently complex and changed regularly.

Lastly, hardening network components should be executed to provide as much protection against threats as possible. Hardening network components aid in locking down functionality to prevent unauthorized access. This disables any unused functions and ensures that configurable options are set to their highest security levels.

About Watercolor Management

WaterColor Management has insured the water industry for over 30 years.  Our policies include unlimited defense cost coverage in the event of a lawsuit against you. Call us at (256) 260-0412 or email info@watercolormanagement.com for a quick quote for your Water Business Professional, Products/Completed operations, Pollution and General Liability Insurance.