Operational Technology
Cyber Resilience

EPA Cybersecurity Warning to Water Systems Faces Challenges

George V. Hulme
May 30, 2024

The U.S. Environmental Protection Agency (EPA) is taking steps to improve water treatment plant cybersecurity, and experts aren't sure the effort is enough.

In recent years, there have been more than a handful of attacks on water treatment plants, with some blame placed on nation-state attackers and others on insiders gone rogue. In January 2021, a threat actor deleted software programs at a water treatment system used to process drinking water. Fortunately, the event was mitigated the next day, public safety was not impacted, and the programs were reinstalled without much additional incident.

However, an incident in November 2023 proved more frightening: threat actors, alleged to be Iranian-backed, exploited a default password to compromise an internet-connected controller used to maintain water pressure. The Aliquippa, Pennsylvania-based water treatment plant was forced to fall back to manual operations.

According to an enforcement alert recently issued by the EPA regarding cybersecurity vulnerabilities in drinking water systems across the country, such attacks against community water systems are increasing in frequency and severity. These attacks enable threat actors to manipulate operational technology (OT) and disrupt water treatment, distribution, and storage. It’s even possible that such incidents can result in damaged equipment and chemical levels altered to potentially hazardous levels.


When it comes to securing the nation's water systems, there are significant challenges ahead. Perhaps the biggest is the sheer number of public water systems. According to the EPA, there are more than 148,000 such systems within the U.S. Some are publicly owned, others are community-owned, and there are transient non-community systems that serve places with heavy transient foot traffic, such as campgrounds.

"It's tough to apply some kind of uniform cyber hygiene assessment, given the disparate size and capacity and technical capacity of all the water utilities," Mike Keegan, an analyst at the National Rural Water Association, a trade group for the sector, told NBC News. "You don't have a really good assessment of what's going on," he said.

Michael Echols, former director at the Cyber Joint Program Management Office at the U.S. Department of Homeland Security and currently the CEO at cybersecurity consultancy Max Cybersecurity, adds that the nature of OT security creates additional challenges. "There is a general challenge related to O.T. across a host of critical sectors. The management of O.T. systems deviates from those practices we have come to appreciate for managing I.T. cyber risk," Echols says.

According to the enforcement alert, more than 70 percent of the water treatment systems the EPA has inspected since September 2023 violated basic Safe Drinking Water Act (SDWA) requirements. These violations included missing sections in their risk and resilience assessments and missing emergency response plans.

Some of the violations were alarmingly basic, including failure to change default passwords, the use of single logins for all staff, and the failure to curtail access for former employees. 

EPA Focuses on SDWA Compliance

To help improve security across water treatment plants, the EPA says it will increase inspections of community water systems, focusing on cybersecurity compliance with the SDWA. The EPA also said it may take civil, and even criminal, enforcement action in situations of imminent and substantial endangerment to address vulnerabilities identified during inspections.

The EPA, CISA, and FBI recommend implementing basic cyber hygiene practices outlined in the "Top Cyber Actions for Securing Water Systems" guidance. That guidance includes reducing internet exposure, conducting cybersecurity assessments, changing default passwords, asset inventory, incident response planning, system backups, vulnerability management, and security awareness training.
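The violations the inspectors found (default passwords, one login shared by all staff, former employees never removed) and the hygiene actions in the joint guidance (asset inventory, reduced internet exposure) map naturally onto an inventory audit. The following Python script is an added example, not EPA, CISA or FBI tooling: it walks a constructed asset-and-account inventory and flags internet-exposed OT devices, accounts still set to a known default password, logins shared by several people, and access still held by off-boarded staff. The inventory format, the default-password list, and every name and record in it are assumptions constructed for the example.

```python
"""Audit a small asset-and-account inventory for the hygiene gaps the EPA
alert describes: internet-exposed OT devices, default passwords, shared
logins, and access that former staff still hold.  The inventory format and
every record below are constructed for this example."""

from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Assumption: the inventory stores SHA-256 digests of passwords (as a config
# export might), so default passwords are detected by digest rather than by
# reading plaintext.  The default list is constructed; a real audit would use
# the vendor's documented factory defaults.
KNOWN_DEFAULT_PASSWORDS = {"admin", "1111", "password", "operator"}
KNOWN_DEFAULT_DIGESTS = {
    hashlib.sha256(p.encode()).hexdigest() for p in KNOWN_DEFAULT_PASSWORDS
}
OT_ROLES = {"plc", "rtu", "hmi"}   # device roles that should never face the internet


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


@dataclass
class Account:
    username: str
    password_sha256: str
    used_by: list[str]            # people who actually log in with this account
    enabled: bool = True


@dataclass
class Asset:
    name: str
    role: str                     # e.g. "plc", "hmi", "workstation"
    internet_exposed: bool
    accounts: list[Account] = field(default_factory=list)


def audit_asset(asset: Asset, former_employees: set[str]) -> list[dict]:
    """Return one finding per hygiene gap found on a single asset."""
    findings = []
    if asset.internet_exposed and asset.role in OT_ROLES:
        findings.append({"asset": asset.name, "category": "internet_exposure",
                         "detail": f"{asset.role} reachable from the internet"})
    for acct in asset.accounts:
        if not acct.enabled:
            continue              # a disabled account cannot be logged into
        users = set(acct.used_by)
        if acct.password_sha256 in KNOWN_DEFAULT_DIGESTS:
            findings.append({"asset": asset.name, "category": "default_password",
                             "detail": f"account '{acct.username}' still uses a default password"})
        if len(users) > 1:
            findings.append({"asset": asset.name, "category": "shared_login",
                             "detail": f"account '{acct.username}' shared by {len(users)} people"})
        stale = sorted(users & former_employees)
        if stale:
            findings.append({"asset": asset.name, "category": "stale_access",
                             "detail": f"former staff {', '.join(stale)} still hold '{acct.username}'"})
    return findings


def audit_inventory(assets: list[Asset], former_employees: set[str]) -> list[dict]:
    return [f for asset in assets for f in audit_asset(asset, former_employees)]


def build_sample_inventory() -> list[Asset]:
    """Constructed inventory: one pressure-control PLC, one HMI, one office PC."""
    return [
        Asset("booster-plc-1", "plc", internet_exposed=True, accounts=[
            Account("admin", sha256_hex("1111"), used_by=["J. Doe", "A. Roe"]),
        ]),
        Asset("treatment-hmi", "hmi", internet_exposed=False, accounts=[
            Account("operator", sha256_hex("Tr3atm3nt!2024"), used_by=["B. Lee"]),
            Account("contractor", sha256_hex("s3rv1ce-v1sit"), used_by=["C. Kim"]),
        ]),
        Asset("office-pc-03", "workstation", internet_exposed=True, accounts=[
            Account("blee", sha256_hex("Off1ce-pa55"), used_by=["B. Lee"]),
            # Off-boarded account that was correctly disabled: must not be flagged.
            Account("old-temp", sha256_hex("password"), used_by=["D. Poe"], enabled=False),
        ]),
    ]


FORMER_EMPLOYEES = {"C. Kim", "D. Poe"}   # constructed HR off-boarding list


def sample_findings() -> list[dict]:
    return audit_inventory(build_sample_inventory(), FORMER_EMPLOYEES)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"[{f['category']}] {f['asset']}: {f['detail']}")
```

Run against the constructed inventory, the PLC produces three findings (internet exposure, default password, shared login), the HMI one (a contractor who has left still holds an account), and the office PC none, because an internet-facing workstation is not an OT device and the off-boarded temp account was already disabled. The same four checks cover most of the specific failures the inspectors reported, and extending the inventory is a matter of adding records, not code.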

The EPA also offers technical assistance, guidance, tools, training, and direct consultation to help water systems improve cybersecurity resilience. 

Cybersecurity Efforts Need Budget

While inspections and some technical assistance are a welcome step in the right direction, and will help water systems regularly assess their cyber resilience and develop adequate emergency response plans, the experts we spoke with say that without proper resources for these plants to establish comprehensive cybersecurity and risk management programs, assessments and enforcement may not be enough to dramatically improve their security posture.

“I strongly believe that those that run small plants don’t choose to be insecure but are facing incredible demands for resources,” says Fernando Montenegro, principal cybersecurity analyst at market research firm Omdia. “We need to analyze which areas represent the greatest improvement potential and conduct interventions there – is it around vulnerable software? Is it around training and operations practices? Something else? This kind of disclosure is a step in that direction,” Montenegro says. “Getting regulations just right – in a way that can meaningfully change outcomes while respecting the multitude of constraints and competing interests that exist – is incredibly complicated,” Montenegro adds.

Echols says he applauds the effort to pressure water providers to make changes that increase the resilience of their cyber systems but that “it is also important to remember that there are cost and education considerations paramount to achieving the goal. We must mature and move practices to harden critical systems forward, making best practices for cybersecurity standard practice. However, reality must be injected and challenges to meeting the requirements mitigated to truly meet cyber goals.”

That reality, he says, is that the U.S. Government must ensure the regulated have the resources required to achieve the hardening and resilience goals to protect communities. “CISA and other federally responsible organizations have spent millions on education, workshops, technical assistance, and templates for cybersecurity in general. Understanding that the integrity of water systems could be critical to life, a special effort should be made to ensure end users have what they need to meet requirements,” Echols said.

Further, Echols notes that federal law designates CISA as the lead agency in helping critical infrastructure owners and operators address cyber risks to OT, and that a recent GAO report, "Improvements Needed in Addressing Risks to Operational Technology," highlighted the challenge CISA has in providing support to all who need it. The report cited limited staff and a failure to understand the effectiveness of its products. "Yes – now is the time to build on practices to secure water systems as the EPA has identified. The question is: how far is the U.S. Government willing to go to ensure cyber plans and remediation activity are worth the paper it is written on? True cyber hardening and resilience must be a partnership," he said.

George V. Hulme

George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
