Infrastructure Cybersecurity: Water Systems
KEY TAKEAWAYS
- There are approximately 153,000 public drinking water systems and more than 16,000 publicly owned wastewater treatment systems in the U.S. A cyberattack on any one of these systems could lead to service outages, damage to critical infrastructure, and potentially illness and loss of life.
- Hackers gained access to water treatment systems in California and Florida last year, in large part because those systems had been lax in implementing cybersecurity protocols.
- Both attacks used remote access systems, which are increasingly common on critical infrastructure IT systems and are a key cybersecurity vulnerability.
Securing critical infrastructure from cyberattack continues to be a top national security priority. The Cybersecurity and Infrastructure Security Agency considers “supplying water” and “manage wastewater” to be “national critical functions.” These are functions “so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
[Figure: Typical Water and Wastewater System]
The Threat
According to CISA, there are approximately 153,000 public drinking water systems that supply more than 80% of the U.S. population with potable water. More than 16,000 publicly owned wastewater treatment systems in the U.S. treat the sanitary sewage of about 75% of the population. Cyberattacks on these systems could lead to widespread panic and potentially significant illness and loss of life. In addition, a disruption in the water or wastewater system would have substantial effects on other critical services, such as firefighting and hospitals.
According to a 2021 report by one water industry organization, the top concerns for utilities are the need for cybersecurity training and education specific to the sector; technical assistance, assessments, and tools; threat information sharing; and financial support in the form of federal loans and grants.
The threat is not just hypothetical. In January 2021, hackers gained access to a water treatment facility in the San Francisco Bay area using a former employee’s username and password, which had not been removed from the system as cybersecurity best practice would dictate. The hackers deleted several programs used to treat water, and the hack was not discovered until the next day. Fortunately, no one appears to have been hurt by the incident.
In February 2021, hackers gained access to controls for a water treatment facility in Oldsmar, Florida, using outdated software and widely shared login credentials. The hackers attempted to increase the levels of sodium hydroxide, commonly known as lye, from 100 parts per million to 11,100 parts per million. A vigilant employee monitoring the levels saw what was happening and was able to stop it. Thousands of people could have been poisoned had the worker not caught the attack. Symptoms of lye poisoning include breathing difficulties, lung inflammation, burning of the esophagus, severe abdominal pain, vision loss, and shock.
The hackers gained access to the water treatment controls through a remote access system that had been dormant for half a year but remained on the system. The hackers may have gotten the password for the remote access account or may have used more sophisticated techniques to gain control. An investigation found it may have been part of a broader attack targeting the water sector, especially in Florida. Both attacks highlight the risk posed by remote access systems, which are increasingly common on critical infrastructure IT systems and are a key cybersecurity vulnerability.
Former director of CISA Chris Krebs wrote in an op-ed after the Florida incident, “Unfortunately, that water treatment facility is the rule rather than the exception.” He noted that, for many critical infrastructure entities, budget and other constraints mean “even the basics in cybersecurity often are out of reach.” He urged the private sector to improve its efforts on cybersecurity: “Companies have a responsibility to customers, stakeholders and, depending on where they sit in the economy, a responsibility to the country.”
Government Responsibilities and Responses
The Environmental Protection Agency is designated as the lead federal agency responsible for managing cybersecurity risks for the water and wastewater sector. The EPA has a variety of programs to help fulfill this mission. These include conducting training for water and wastewater employees, assisting utilities with improving their water surveillance, and requiring risk assessment and emergency response plans for systems serving more than 3,300 people.
In July 2021, the Government Accountability Office released a report highlighting 22 “high priority” recommendations for how the EPA could improve its efforts. One was that EPA “develop methods for determining the level and type of cybersecurity framework adoption by entities across the water and wastewater systems sector.”
Also in July 2021, the Senate Committee on Environment and Public Works held a hearing examining vulnerabilities in the nation’s physical infrastructure. A witness representing the Association of Metropolitan Water Agencies, which counts the largest publicly owned water systems as members, testified on the cybersecurity challenges facing the sector. He argued for more “rigor and accountability” for water systems operators and urged Congress to “come up with a fresh approach … that takes into account the urgency and complexity of cybersecurity and the diversity of the sector.”
CISA director Jen Easterly cited water systems as the key driver behind the Biden administration’s request for an $80 million increase in a Federal Emergency Management Agency grant program to improve the cybersecurity of state and local critical infrastructure operations. She testified to a House Appropriations subcommittee in April: “I would draw your attention in particular to water. Water entities that, frankly, are very target rich – as we saw with Oldsmar in February of 2021 – but resource poor, and so being able to provide grant money to help them raise their cybersecurity baseline, I think, is really important.”
At the state level, Maryland Governor Larry Hogan signed a package of cybersecurity laws earlier this month. One law requires public or private water or sewer systems that serve 10,000 or more users and receive financial assistance from the state to assess their vulnerability to a cyberattack. Another measure requires reporting of cyber incidents and says that state agencies must complete cyber assessments and create or update preparedness and response plans.