US water providers are ‘especially vulnerable’ to a cyberattack
There are persistent vulnerabilities plaguing water and wastewater systems across the U.S. Following the White House and EPA’s recent warning to U.S. governors about the susceptibility of U.S. water infrastructure to cyber threats, it is clearly time for utility providers to take note and to instigate appropriate action.
Looking into the matter for Digital Journal is Nick Tausek, Lead Security Automation Architect at Swimlane.
Tausek begins his analysis by assessing the nature of the risk and the potential damage that could be caused: “A primary focus of threat actors targeting U.S. water facilities is to disrupt critical infrastructure to weaken the United States security posture and impact human and environmental health.”
Furthermore, there is a wider societal effect: “These attacks erode trust in US institutions’ ability to protect their residents, undermining democratic participation. Threat actors seek to extract ransoms, customer information, and OT knowledge from the water facilities for monetary gain and other criminal purposes.”
One of the roots of the current level of risk relates to a failure to build a robust cyber-defence. Tausek is critical in his analysis, noting: “The historically outdated security posture of water infrastructure and the long-term risk potential make these systems an especially attractive target for cybercriminals.”
Furthermore, the water sector has lagged behind other utilities: “Compared to power generation, for example, water infrastructure receives much less attention, but as we have seen with cities like Flint, disruption to the water supply’s safety, whether from malfeasance or cyber-attack, can have extremely long-lasting and dramatic repercussions.”
This also raises the likelihood bar, says Tausek: “It’s not hard to imagine a nation-state actor using this historically easy target to simultaneously degrade water safety in multiple areas of the country during a future conflict to erode trust in institutions, harm the populace, and stretch resources away to deal with the water crisis.”
There also needs to be greater proactivity. According to Tausek: “A defensive approach is no longer sufficient. Water facilities must implement a proactive cybersecurity defense to effectively mitigate cyber threats.”
As an example, he recommends: “The utilization of automated security practices allows organizations to standardize their threat detection and alert monitoring, significantly reducing incident response times. This visibility into the IT infrastructure facilitates a more threat-informed response with increased efficiency. In addition, they must request that those in control of budgets take the criticality of a safe water supply into account when allocating resources for cybersecurity initiatives.”
Tausek has one more point to make: “Facilities should be using the tools, techniques, and advice provided by CISA.”