Combatting Cyber Attacks at Water and Wastewater Facilities

Cybersecurity is a top priority for the water and wastewater sector. Entities, and the senior individuals who run them, must devote considerable attention and resources to cybersecurity preparedness and response, from both a technical and governance perspective. Government intelligence confirms the water and wastewater sector is under a direct threat as part of a foreign government’s multi-stage intrusion campaign, and individual criminal actors and groups threaten the security of our nation’s water and wastewater systems’ operations and data. Managing cybersecurity is a complex challenge that requires an interdisciplinary, risk-based approach, involving an organization’s business leaders, as well as their technical and legal advisors.

A robust and tested cybersecurity program is critical to protect public health and safety, prevent service disruptions, and safeguard customer and employee personal and financial information. Inadequate cybersecurity measures and flawed responses to cybersecurity incidents carry tremendous risk. In addition to serious threats to people, property, operations and data, cybersecurity incidents also can result in potential civil and regulatory liability, and reputational harm.

Attacks will happen; do not be caught unprepared

Despite sector challenges, it is critically important to bolster cybersecurity protocols and defenses. Getting cybersecurity “right” is not an easy issue. Threats are persistent and mutable. The diverse nature of the water and wastewater sector, with organizations of varying size and ownership, the sector’s splintered regulatory regime, and a lack of cybersecurity governance protocols, present significant cybersecurity challenges. Moreover, entities within the sector often face insufficient financial, human and technological resources. Many organizations have limited budgets, aging computer systems, and personnel who may lack the knowledge and experience for building robust cybersecurity defenses and responding effectively to cyber attacks.

Despite these challenges, organizations – on their own and with outside technical and legal experts as needed – must develop a plan and give sufficiently rigorous attention to cybersecurity. An optimistic reliance on sovereign immunity defenses or insurance policies, or an unconfirmed expectation that someone else within the organization is “handling” cybersecurity issues, is not sufficient to protect an organization or its leaders from the repercussions of a cybersecurity attack and the related reputational harm.

There are scalable and effective measures that water sector members – individually and collectively – can take to improve the cybersecurity of their organizations, and of the sector as a whole. Given the very real threat and significant consequences of a cyber attack, it is critical that organizations prioritize cybersecurity and take reasonable steps to prevent, detect and respond to cyber incidents.

Water sector under attack

Cyber risk is the top threat facing business and critical infrastructure in the United States, according to the Director of National Intelligence, the Federal Bureau of Investigation and the Department of Homeland Security. A survey of more than 20,000 utility employees revealed that cyber threats are what they fear could have the biggest impact on operations, with a lack of resources and conflicting priorities as the greatest challenges. Water and Wastewater Sector entities have suffered a range of attacks, including ransomware attacks, tampering with Industrial Control Systems, manipulation of valve and flow operations and chemical treatment formulations, and other efforts to disrupt and potentially destroy operations. In March and April 2018, the U.S. Department of Homeland Security and Federal Bureau of Investigation warned that the Russian government is specifically targeting the water sector and other critical infrastructure sectors as part of a multi-stage intrusion campaign.

Attacks for financial, political and terroristic gain are a serious concern. The effects of a cybersecurity attack on critical water sector operations could cause devastating harm to public health and safety, threaten national security and result in costly recovery and remediation efforts to address system issues as well as data loss. Attacks causing contamination, operational malfunction, and service outages could result in illness and casualties, compromise emergency response by firefighters and healthcare workers, and negatively impact transportation systems and food supply.

Water sector entities also are responsible for protecting sensitive personal information, including employee records and customer billing data. This personal information is an attractive target for cybercriminals and the stolen data business continues to grow. Indeed, the U.S. had 16.7 million identity fraud victims in 2017, with $16.8 billion stolen from U.S. consumers through identity fraud.

Some recent examples

City of Atlanta ransomware attack. The City of Atlanta was crippled by a ransomware attack in March 2018, which disrupted city utilities, courts and other operations. For roughly a week, employees with the Atlanta Department of Watershed Management were unable to turn on their work computers or gain wireless internet access, and two weeks after the attack Atlanta completely took down its water department website “for server maintenance and updates until further notice.” It has taken Atlanta months, and estimated costs of up to $5 million in recovery efforts, to address the attack. (While the Atlanta attack focused primarily on public-facing operations, the Colorado Department of Transportation was hit with a sequence of ransomware attacks on its back-office systems, costing approximately $1 to $1.5 million to address.)

Ransomware attack on a water utility effected through spear-phishing. An employee clicked on a malicious email link that caused malware to download. Cybercriminals gained access through an Internet-facing commercial network and locked the utility out of its own systems, demanding the equivalent of $25,000 in Bitcoin to recover access. Replacing the infected computers and software cost $10 million, and full remediation costs (including paying the ransom in this instance) were approximately $2.4 million, $500,000 of which was not covered by insurance. This attack underscores the importance of resiliency and redundancy of systems, malware detection and prevention, and employee training, as well as the importance of having cyber-insurance in place.

Attack on the Industrial Control System (ICS) of a water and sewage authority. For approximately two months, cybercriminals exploited a vulnerability in a remote wireless Internet connection used for operations, and also exploited a hard-coded factory password. This attack underscored the importance of staying current with vendor patches and firmware updates, and of regularly (if not continuously) scanning networks for intruders. It also highlights a common developer flaw, hard-coded passwords, which should be avoided if possible; if the password belongs to the initial default account, that account should be deleted after set-up.

Attack on a water utility’s valve and flow operations. In one water utility attack, cybercriminals exploited antiquated computer systems to gain access to valve and flow operations and were able to manipulate the water flow and the amount of chemicals used to treat the water. Cybercriminals also accessed customer data via the company’s online payment system, through which the attackers gained administrator credentials and moved laterally through the network.

To access the full references, read about more examples and find out how cybersecurity attacks on water systems can be prevented, download the rest of this white paper on the American Water Works Association website. This article is an extract from the original white paper “Cybersecurity risk and responsibility in the Water Sector,” authored by Judith Germano and published by the American Water Works Association.