Cybercrime is on the rise, and water treatment plants are particularly vulnerable
Most town water treatment plants serve fewer than 50,000 people, and they face a problem: budgetary constraints keep administrators from investing in digital defenses, making the plants prime targets for cybercriminals.
“It’s definitely becoming a trend—possibly because ransomware has become a thing now where people can make money. Water plants do matter to the general public,” said Loney Crist, vice president of cyber security software development at IPKeys Power Partners, a New Jersey-based cybersecurity firm. “When you get a ransomware attack, it can be tens of thousands of dollars or hundreds of thousands of dollars.”
Some choose to pay the ransom; others get another system up and running: “It comes down to how much they think it’s going to cost to get their system going,” he said. “The majority of water plants are going to have some sort of remote access. And that tends to be the biggest vulnerability.”
Smaller systems, especially, don’t have enough revenue to pay for a plant’s physical and cybersecurity upgrades. And inside a system’s perimeter defenses, “Once you get on a network, they’re fairly flat. They’re fairly small networks,” Crist said. “They haven’t seen a need to segment them.”
Beyond the monetary concern, there’s a greater fear of the physical harm that could come to constituents if a cybercriminal were able to gain unimpeded access to a water treatment plant’s system digitally.
Last year, for example, a hacker broke into the Oldsmar, Fla. community water treatment plant and remotely turned up the levels of sodium hydroxide. At high levels, sodium hydroxide can seriously damage the human tissue it touches. Operators at the plant intervened manually before anything happened, preventing catastrophe. But the incident revealed an important vulnerability in systems across the United States.
It’s one that many managers are moving to address.
“Cybersecurity is an onion in terms of how much you can spend on it,” Crist said. “There are very basic levels of things you can do just to help.”
Among the security measures that are easy to implement, Crist said, zero-trust measures and multi-factor authentication are “very basic things you can do” right away. “If your password does leak, they can’t get in anyway,” he continued. The idea is to digitally “lock your door,” prompting would-be attackers “to go to the next door over and find a softer target.”
Educating staff members about the dangers of cyberattacks like phishing and email scams is another easy and inexpensive step people can take.
“Social engineering is generally the way they get into these systems,” Crist said.
Of all the challenges, encouraging cooperation and information sharing between water organizations is perhaps the most difficult one to overcome.
“Water companies tend to be nonprofit. … They don’t tend to share information,” Crist continued. “That’s something the electric industry and power generation has been doing for a while.”
Given the fiscal challenges and the educational shortfall pervasive in the industry, bolstering the defenses of water treatment plants is something the federal government has taken note of. Earlier this year, the Biden-Harris Administration extended the Industrial Control Systems Cybersecurity Initiative to encompass the water sector.
The plan was developed in concert with the Environmental Protection Agency, and assists plant operators “with deploying technology that will monitor their systems and provide near real-time situational awareness and warnings. The plan will also allow for rapidly sharing relevant cybersecurity information with the government and other stakeholders, which will improve the sector’s ability to detect malicious activity,” according to a brief from the White House. “This sector is made up of thousands of systems that range in size from the very small to ones that service major metropolitan cities that have little or no cybersecurity expertise and are unsure what steps they should take to address cyber risks.”