Water & Wastewater – Waterfall Security Solutions
https://waterfall-security.com
Unbreachable OT security, unlimited OT connectivity
Last updated: Tue, 09 Sep 2025 07:13:15 +0000

Webinar Recording: Engineering Cybersecurity Mitigations for Municipal Water Systems
https://waterfall-security.com/ot-insights-center/water-wastewater/webinar-recording-engineering-cybersecurity-mitigations-for-municipal-water-systems/
Published: Thu, 20 Jun 2024 11:19:57 +0000


Mariano Martín Tirado (Acciona) and Rees Machtemes (Waterfall Security) discuss the risks and threat environment that water utilities face and how to counter them.

Waterfall team

Large water utilities are looking to gain efficiencies by adopting new distributed edge devices and digital transformation initiatives incorporating the latest machine learning and AI algorithms. Meanwhile, small to mid-size municipalities want to maintain their reliability without increasing their rate-base. Yet a worsening threat environment looms over North American and European operators. Increasingly sophisticated criminal ransomware, hacktivist, and nation-state actors have penetrated water utilities, without yet causing severe consequences. Nevertheless, the fact is that attacks have reached into critical networks and are nearly doubling year-over-year.

In this webinar recording, Mariano Martín Tirado, a Tech Leader at Acciona, and Rees Machtemes, Waterfall’s Director of Industrial Security, discuss:

- The latest incidents and trends impacting the Water industry.
- Recent developments in the field of engineering-grade mitigations to cyber risks that apply to Water & Wastewater operations.
- Strategies to protect water distribution and collection control systems.
- Opportunities to boost municipal cyber security for water systems through the purchasing and procurement process.
- Enabling the digital transformation of municipal water systems in the most secure way.

Water Industry Cyber Threat Landscape
https://waterfall-security.com/ot-insights-center/water-wastewater/water-industry-cyber-threat-landscape/
Published: Thu, 13 Jun 2024 09:12:20 +0000


An overview of the water industry’s current threat landscape, with some recent cyberattacks on water infrastructure that highlight the prevailing issues and risks.

Waterfall team

Running water and working indoor plumbing are a basic necessity for modern cities. Most of us take for granted that the tap gives us water and that the water goes down the drain when we are done with it without giving it much thought. Behind this simple capability, there is a complex set of infrastructures for sourcing, purifying, treating, distributing, delivering, and pressurizing clean water to reach our taps, as well as a similarly complex system of infrastructures that handle the water once we are done with it.

Aside from regular maintenance and resource issues for all this infrastructure, there is a constant threat of cyber attackers trying to cause harm to these water systems with the goal of disrupting the society that depends on them. Let’s have a look at the threat environment that water utilities contend with.


A Well-Balanced Chemical Mixture

One of the most basic threats to any water facility is that someone will tamper with the chemical mix of the water. Aside from the Hollywood-style threat of hackers getting into the systems and putting too much of a common treatment chemical into the water to poison it, such as lye, which usually controls the pH levels, there is also a risk that they would put in too little of the chemical, which would cause pipes to corrode and eventually leak everywhere. That would be a difficult problem to fix, especially if the pipes are inside walls or underground.

This type of threat is well addressed and contained in the industry, and a cyberattack is unlikely to succeed by changing chemical mixes or the process. That’s because sensors and operators routinely track the pH and other chemical levels throughout the process, because humans can do manual tests as needed, and because results are routinely submitted to the government or regulatory bodies. At most, malicious attackers might be able to achieve limited chemical changes within a small window of time between routine or manual observations and tests. And while some chemically imbalanced or tainted water might get released before the issue is caught, an emergency solution would most likely require diverting water and re-treating it, or the water would be too diluted to be significantly dangerous to public health. To date, no publicly known chemical or poisoning attack on water systems has occurred. In cases where the process was tampered with, the changes were quickly caught and remediated. Such an attack would require prolonged periods of water passing through the process with an improper mixture, and existing safeguards are so far sufficient to avoid such a problem.

Turning off the taps

The most realistic cyberthreat to water infrastructure is an attempt to deny water services to the people who depend on them, or to make wastewater treatment cease functioning. While the amount of finished (treated) water reserves varies from utility to utility, it is always finite. Likewise, wastewater and stormwater treatment and collection facilities vary in size but have a limited design capacity. Considering that water and wastewater infrastructure are tightly coupled, an incident may trigger treatment and distribution operations to shut down fairly soon, as there is no way of storing all that wastewater. The release of untreated wastewater back to the environment, regardless of the cause, is often strictly regulated or prohibited by local laws and statutes.

Water Cyberattacks

In the last few years, most of the cyberattacks on water that caused downtime happened to small municipalities and townships, or impacted only several thousand residents. For example, in one recent case in Columbia, 40,000 residents lost water service because of a ransomware attack on the local utility’s billing system, which ran on its IT network. The town used a billing method in which people pre-pay for their water, which caused the issue to impact physical distribution. Usually, attacks on IT systems don’t lead to a disruption of service, but with so many utilities around the globe there is room for each case to be unique.

Want some more real-world examples of recent cyberattacks on water facilities and other critical infrastructure that use similar systems? Check out our 2024 OT Threat Report.

Preparing Against Cyberattacks:

One of the most basic precautions against cyberattacks is having the ability to run equipment manually. The ability to operate manually is an effective way to bypass an ongoing cyberattack, and comes in handy when equipment malfunctions for any reason or requires regular maintenance. Manually running things works great for some processes, like water distribution pumps, but once the scale goes up, or if the operations require real-time, high-speed automation to meet regulations, then manual operation may not be feasible. In those cases, a solution like Waterfall’s Unidirectional Gateway is ideal. When it comes to securing water utilities against cyber-attack, Waterfall provides the highest level of cyber-physical security available on the market. Contact Waterfall to learn more about how unidirectional technology can help secure your water facilities.

Join our upcoming webinar on June 18th and learn more about securing Water and Wastewater facilities.

Protecting Water Utilities and Wastewater Treatment Plants
https://waterfall-security.com/ot-insights-center/water-wastewater/cybersecurity-for-water-utilities/
Published: Wed, 22 May 2024 11:47:41 +0000

Water systems cybersecurity expert Mariano Martin Tirado of Acciona shares with Waterfall his insights about protecting Water Utilities and Wastewater treatment plants.


Mariano Martin Tirado

Tech Leader at Acciona S.A.


The first problem with securing water facilities is that many were built over 20 years ago. None of the common security protocols are in place. No firewalls, no passwords, nothing to prevent cyberattacks. The reason is that such capabilities and threats didn’t exist when the water facility was first installed decades ago. So that is the first issue that often needs to be dealt with.

Water utility clients are naturally very concerned about cybersecurity attacks because you only have to watch the news to see the threats cyberattacks pose to water facilities around the world. Nowadays, cyberattacks that target these types of facilities do so because of their strategic/critical importance. The attacker’s motivation usually isn’t money, but rather clout and bragging rights. There is also a common concern that unfriendly governments will target such facilities as a strategic threat, as well as the common threat of ransomware.


Cyber Threats of Water Utilities

When someone attempts to maliciously access water facilities, there are two main types of motivations. One of them is to shut down the facility with the goal of making it impossible to start up again. In water-starved areas, this can be a very big problem. The second possible motivation is that someone may try to change the mixing and chemical makeup of the water, such as by adding too much chlorine, lye, or any other chemical, which can harm the health of those bathing in or drinking the water.

The control systems that run these water systems have many alarms and warnings to make sure the chemicals are within the approved parameters, but if someone takes control of the control systems, they would be able to deactivate these alarms. Manually tested samples are taken from the water too, but usually this is done once a day, not constantly like the automated sensors. It could be that the tainted water has already entered the main supply by the time it gets manually tested.

Risks for Wastewater Treatment Plants

Attacks on the wastewater systems are also a big concern. Imagine a big city with the entire wastewater and sewage system not running. It would become a very unpleasant problem very quickly. The motivations and risks from an attack on wastewater systems are similar to an attack on regular water utilities. Concerns are also similar, with the risk of someone breaking or shutting down the wastewater systems, or someone messing with the controls so that sewage is not treated properly, also impacting the health of the people when it is released into the environment.

Water and wastewater are physically separated so that a hacker can’t mix the two, but wastewater that can’t be treated because of a cyberattack needs to be released through the bypass, which then damages the rivers and streams that it is released into.

IT and OT in Water Utilities

The billing of the water facilities is part of the IT system and is kept fully separated from the OT network that ensures the water supply. It is impossible to jump from IT to OT and OT to IT when the systems are properly isolated.

Part of a Supply Chain Attack

There is also concern about a supply chain attack in which someone attacks the electrical systems powering the water utility. With wastewater it is important to not require external power to run. It is very common that solar and clean energy supply part of the energy needs, as well as burning methane that comes off the wastewater. Wastewater treatment plants do use external power, but they don’t rely on it. The newest plants use renewable energy but have a connection to external power just as a backup resource. When it comes to water utilities, it isn’t possible to have fully internal power resources. Desalination plants use lots of power, which always requires external power resources, as do normal water suppliers that use pumps to move massive water volumes around, which doesn’t apply to wastewater. So supply chain attacks are a threat to water utilities, but not as much of a threat to wastewater treatment plants.

Keeping Water Infrastructure Secured

The ever-evolving threat landscape requires a proactive approach to securing our water infrastructures. While the age of many facilities presents a challenge, it’s not insurmountable. Upgrading outdated systems with modern security protocols is certainly a step in the right direction, and implementing network segmentation can further secure critical operational technology (OT) networks from the internet and its threats.

About the author
Mariano Martín Tirado

Mariano is an advanced IT and OT expert with years of experience in Electrical engineering, communication networks, customised software and hardware solutions, and the application of new technology in the industrial sector. He is the technical leader responsible for the digitalization, technology and circular economy department at Acciona for water and wastewater treatment. He is passionate about using his expertise to drive innovation and to make a difference in the future of our planet. He holds degrees in both computer engineering from the college Innovation Luis Vives and in political science from the Complutense University of Madrid.

Webinar: Engineering Cybersecurity Mitigations for Municipal Water Systems
https://waterfall-security.com/ot-insights-center/water-wastewater/webinar-engineering-cybersecurity-mitigations-for-municipal-water-systems/
Published: Sun, 19 May 2024 08:57:53 +0000


Join our webinar for a look at how municipal water systems are engineered to mitigate cybersecurity threats and risks.

Join us on June 18, 2024, 11AM Eastern Time

Large water utilities are looking to gain efficiencies by adopting new distributed edge devices and digital transformation initiatives incorporating the latest machine learning and AI algorithms. Meanwhile, small to mid-size municipalities want to maintain their reliability without increasing their rate-base. Yet a worsening threat environment looms over North American and European operators. Increasingly sophisticated criminal ransomware, hacktivist, and nation-state actors have penetrated water utilities, without yet causing severe consequences. Nevertheless, the fact is that attacks have reached into critical networks and are nearly doubling year-over-year.

In this webinar, Mariano Martín Tirado, a Tech Leader at Acciona, and Rees Machtemes, Waterfall's Director of Industrial Security – passionate engineers with decades of combined industry experience – discuss:

- The latest incidents and trends impacting the Water industry.
- Recent developments in the field of engineering-grade mitigations to cyber risks that apply to Water & Wastewater operations.
- Strategies to protect water distribution and collection control systems.
- Opportunities to boost municipal cyber security for water systems through the purchasing and procurement process.
- Enabling the digital transformation of municipal water systems in the most secure way.

Join us on June 18th to look at the latest and most powerful techniques for assuring safety, reliability, and efficiency in a world of ever-increasing cyber threats.

About the Speakers

Mariano Martín Tirado

Mariano is an advanced IT and OT expert with years of experience in Electrical engineering, communication networks, customised software and hardware solutions, and the application of new technology in the industrial sector. He is the technical leader responsible for the digitalization, technology and circular economy department at Acciona for water and wastewater treatment. He is passionate about using his expertise to drive innovation and to make a difference in the future of our planet. He holds degrees in both computer engineering from the college Innovation Luis Vives and in political science from the Complutense University of Madrid.

Rees Machtemes, P.Eng.

Rees Machtemes is a Director of Industrial Security at Waterfall Security Solutions, and the lead researcher for Waterfall’s 2024 Threat Report. He is a professional engineer with 15 years of hands-on experience with both IT and OT systems. Rees has designed power generation and transmission substations, automated food and beverage plants, audited and tested private and government telecom solutions, and supported IT data centers and OT hardware vendors. This experience has led him to champion cyber-safe systems design and architecture.

An obsessive tinkerer and problem-solver, you’ll often spot him next to a soldering station, mechanic’s toolbox, or stack of UNIX servers. He holds a B.Sc. in Electrical Engineering from the University of Alberta.

How Waterfall Security Protects Water Facilities
https://waterfall-security.com/ot-insights-center/water-wastewater/how-waterfall-security-protects-water-facilities/
Published: Thu, 22 Jun 2023 09:03:00 +0000


Waterfall’s Unidirectional Gateways are used to secure water utilities by creating a one-way communication channel that allows information to flow in only one direction: out of the facility. This configuration prevents any data from flowing in the opposite direction back into the facility, making it physically impossible to remotely inject malicious code into the system. In the context of water utilities, this can help protect critical control systems, prevent unauthorized access or tampering, and make sure that a clean supply of water continues uninterrupted, even if other systems are compromised.

Here’s a general overview of how Waterfall’s Unidirectional Gateway could be implemented to secure a water facility:

1. Network Segmentation: A water facility’s network should be segmented into separate zones to isolate critical control systems from non-critical systems and external networks. This helps contain potential security breaches and limits the overall attack surface.

2. Unidirectional Communication: A Unidirectional Gateway such as the WF-600 can be installed at the boundary between the critical control system network and any external networks or systems. This allows data to flow from the critical control system network to external networks/systems but prevents any data from flowing back into the critical network. This ensures that no unauthorized commands or malicious data can be sent back into the control system.

3. Secure Data Transfer and Encryption: Waterfall Security’s Unidirectional Gateways can be configured with whichever connectors are required to work with existing third-party encryption protocols, which allows the outflowing information to be encrypted as it leaves the facility, helping ensure that its integrity and confidentiality remain intact.

4. Monitoring and Logging: It’s an understood fact that robust monitoring and logging systems should be in place to track and record all communication activity passing throughout the network. This helps in detecting any suspicious behavior earlier, identifying potential threats, and conducting forensic analysis any time a breach or attempt has been detected. Furthermore, Waterfall’s Blackbox creates a tamperproof copy of your logs, which can be used to quickly reveal what hackers may have attempted to conceal by comparing the tampered and tamperproof logs.

5. Enforce Remote Access with Hardware: Software-mediated remote access risks exposing sensitive operations systems to cyber attacks that exploit vulnerabilities in the remote access solution. This may be an acceptable risk when the worst-case consequences of compromise of OT systems are acceptable. More often in water treatment and distribution systems, worst-case consequences are unacceptable. When remote access is essential, operators should consider hardware-enforced remote access (HERA) technology to address the risks of software exploits exposing OT systems to attacks.

6. Flip to enable Security Updates: Let’s face it, all computerized systems need to be updated sooner or later. When it comes to industrial control systems, the whole operation can be at risk if an update has even the smallest hiccup. The Blue Screen of Death is not an option for a critical water facility. Waterfall Security’s FLIP allows for updates to be done on a copy of the ICS, so that it can be confirmed to work and not contain any malware before it is sent to the PLCs and the entire system to update.

7. Audit without disruptions: With the increased regulation that has started flooding the water industry, an increase in audits and forensic activity is a fair expectation. However, it is critical that all the pumps and valves keep working and that people have an uninterrupted water supply during these audits. Waterfall’s unidirectional loggers such as the WF Blackbox are ideal for enabling this process, while eliminating the need to shut down the system for the technical portion of the audit or forensic investigation.

8. Cloud Connectivity: While the water systems are physical and require a human operator present, there are many 3rd party solutions that require the OT to be connected to the cloud. The Waterfall Unidirectional Cloud Gateway makes it possible to safely connect to the cloud, without risk of compromise, by providing a virtual copy of the PLCs to interact with the cloud, which only passes information in one direction, and sequesters updates to the “copy” to negate it being used as an attack vector.

9. Securing IDS: Intrusion Detection Systems are designed to prevent intrusion. However, the sensor computer that runs the IDS software maintains a connection to the OT system via the mirror port, and a talented hacker would be able to exploit this vulnerability to send malicious packets into the OT. WF for IDS prevents this vulnerability by effectively placing a “one way valve” between the mirror port and the sensor computer, so that no matter how talented an adversarial hacker might be, it is still physically impossible for any data to make its way back from the IDS to the mirror port.
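
The comparison that item 4 describes, between a log that may have been tampered with and a tamperproof copy, can be sketched as follows. This is an added example, not Waterfall's code or part of the original post; the log format, host names and tag names are constructed assumptions.

```python
from collections import Counter

# Constructed sample data (not from a real facility). REFERENCE_LOG stands for
# the copy held in a write-once, one-way log store; LIVE_LOG stands for what is
# found on the possibly compromised host when the investigation starts.
REFERENCE_LOG = [
    "2024-06-01T02:14:07Z hmi01 login user=operator2 src=10.0.5.20 result=success",
    "2024-06-01T02:15:31Z hmi01 alarm_config tag=CL2_HIGH action=disable user=operator2",
    "2024-06-01T02:16:02Z plc03 setpoint tag=NAOH_DOSE old=4.0 new=9.5 user=operator2",
    "2024-06-01T02:40:55Z hmi01 logout user=operator2",
    "2024-06-01T06:00:00Z lab01 sample tag=PH value=7.4",
]

LIVE_LOG = [
    "2024-06-01T02:14:07Z hmi01 login user=operator2 src=10.0.5.20 result=success",
    "2024-06-01T02:16:02Z plc03 setpoint tag=NAOH_DOSE old=4.0 new=4.0 user=operator2",
    "2024-06-01T02:40:55Z hmi01 logout user=operator2",
    "2024-06-01T06:00:00Z lab01 sample tag=PH value=7.4",
    "2024-06-01T06:05:00Z hmi01 note text=routine_check",
]


def entry_key(line):
    """Identity of an entry: (timestamp, source host, event type)."""
    return tuple(line.split()[:3])


def compare_logs(reference, live):
    """Classify every difference between the trusted copy and the live log.

    deleted  - entry exists in the reference copy but not on the host
    altered  - same timestamp/host/event in both, but the details differ
    inserted - entry exists on the host but was never seen by the reference
    """
    # Multiset difference so that legitimately repeated lines are handled.
    missing = list((Counter(reference) - Counter(live)).elements())
    extra = list((Counter(live) - Counter(reference)).elements())

    findings = {"deleted": [], "altered": [], "inserted": []}
    for ref_line in missing:
        match = next(
            (cand for cand in extra if entry_key(cand) == entry_key(ref_line)),
            None,
        )
        if match is None:
            findings["deleted"].append(ref_line)
        else:
            extra.remove(match)
            findings["altered"].append((ref_line, match))
    findings["inserted"] = extra
    return findings


if __name__ == "__main__":
    result = compare_logs(REFERENCE_LOG, LIVE_LOG)
    for line in result["deleted"]:
        print("DELETED  ", line)
    for ref_line, live_line in result["altered"]:
        print("ALTERED  ", ref_line)
        print("   now   ", live_line)
    for line in result["inserted"]:
        print("INSERTED ", line)
```

Deleted and altered entries are the ones an investigator reads first, since they show what someone on the host tried to hide.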

It’s important to note that implementing Unidirectional Gateways is just one aspect of securing a water facility. A comprehensive security strategy would involve a combination of physical security measures, network segmentation, access controls, encryption, intrusion detection systems, and regular training and awareness programs for personnel. Additionally, it is crucial to engage with security experts who specialize in securing critical infrastructure to ensure the implementation is tailored to the specific needs and risks of the water facility.

Engineering-Grade Cybersecurity for Water Utilities | Recorded Webinar
https://waterfall-security.com/ot-insights-center/water-wastewater/engineering-grade-cybersecurity-for-water-utilities-recorded-webinar/
Published: Thu, 22 Jun 2023 00:00:00 +0000

Rees Machtemes and Andrew Ginter guide us through the latest trends and recent incidents of the cyber threat environment faced by water utilities. Next, we take a look at the EPA’s new audit advice and the challenges it presents for OT water systems. Then, we look at how Engineering-Grade cybersecurity designs can be used for addressing cyber risk. Finally, we pull it all together with how to apply these solutions to the water industry.

Rees and Andrew then introduce us to some examples of engineering-grade designs that can be used to help get ahead of the EPA’s ‘audit advice’ for water utilities, while also “futureproofing” industrial cybersecurity for years ahead.

9 Cybersecurity Challenges for Critical Water Infrastructure
https://waterfall-security.com/ot-insights-center/water-wastewater/9-cybersecurity-challenges-for-critical-water-infrastructure/
Published: Sun, 28 May 2023 00:00:00 +0000

In recent years, the issue of cybersecurity for vital water infrastructure has become a growing concern worldwide. Water is one of the most critical resources on our planet, and access to clean and safe water is essential for human life. Therefore, protecting water infrastructure from cyber-attacks is of utmost importance. In this article, we will discuss the importance of cybersecurity for vital water infrastructure worldwide, the threats faced by water infrastructure, and measures to prevent cyber-attacks on water infrastructure. Beyond that, we’ll address the challenges that water systems face when it comes to implementing the solutions to guard against cyberthreats.

Importance of Cybersecurity for Vital Water Infrastructure

Water infrastructure plays a crucial role in delivering clean and safe water to people worldwide. This infrastructure includes water treatment plants, distribution systems, dams, and reservoirs. Any disruption to this infrastructure can have severe consequences, including water shortages, public health risks, and even loss of life. Therefore, it is essential to secure water infrastructure from cyberattacks, which can cause grave damage to the system and the societies that depend on it.

Water infrastructure is increasingly connected to the internet, which makes it vulnerable to cyberattacks. Hackers can use malware and other techniques to gain unauthorized access to water infrastructure and disrupt the system’s operation. In recent years, there have been several incidents of cyberattacks on water infrastructure worldwide. For example, in 2021, a hacker who had the username and password of a former employee’s TeamViewer account at a water treatment plant in San Francisco and the Bay Area deleted programs that the plant used to treat drinking water, in an attempt to poison it. A bit later the same year, another hacker attempted to poison the water supply in Oldsmar, Florida.

The Threats Faced by Water Infrastructure

One of the most significant threats to water infrastructure is cyberattacks, which can compromise the system’s security and even cause physical damage to the infrastructure. Hackers can use several techniques to gain unauthorized access to water infrastructure, including phishing emails, social engineering, and brute force attacks. Once hackers gain access, they can steal data, disrupt operations, and even cause changes to the water’s chemistry. One of the biggest emerging threats is that once hackers are in, they can then target the OT systems using AI (such as ChatGPT) to generate the obscure code needed for the “payload” which manipulates the system and is the primary goal of the cyberattack. Previously, only hackers with very expensive and large teams could target such systems.

Challenges in Preventing Cyberattacks on Water Infrastructure

Preventing cyber-attacks on water infrastructure requires a multi-pronged approach.

Here are some examples of common IT measures, and why they can’t be applied so easily to industrial OT systems.

1. Conducting Regular Cybersecurity Assessments:

Just like with an office IT department, water infrastructure operators should conduct regular cybersecurity assessments to identify vulnerabilities in the system. These assessments should be conducted by qualified cybersecurity professionals and should include penetration testing, vulnerability scanning, and risk assessments.

The challenge is that such tests are prohibitively expensive, and many assessments require the closing of parts of the water system. Smaller water operators are not able to afford the costs, and larger, citywide water systems (which might be able to afford the costs) have difficulty in finding the right time to shut off everyone’s water in the name of “preventative measures.”

2. Implementing Access Controls:

Just like an IT department, water infrastructure operators should in theory implement access controls to limit access to critical systems and data. Access should only be granted to authorized personnel who have undergone background checks and have a legitimate reason to access the system.

The challenge is that providing remote access to OT systems also generates more backdoors for hackers to exploit. The most secure solution for water operators would be to completely airgap their industrial systems from all remote access, which would however create many other issues.

3. Train Employees and Teach Them About Cybersecurity:

Most office-based businesses are eager to train their employees so that they understand the best practices for password management, phishing awareness, and social engineering. This might be a feasible step for large water systems and the big players in the field that have the budgets. But many smaller operations for water systems simply do not have the resources to make this a reality.

4. Encryption:

Most IT departments have encrypted most of the flow of information. The goal is to stop outsiders from easily viewing or accessing sensitive data in transit or at rest. This includes data stored in databases, transmitted over networks, and stored on portable devices. Water infrastructure operators cannot use encryption for many of their OT systems, as they are very unique systems that don’t easily integrate with standard encryption protocols. Furthermore, the main concern with industrial systems is not that someone will exfiltrate sensitive data, but that they’ll inject something malicious into the system. Encryption doesn’t help much in that regard.

5. Deploying Firewalls:

It is hard to imagine that there are any IT departments that have not deployed firewalls to protect their systems from unauthorized access and malicious traffic. While firewalls are great for controlling what information flows in and out of a water facility, they can be bypassed by a talented hacker and therefore do not offer hermetic solutions when it comes to guaranteeing an uninterrupted supply of water. In addition to a classic firewall setup, water infrastructure should also integrate an unbreachable unidirectional gateway in order to be 100% certain that their OT systems can’t ever be breached remotely. This includes segregating the networks so that OT and IT are separated in order to isolate critical systems from the rest of the network. This segregation limits the impact of a cyberattack and prevents attackers from moving laterally within the network, especially from the IT environment to the OT environment.

6. Install and Update Anti-virus:

Installing anti-virus is one of the most basic cybersecurity tasks that IT regularly carries out with ease. But when it comes to industrial control systems, it is much harder. Common antivirus software can’t really be installed on PLCs. And to make matters worse, the anti-virus certificate signatures need to be updated daily, or sometimes twice a day. And the anti-virus software itself needs to be updated regularly too. All this updating amounts to a “constant and aggressive change” which makes it very difficult to manage an OT network.

The idea with cybersecurity is that we are supposed to control change to reduce risk to operations. Anti-virus software updates are sometimes mistaken, and flawed signature updates risk quarantining parts of the industrial automation. So, while OT systems certainly could use an anti-virus suite, it’s very hard to actually install it on industrial controls.

7. Installing Patches and Update Software:

Any IT worker will stress how important it is to update software regularly, especially when that update contains a security patch. This helps prevent known vulnerabilities from being exploited by attackers. But updating and patching is not as simple when it comes to industrial OT. While in theory it makes sense to apply this logic to industrial control systems, the reality is not so simple. Patches and updates introduce too many changes, too frequently, for an OT system, and the cure is as bad as the disease here. Any solution that risks “The Blue Screen of Death” on industrial control systems is not a realistic solution.

8. Develop backups and a Cybersecurity Incident Response Plan:

IT departments will often have an incident response plan in place so that if there is a cyberattack, they can revert everything to how it was before the incident, with frequent backups that can restore everything other than the last few hours/days of work that was done since the latest backup.

Water infrastructure systems are not that simple to back up, and there is a risk that the backup will also restore the malicious code which led to the cyberattack. To realistically restore an OT system, original floppy discs need to be on-hand near the site so that everything can be reset to its original settings. And the best way for a water facility to weather an incident is to have the workforce and the capability to switch to fully manual mode, as the priority will always be to keep the clean water flowing to homes and businesses.

9. Using Multi-factor Authentication:

IT departments frequently use multi-factor authentication to secure their systems. Multi-factor authentication requires users to provide two or more forms of authentication, such as a password and a fingerprint scan. While this detail seems trivial and overly simple, it is one of the best ways to block some of the most prevalent hacking methods.

However, when it comes to OT, any kind of remote access is just way too dangerous, as hackers can persist until they get through. The best solution for an industrial system is to be fully air gapped for smaller systems, or to use a unidirectional gateway for larger systems.

So in conclusion – it’s hard, and it doesn’t give us as much protection as we’d like. Threat environments are deteriorating rapidly – and cyber attacks with physical consequences for critical infrastructure and manufacturing facilities are more than doubling annually. New regulations are dropping on us as government authorities have become aware of this situation. In another few years, after another few doublings of attacks, we should expect even more stringent regulations coming down the pipe. In the posts & webinars ahead we will be looking at how to get ahead of these issues by deploying simple, affordable protections today that will stand the test of time. Stay tuned!


]]>
Water Utility Hacking 101 https://waterfall-security.com/ot-insights-center/water-wastewater/water-utility-hacking-101/ Mon, 22 May 2023 00:00:00 +0000 https://waterfall-security.com/ot-insights-center/uncategorized/water-utility-hacking-101/ The post Water Utility Hacking 101 appeared first on Waterfall Security Solutions.

]]>
Water is life! Water is probably the most important resource for maintaining society and order. It’s easy to take for granted and often dismissed as an easily attainable resource. But when push comes to shove, just a few short days without running water would start to have a profound negative effect on society and economies.

Securing water supplies is important, both practically and symbolically.

Here are some important aspects to consider when securing a water providing utility:

What are the cyber-risks for a Water Utility? 

The idea that hackers will somehow hack into a water utility and poison the water supply is for Hollywood movies. In reality, there are too many physical constraints that make such a hacking goal impossible, including the fact that workers manually check the water before it is released for tap use.

If a hacker did try and poison the water supply, they’d probably just cause a large batch of water that needs to be dumped or diluted.

So, what is the REAL risk to a Water Utility?

There are many more risks that are much more dangerous than poisoning the water supply. Most ongoing operations in Water Utilities consist of orchestrated and automated systems, without a realistic option of switching to full manual operation.

If an attacker comes along and simply disrupts the industrial process in any way, it creates a huge mess! It costs lots of money to keep everyone working overtime to fix everything, and then there is still the issue that they have to do something with all the water. Hackers might also compromise physical systems in a way that can break pipes and pumps, which can cost a fortune to fix.

Many of these kinds of attacks are NOT THAT technically complex, but can cause huge physical damage as a consequence.

The 2 Stages of an ICS cyber-attack:

Stage 1 is when the hacker passes the cybersecurity defenses, whether physically, through social engineering, or by any other way of getting past the firewall. This 1st stage of the attack includes finding vulnerabilities and exploiting them and would most likely resemble a run-of-the-mill cyberattack on an IT department. Once the hacker is able to get past this part, they’d use that access to then progress into the OT system.

Stage 2 is the actual cyber-attack that the hacker carries out in the Industrial OT environment, often called “The Payload”. So far, 99% of cyberattacks on Water Utilities are usually attempts to encrypt systems for a ransom, or to exfiltrate sensitive data. Only rarely do the attacks introduce malware into the utility’s systems because industrial control systems are very unique, and the hacker(s) would have to be very familiar with each specific system to write a malware script that would work.

So the big new risk in the near future is that hackers could use an AI (like ChatGPT) to help them write a malware script that the hacker would then inject into a water management facility’s OT, which can then break pumps, rupture pipes, or cause other physical damage that is costly and will disrupt the water supply for days, weeks, or even months.

Water is a critical infrastructure for other critical infrastructure, such as hospitals and factories. Hackers might target a drinking water plant with the goal of disabling another target which is using that water, not the water plant itself, which constitutes a supply-chain attack.

Even though these new AI-driven capabilities seem to be focused on Stage 2, they greatly incentivize more Stage 1 efforts, as hackers will now have something to do once “they’re in”.

Historically, many water infrastructure facilities found comfort over the years in the fact that while their system might get hacked, the hackers would have nothing to do once inside their system, as the obscurity of their system made delivering a custom payload nearly impossible without a large team in place. That comfort is no longer afforded to water facilities.


]]>
Get the Checklist | EPA Cybersecurity Guidelines for the Water Sector https://waterfall-security.com/ot-insights-center/water-wastewater/get-the-checklist-epa-cybersecurity-guidelines-for-the-water-sector/ Sun, 12 Feb 2023 09:32:00 +0000 https://waterfall-security.com/?p=14533 The post Get the Checklist | EPA Cybersecurity Guidelines for the Water Sector appeared first on Waterfall Security Solutions.

]]>

Get the Checklist | EPA Cybersecurity Guidelines for the Water Sector

As part of the White House’s broader efforts to protect American infrastructure from attacks by nation-states and other cyber threats, the EPA has released a 13-page PDF memo that outlines the steps that public water systems need to take in order to protect drinking water supplies. We’ve reviewed the EPA’s memo and created a checklist that highlights the most important take-aways, and also includes some more robust protections that the EPA will undoubtedly impose in the near future.


]]>
Water Infrastructure Cybersecurity for Small Operators https://waterfall-security.com/ot-insights-center/water-wastewater/water-infrastructure-cybersecurity-for-small-operators/ Mon, 31 Oct 2022 00:00:00 +0000 https://waterfall-security.com/ot-insights-center/uncategorized/water-infrastructure-cybersecurity-for-small-operators/ The post Water Infrastructure Cybersecurity for Small Operators appeared first on Waterfall Security Solutions.

]]>
Waterfall Presents Solutions at WCW22

For the first time in two years, the Western Canada Water Operators Association held their annual conference in a face-to-face format. It was a nearly week-long opportunity to reach out and connect with water operators across Western and Northern Canada. The primary focus of the event was technical training and networking for professionals, and naturally, Waterfall was there to talk about water infrastructure cybersecurity solutions for small operations. After two and a half years of isolation amid an exponential increase in attacks on ICS, there was a lot to discuss.


Rees Machtemes at the Western Canada Water 2022 event talking about Water Infrastructure Cybersecurity

What Small Water Infrastructure Looks Like

Our booth was visited almost exclusively by small water operators. Small operators are those municipalities with ten thousand residents or less. Their budgets are modest, and their teams are small. Sometimes only one person will manage and operate all four key components: watershed and resources management, water treatment, water distribution, and wastewater collection and treatment. Most operations are connected to the Internet.

For small operations, water treatment systems are delivered on a skid, in a small package that is modular and easy to deploy nearly anywhere. Process time – from untreated water in through to treated water out – is typically 3 to 6 hours. If more capacity is needed, additional skids are run in a new ‘train’, in parallel. Finished water reserve capacity is generally less than one day’s supply for residents, often much less.

Small operators told us their biggest cyber risk and fear was a complete process shutdown. The bad news is that such a shutdown is the simplest and most common consequence for cyber attackers to bring about. For example, two operators approached us at the event to say that they had been hit by separate ransomware incidents in the last 18 months. They were looking for solutions, because any downtime over a day means very negative outcomes including boil water advisories, water restrictions and trucking in water. For both ransomware attacks, through a combination of luck and swift action, the operators were able to recover in hours – without exhausting their finished water reservoirs.

Integrated IT/OT Cybersecurity Solutions

The common theme at the show on the cyber front was IT/OT integration to unlock business efficiencies. The prevalent solutions were designed to leverage the cloud, by connecting a plant’s SCADA system through traditional firewalls and VPNs. These solutions provide benefits such as easy access to treatment chemical replenishment, predictive maintenance programs and process monitoring by any operator from their laptop or smartphone. Completely integrated remote control solutions were on offer as well. Naturally, the vendors involved assured prospective customers that all this remote access and remote control would all be done with the most “modern and effective” of cyber security techniques.

Water Infrastructure Cybersecurity Recommendations

The point of my talk on Friday morning was controversial. If you are a small operator, can you afford anything close to an IT-grade security program? Such programs cost even small operators a half million to a million dollars a year. Yes, remote access and remote control save you 45 minutes driving into the plant every morning, and that savings has a real dollar value. But have you compared that dollar value savings to the cost of the cybersecurity program that you really need to assure public safety?

Worse, expensive IT-grade security programs are designed for business-critical IT networks, not for safety-critical or public-safety-critical operations networks. The networks controlling the creation and distribution of our drinking water really should be protected by deterministic, engineering-grade security. My conclusion? The smallest operators have no business connecting to the Internet, not directly and not indirectly. The risks to public safety are too great.

Small operations should operate air-gapped. An air gap is cheap, effective, and deterministic. It does not matter how fancy attacks become on the Internet because if the attackers cannot reach our control systems, they cannot compromise those systems. In larger systems, where cost savings of remote access to industrial data approach millions of dollars, use unidirectional gateway technology to enable that access. The gateways, again, are deterministic. They push industrial data out to remote users and business automation, with no chance whatsoever of Internet-based attacks “leaking” back into operations.

And yes, even with air gaps and unidirectional gateways we still need a security program. Contractors bringing their Internet-exposed laptops into contact with our systems is still a risk that needs to be addressed, in no small part by using strong contract language and liability clauses. Anyone bringing Internet-exposed USB drives into contact with our systems is a problem. These measures cost much less than an IT-grade security program while providing far greater protection. All of this and more is the topic of the recent book Secure Operations Technology, which is still being distributed for free as a public service by Waterfall Security Solutions.

Your Next Capital Upgrade

Feedback from participants at the event is that, while it can be difficult to fund engineering-grade cybersecurity initiatives out of operating funds, every water system sees significant capital projects at least every few years. Embedding engineering-grade security upgrades into capital projects is very do-able, especially when we make the case that engineering-grade protections both dramatically increase protection for public safety from cyber threats and dramatically reduce cybersecurity program operating costs compared to IT-grade programs.

As always, Waterfall Security Solutions remains your trusted partner for OT Security, and we are happy to provide (free) advice as to residual risks and exposures in your existing security program. We can also provide advice as to simple measures you can take to improve your security. Feedback is welcome. Please reach out to me on LinkedIn or at any time via info@waterfall-security.com or the Waterfall website.


]]>