9 Cybersecurity Challenges for Critical Water Infrastructure

Picture of Waterfall team

Waterfall team

In recent years, the issue of cybersecurity for vital water infrastructure has become a growing concern worldwide. Water is one of the most critical resources on our planet, and access to clean and safe water is essential for human life. Therefore, protecting water infrastructure from cyber-attacks is of utmost importance. In this article, we will discuss the importance of cybersecurity for vital water infrastructure worldwide, the threats faced by water infrastructure, and measures to prevent cyber-attacks on water infrastructure. Beyond that, we’ll address the challenges that water systems face when it comes to implementing the solutions to guard against cyberthreats.

Importance of Cybersecurity for Vital Water Infrastructure

Water infrastructure plays a crucial role in delivering clean and safe water to people worldwide. This infrastructure includes water treatment plants, distribution systems, dams, and reservoirs. Any disruption to this infrastructure can have severe consequences, including water shortages, public health risks, and even loss of life. Therefore, it is essential to secure water infrastructure from cyberattacks, which can cause grave damage to the system and the societies that depend on it.

Water infrastructure is increasingly connected to the internet, which makes it vulnerable to cyberattacks. Hackers can use malware and other techniques to gain unauthorized access to water infrastructure and disrupt the system’s operation. In recent years, there have been several incidents of cyberattacks on water infrastructure worldwide. For example, in 2021, a hacker had the username and password of a former employee’s Team Viewer account of a water treatment plant in San Francisco and the Bay area. The hacker deleted programs that the water plant used to treat drinking water to try to poison it. A bit later the same year, another hacker attempted to poison the water supply in Oldsmar, Florida.

The Threats Faced by Water Infrastructure

One of the most significant threats for Water Infrastructure are cyberattacks, which can compromise the system’s security and even cause physical damage to the infrastructure. Hackers can use several techniques to gain unauthorized access to water infrastructure, including phishing emails, social engineering, and brute force attacks. Once hackers gain access, they can steal data, disrupt operations, and even cause changes to the water’s chemistry. One of the biggest emerging threats is that once hackers are in, they can then target the OT systems using AI (such as ChatGPT) to generate the obscure code needed for the “payload” which manipulates the system and is the primary goal of the cyberattack. Previously, only hackers with very expensive and large teams could target such systems.

Want to learn how to secure your water facility?

Get our EPA Checklist Critical Water Infrastructure

Get the full checklist

Challenges in Preventing Cyberattacks on Water Infrastructure

Preventing cyber-attacks on water infrastructure requires a multi-pronged approach.

Here are some examples of common IT measures, and why they can’t be applied so easily to industrial OT systems.

1. Conducting Regular Cybersecurity Assessments:

Just like with an office IT department, water infrastructure operators should conduct regular cybersecurity assessments to identify vulnerabilities in the system. These assessments should be conducted by qualified cybersecurity professionals and should include penetration testing, vulnerability scanning, and risk assessments.

The challenge is that such tests are prohibitively expensive, and many assessments require the closing of parts of the water system. Smaller water operators are not able to afford the costs, and larger, citywide water systems (which might be able to afford the costs) have difficulty in finding the right time to shut off everyone’s water in the name of “preventative measures.”

2. Implementing Access Controls:

Just like an IT Dept, water infrastructure operators should in theory implement access controls to limit access to critical systems and data. Access should only be granted to authorized personnel who have undergone background checks and have a legitimate reason to access the system.

The challenge is that providing remote access to OT systems also generates more backdoors for hackers to exploit. The most secure solution for water operators would be to completely airgap their industrial systems from all remote access, which would however create many other issues.

3. Train Employees and Teach Them About Cybersecurity:

Most office-based businesses are eager to train their employees so that they understand the best practices for password management, phishing awareness, and social engineering. This might be a feasible step for large water systems and the big players in the field that have the budgets. But many smaller operations for water systems simply do not have the resources to make this a reality.

4. Encryption:

Most IT departments have encrypted most of the flow of information. The goal is to stop outsiders from easily viewing or accessing sensitive data in transit or at rest. This includes data stored in databases, transmitted over networks, and stored on portable devices. Water infrastructure operators cannot use encryption for many of their OT systems, as they are very unique systems that don’t easily integrate with standard encryption protocols.  Furthermore, the main concern with industrial systems is not that someone will exfiltrate sensitive data, but that they’ll inject something malicious into the system. Encryption doesn’t help much in that regard.

5. Deploying Firewalls:

Hard to imagine that there are any IT departments that have not deployed firewalls to protect their systems from unauthorized access and malicious traffic. While firewalls are great for controlling what information flows in and out of a water facility, they can be bypassed by a talented hacker and therefore do not offer hermetic solutions when it comes to guaranteeing an uninterrupted supply of water. In addition to a classic firewall setup, water infrastructure should also integrate an unbreachable unidirectional gateway in order to be 100% certain that their OT systems can’t ever be breached remotely. This includes segregating the networks so that OT and IT are separated in order to isolate critical systems from the rest of the network. This segregation limits the impact of a cyberattack and prevents attackers from moving laterally within the network, especially lateral movements from the IT environment to the OT environment.

6. Install and update Anti-virus

Installing anti-virus is one of the most basic cybersecurity tasks that IT regularly carries out with ease. But when it comes to industrial control systems, it is much harder. Common antivirus software can’t really be installed on PLCs. And to make matters worse, the anti-virus certificate signatures need to be updated daily, or sometimes twice-a-day. And the anti-virus software itself needs to be updated regularly too. All this updating amounts to a “constant and aggressive change” which makes it very difficult to manage an OT network.

The idea with cybersecurity is that we are supposed to control change to reduce risk to operations. Anti-virus software updates are mistaken sometimes and flawed signature updates risk quarantining parts of the industrial automation. So, while OT systems certainly could use an anti-virus suite, it’s very hard to actually install it on industrial controls.

7. Installing Patches and Update Software:

Any IT worker will stress how important it is to update software regularly, especially when that update contains a security patch. This helps prevent known vulnerabilities from being exploited by attackers. But updating and patching is not as simple when it comes to industrial OT. While in theory it makes sense to apply this logic to industrial control systems, the reality is not so simple. Patches and updates introduce too many frequent changes for an OT system and the cure is as bad as the disease here. Any solution that risks “The Blue Screen of Death” on industrial control systems is not a realistic solution.

8. Develop backups and a Cybersecurity Incident Response Plan:

IT departments will often have an incident response plan in place so that if there is a cyberattack, they can revert everything to how it was before the incident, with frequent backups that can restore everything other than the last few hours/days of work that was done since the latest backup.

Water infrastructure systems are not that simple to backup, and there is a risk that the backup will also restore the malicious code which led to the cyberattack. To realistically restore an OT system, original floppy discs need to be on-hand near the site so that everything can be reset to its original settings. And the best way for a water facility to weather an incident is to have the workforce and the capability to switch to fully manual mode, as the priority will always be to keep the clean water flowing to homes and businesses.

9. Using Multi-factor Authentication

IT departments frequently use multi-factor authentication to secure their systems. Multi-factor authentication requires users to provide two or more forms of authentication, such as a password and a fingerprint scan. While this detail seems trivial and overly simple, it is one of the best ways to block some of the most prevalent hacking methods.

However, when it comes to OT, any kind of remote access is just way too dangerous, as hackers can persist until they get through. The best solution for an industrial system is to be fully air gapped for smaller systems, or to use a unidirectional gateway for larger systems.

So in conclusion – it’s hard, and it doesn’t give us as much protection as we’d like. Threat environments are deteriorating rapidly – and cyber attacks with physical consequences for critical infrastructure and manufacturing facilities are more than doubling annually. New regulations are dropping on us as government authorities have become aware of this situation. In another few years, after another few doublings of attacks, we should expect even more stringent regulations coming down the pipe. In the posts & webinars ahead we will be looking at how to get ahead of these issues by deploying simple, affordable protections today that will stand the test of time. Stay tuned!

Want to learn how to secure your water facility?

Get our EPA Checklist Critical Water Infrastructure

Get the full checklist


Stay up to date

Subscribe to our blog and receive insights straight to your inbox