Water Industry Cyber Threat Landscape

An overview to help in better understanding the water industry’s current threat landscape with some recent cyberattacks on water infrastructure to help highlight the prevailing issues and risks.
Picture of Waterfall team

Waterfall team

Water Industry Cyber Threat Landscape

Running water and working indoor plumbing are a basic necessity for modern cities. Most of us take for granted that the tap gives us water and that the water goes down the drain when we are done with it without giving it much thought. Behind this simple capability, there is a complex set of infrastructures for sourcing, purifying, treating, distributing, delivering, and pressurizing clean water to reach our taps, as well as a similarly complex system of infrastructures that handle the water once we are done with it.

Aside from regular maintenance and resource issues for all this infrastructure, there is a constant threat of cyber attackers trying to cause harm to these water systems with the goal of disrupting the society that depends on it. Let’s have a look at the threat environment that Water Utilities contend with.

“…there is a constant threat of cyber attackers trying to cause harm to these water systems with the goal of disrupting the society that depends on it.”

A Well-Balanced Chemical Mixture

One of the most basic threats to any water facility is that someone will tamper with the chemical mix of the water. Aside from the Hollywood style threat of hackers getting into the systems and putting too much of a common treatment chemical into the water to poison it, such as lye which usually controls the PH levels, there is also a risk that they would put in too little of the chemical which will cause pipes to corrode and eventually cause leaks everywhere, which would be a difficult problem to fix, especially if the pipes are inside walls or underground.

manhole cover with WATER on itThis type of threat is well addressed contained in the industry, and the chances of a cyberattack succeeding by changing chemical mixes or the process is unlikely. That’s because sensors and operators routinely track the PH other chemical levels throughout the process, because humans can do manual tests as needed, and because results are routinely submitted to the government or regulatory bodies. At most, malicious attackers might be able to achieve limited chemical changes within a small window of time between routine or manual observations and tests. And while some chemically imbalanced or tainted water might get released before the issue is caught, an emergency solution would most likely require diverting water and re-treating it, or would be too diluted to be significantly dangerous to public health. To date, no publicly known chemical or poisoning attack on water systems has yet occurred. In cases where the process was tampered with, the changes were quickly caught and remediated. Such an attack would require prolonged periods of water passing through the process with an improper mixture, and existing safeguards are so far sufficient to avoid such a problem.

Turning off the taps

The most realistic cyberthreat on water infrastructure are attempts to deny water services to the people who depend on it, or for wastewater treatment to cease functioning. While the amount of finished (treated) water reserves vary from utility to utility, it is always finite. Likewise, wastewater and stormwater treatment and collection facilities vary in size but have a limited design capacity. Considering that both water and wastewater infrastructure is tightly coupled, an incident may trigger treatment & distribution operations to shut down fairly soon as there is no way of storing all that wastewater. The release of untreated wastewater back to the environment, regardless of the cause, is often strictly regulated or prohibited by local laws and statutes.

Water Cyberattacks

large water valveIn the last few years, most of the cyberattacks on water that caused downtime happened to small municipalities and townships, or impacted only several thousand residents. For example, one recent case in Columbia had 40,000 resident that lost water service from a ransomware attack on the local utility’s billing system, running on their IT network. The town used a billing method in which people pre-pay for their water, which prompted the issue to impact physical distribution. Usually, attacks on IT systems don’t lead to a disruption of service, but with so many utilities around the globe there is room for each case to be unique.

Want some more real-world examples of recent cyberattacks on water facilities and other critical infrastructure that use similar systems? Check out our 2024 OT Threat Report.

Preparing Against Cyberattacks:

One of the most basic precautions against cyberattacks is having the ability to run equipment manually. The ability to operate manually is an effective way to bypass an ongoing cyberattack, and comes in handy when equipment malfunctions for any reason or requires regular maintenance. Manually running things works great for some processes – like –water distribution pumps, but once the scale goes up, or if the operations require real-time high speed automation to meet regulations, then manual operation may not realistically be feasible. In those cases, a solution like Waterfall’s Unidirectional Gateway is ideal. When it comes to securing water utilities against cyber-attack, Waterfall provides the highest level of cyber-physical security available on the market. Contact Waterfall to learn more about how unidirectional technology can help secure your water facilities.  

>>Join our upcoming webinar on June 18th>> and learn more about securing Water and Wastewater facilities

About the author
Picture of Waterfall team

Waterfall team


Stay up to date

Subscribe to our blog and receive insights straight to your inbox