Time to Raise the Alarm on Cybersecurity in the Water Sector

The Rising Threat of Cyberattacks on Water Facilities

In an age where technology permeates every aspect of our lives, the vulnerabilities of critical infrastructure have come to the forefront of national security discussions. A cyberattack on a water facility can jeopardize entire communities and businesses, with even a brief disruption in clean water supply leading to severe public health and safety consequences. Threat actors are acutely aware of the potential damage they can inflict, making the security of water utilities a pressing concern.

The Shift Towards Digitally Connected Systems

Water utilities are increasingly moving away from isolated operational technology (OT) systems toward more digitally connected frameworks that integrate with information technology (IT). This transition allows for more accurate, real-time data, enhancing efficiency and performance. However, it also introduces new cyber risks. As these systems become more interconnected, they become more attractive targets for cybercriminals looking to exploit vulnerabilities.

Vulnerabilities in Water Systems

Water systems are often more susceptible to cyber threats than other types of critical infrastructure. Many are municipally owned or operated by smaller utility providers, which have historically faced underinvestment. This lack of resources has hindered their ability to modernize, hire skilled staff, or invest in robust cybersecurity measures. Consequently, these smaller providers may represent the greatest danger in the landscape of water security.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about the vulnerabilities of water and wastewater systems. Attackers frequently exploit weaknesses in outdated or unsecured OT and industrial control systems (ICS), particularly those exposed to the internet or still using default credentials. The U.S. Water Alliance estimates that a one-day interruption in water service across the U.S. could threaten $43.5 billion in economic activity, underscoring the stakes involved.

Recent Cyber Incidents

The urgency of addressing these vulnerabilities is highlighted by recent incidents. The U.S. Environmental Protection Agency (EPA) identified 97 drinking water systems serving approximately 26.6 million users as having critical or high-risk cybersecurity vulnerabilities. Water utility leaders express particular concern over ransomware, malware, and phishing attacks. For instance, American Water, the largest water and wastewater utility in the U.S., experienced a cybersecurity incident that forced the company to shut down some of its systems. Similarly, Arkansas City’s water treatment facility had to revert to manual operations following a cyberattack.

These threats are not confined to the U.S. In the UK, Southern Water admitted to a breach of its IT systems, while in Denmark, hackers targeted the consumer data services of water provider Fanø Vand, leading to data theft and operational disruption. Such incidents reveal that the threat landscape is global, with authorities suspecting involvement from foreign actors.

According to Semperis, 60% of attacks on utilities are attributed to nation-state groups. It is believed that major cyber powers have infiltrated rival infrastructure for years, implanting malware that could disrupt essential services at a moment’s notice.

The Role of Operators in Cyber Defense

Cyberattacks on water facilities pose direct risks to community safety and the daily operations of utility operators. Therefore, it is crucial for operators to remain vigilant and prepared.

Key Risks Include:

  • Operational Disruptions: Cyberattacks can disable pumps, disrupt chemical dosing, or incapacitate monitoring systems, complicating efforts to maintain safe and reliable water supply.

  • Public Health Risks: Tampering with water treatment processes could lead to contamination, endangering the health of entire communities.

  • Increased Pressure on Staff: Recovering from a cyberattack often requires extended hours, urgent troubleshooting, and close coordination with emergency responders.

Operators serve as the first line of defense. Their intimate knowledge of the system, combined with awareness of cyber threats, is essential for spotting suspicious activity early, adhering to security protocols, and responding effectively to potential issues.

Government Approaches to Cybersecurity in the Water Sector

In response to the growing threat, the European Union has adopted a proactive stance on cybersecurity, implementing stricter regulations and long-term investments in essential services. The NIS2 Directive mandates that member states adhere to security standards, report incidents, and coordinate national oversight, thereby enhancing the resilience of utilities.

Conversely, the U.S. appears to be moving in the opposite direction. The EPA’s proposed budget for fiscal year 2026 includes a 54% cut, reducing funding from $9.14 billion to $4.16 billion—the largest reduction in fifty years. This raises serious concerns about the federal government’s capacity to support cybersecurity efforts in the water sector, particularly for small and rural utilities grappling with aging infrastructure and limited resources.

However, some U.S. states are stepping up to fill the void. For instance, New York has introduced new cybersecurity regulations and a grant program aimed at bolstering utility defenses.

Steps to Improve Cybersecurity

To mitigate risks, water utilities can adopt several proactive measures:

  1. Limit Exposure to the Internet: Reduce public internet access to operational devices like controllers and remote units. Regularly scan for and address any internet-exposed assets.

  2. Perform Regular Cybersecurity Assessments: Conduct frequent evaluations of both operational and IT systems to identify weaknesses and vulnerabilities.

  3. Change Default Passwords Immediately: Replace default passwords with strong, unique ones and enable multi-factor authentication (MFA) wherever possible.

  4. Maintain an Updated Inventory of Assets: Keep a current list of all operational and IT equipment to facilitate monitoring and management.

  5. Develop and Test Incident Response Plans: Create and regularly test plans for responding to and recovering from cyber incidents.

  6. Regularly Back Up Critical Systems: Consistently back up key operational and IT systems to protect data integrity and support recovery efforts in the event of an attack.
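An added example, not part of the original article: a small audit over an asset inventory (step 4) that flags internet-exposed OT devices, default passwords, missing MFA and stale backups (steps 1, 3 and 6). The CSV columns, asset names and the 30-day backup threshold are assumptions made for illustration.

```python
import csv
import io
import ipaddress
from datetime import date

# Constructed sample inventory. Names and columns are hypothetical;
# 203.0.113.40 is a documentation address standing in for a public one.
INVENTORY_CSV = """name,kind,address,default_password,mfa,last_backup
plc-intake-1,OT,10.20.1.15,no,yes,2025-05-28
rtu-booster-3,OT,203.0.113.40,yes,no,2025-01-10
hmi-chlorine,OT,192.168.50.7,yes,no,2025-05-30
billing-db,IT,10.10.0.5,no,yes,2025-03-01
"""

# RFC 1918 ranges treated as "internal"; anything else counts as exposed.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_BACKUP_AGE_DAYS = 30  # assumed policy threshold


def audit_inventory(csv_text, today):
    """Return {asset name: [finding codes]} for assets failing any check."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        addr = ipaddress.ip_address(row["address"])
        internal = any(addr in net for net in INTERNAL_NETS)
        if row["kind"] == "OT" and not internal:
            issues.append("ot-internet-exposed")      # step 1
        if row["default_password"] == "yes":
            issues.append("default-password")         # step 3
        if row["mfa"] == "no":
            issues.append("mfa-disabled")             # step 3
        age = (today - date.fromisoformat(row["last_backup"])).days
        if age > MAX_BACKUP_AGE_DAYS:
            issues.append(f"backup-stale-{age}d")     # step 6
        if issues:
            findings[row["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_inventory(INVENTORY_CSV, date(2025, 6, 1)).items():
        print(f"{name}: {', '.join(issues)}")
```

A private address does not prove a device is unreachable from outside, since port forwarding or a remote-access gateway can still expose it, so this check complements the external scan in step 1 rather than replacing it.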

Conclusion

As water facilities increasingly integrate digital technologies, the risks associated with cyberattacks grow. The potential consequences of such attacks extend far beyond the immediate disruption of services, threatening public health, economic stability, and community safety. By prioritizing cybersecurity measures and fostering a culture of awareness among operators, water utilities can better protect themselves against the evolving landscape of cyber threats. The time to act is now, as the safety and well-being of communities depend on it.
