In an increasingly digital world, cybersecurity is a significant – and relevant – threat to individuals and companies alike. Cybercriminals are constantly devising new ways to steal information for personal gain through exploitation or ransom demands.
It’s become unfortunately commonplace to hear tales of drained checking accounts, leaked photos, and private documents being published to the masses. In this post-pandemic era, the move to hybrid and remote work dynamics has tempted nefarious actors even more. In 2021, the average instance of data breaches and cyberattacks rose more than 15% year over year.
Vulnerability and Attacks Targeting the Water System
It’s not uncommon to receive emails or notifications from banking institutions alerting customers of new security threats, particularly phishing tactics. What is unique is hearing from some of the most prominent government institutions – including the FBI, the NSA (National Security Agency), the EPA (Environmental Protection Agency), and the CISA (Cybersecurity and Infrastructure Security Agency) – with a very specific warning: the water and wastewater systems across the US are the target of criminals.
The catalyst for this was a 2021 incident you may not have even heard of. A water treatment plant in Oldsmar, Florida, had its systems breached, and hackers attempted to poison the water supply in this 15,000-person town. The hacker tried to make changes to the levels of sodium hydroxide (also known as lye or caustic soda), increasing the concentration to highly toxic levels.
Users access operational systems in the Oldsmar facility online through a software platform. While the platform should have been segregated from the internet-connected IT network, criminals were able to gain access and control an administrator’s mouse remotely to make changes to the settings. Thankfully, a user spotted the mouse movement and alerted authorities, saving the health and livelihood of those depending on the Oldsmar system’s water.
Unique Security Challenges
While cybersecurity challenges are present throughout the utility sector, the water industry is particularly vulnerable. Having long ago identified the need for a unified approach to security, FERC and NERC have developed a standardized set of rules for securing the electric grid. After the Colonial Pipeline attack last year, the oil and gas industry has also taken note, tightening security. A new set of regulations are rumored to be announced this year.
That leaves the water industry particularly vulnerable. The same level of regulation and unified authority doesn’t apply to water utilities, and the disparate nature of system implementation leaves many potential security gaps. Cybersecurity practices are antiquated in many parts of the country, with weaker identity monitoring and access management tools.
A 2019 report issued by the AWWA (American Water Works Association) dubbed cyberrisk a paramount risk facing critical infrastructure. They identified insufficient human, technological, and financial resources as top barriers to comprehensive security measures and robust defenses.
Given the potential impact on the population, hackers have the upper hand when breaching frontline security. As such, ransomware is a go-to tactic, exploiting these vulnerabilities in exchange for sizeable payments. Reports indicate that ransomware attacks on the water utility industry are increasing, putting individuals across the country at risk.