Recently the U.S. Cybersecurity and Infrastructure Security Agency (CISA), joined by six other federal agencies and counterparts in Canada and the UK, warned North American and European water treatment systems operators to shore up their defenses in the face of malicious cyber activity targeting water facilities. You could say it was a mayday call on their behalf; the five-page data sheet was issued on May 1.
The document cites repeated breaches by pro-Russia hacktivists who use rudimentary attack techniques to exploit vulnerabilities in outdated remote access software. Once in the network, they gain control of human machine interfaces (HMIs), such as touchscreens used to monitor or make changes to the system, and can compromise industrial control systems (ICSs) that operate critical processes within the facilities:
Pro-Russia hacktivists manipulated HMIs, causing water pumps and blower equipment to exceed their normal operating parameters. In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the water and wastewater systems operators.
Per CISA, the attacks have caused “little physical disruption” and resulted in only “nuisance-level” impacts, such as tank overflows that were fixed by reverting to manual controls. None has impacted drinking water – yet. That doesn’t mean they should be discounted. “These actors are capable of techniques that pose physical threats to insecure and misconfigured operational technology (OT) environments,” the agency warned.
Why Is the Water Sector So Attractive to Hacktivists?
Water and wastewater systems are ideal targets for hackers because they combine three ingredients: tight budgets, lax cybersecurity practices and almost guaranteed publicity, even for small attacks. With little effort and no need to cause actual harm, bad actors gain maximum notoriety.
1. Rate Increases Must Fund Aging Infrastructure, Not Security.
The current spate of attacks exposes the cybersecurity challenges facing the thousands of municipal water systems across the U.S. Many are small and operate with tight budgets. Community rate increases require approval by state public utilities commissions, and extra funds typically go toward replacing old water and sewer pipes and equipment that date back to post-World War II. Although some federal funding for cybersecurity is available, water districts typically can’t afford trained OT security staff to deal with cyber threats.
2. Poor Cyber Hygiene Is the Norm.
Given these resource constraints, it’s no surprise that cybersecurity practices are often poor in the water and wastewater sector. When CISA and FBI detectives investigated the most recently breached U.S. facilities, in each case they found outdated equipment connected to the internet, protected by weak passwords, making it relatively easy to breach critical infrastructure networks using simple techniques. Similarly, a March 2024 White House memorandum to state governors cited a widespread lack of “even basic cybersecurity precautions, such as resetting default passwords or updating software to address known vulnerabilities.”
3. There’s a High “Scare Factor” Tied to a Safe Water Supply.
Certainly, there are nation-state backed cybercriminal groups out there who use sophisticated tactics to penetrate IT and OT networks intending to cause real harm, both physical and financial. To date, that’s not what’s happening in the water sector. With nuisance attacks, stoking fear is the whole point. An attack on a water and wastewater plant?!? Traditional and social media can’t resist such news. “If they can control the HMI, imagine if they poisoned the water supply or caused a disease outbreak!” Coverage is sure to draw ratings and clicks.
Cybersecurity Best Practices for OT Operators on a Budget
The data sheet is one in a series of warnings issued over the last decade about the water and wastewater sector, all with similar findings and recommendations. There are multiple inter-agency working groups and dozens of resources with specific mitigation steps. This snapshot from a CISA infographic sums up what water facility owners and operators must do:
Owners and operators can lament the lack of funding, but when you’re talking about critical infrastructure that is actively being targeted, it’s not an excuse to do nothing. Basic cyber practices, including cyber awareness training for all employees, don’t have to be complex or costly to implement.
To formulate your cybersecurity plan on a dime, start with the three actions that CISA advises you take right away:
- Change all default passwords of OT devices (includes PLCs and HMIs) and use strong, unique passwords.
- Disconnect all HMIs and programmable logic controllers (PLCs) from the public-facing internet.
- Implement multi-factor authentication for all access to the OT network
If you believe your water and wastewater system may be targeted — although that’s hard to predict given the small, rural plants that have recently made headlines — it’s time to budget for stronger OT/ICS cyber defenses. Actions such as maintaining an accurate asset inventory, continuously monitoring for threats and anomalies, and assessing vulnerabilities are most effective when automated.
Nozomi Networks understands OT/ICS cybersecurity better than any other vendor. We also understand the constraints water and wastewater utilities operate under and can help you maintain resilience by doing more with less.
To learn more, visit https://www.nozominetworks.com/industries/water-wastewater-cybersecurity.
