Water infrastructure rife with cyber vulnerabilities, report says
Between financial constraints and decentralized regulatory control, many water companies lack the resources for the continuous hygiene required for enterprise IT networks that are linked operational technology.
When hackers exploited an outdated version of Windows in an apparent attempt to poison the water supply in Oldsmar, Fla., ThreatLocker co-founder and CEO Danny Jenkins said he wasn't just alarmed that the attackers had gained remote access to the plant's TeamViewer software to jack up levels of sodium hydroxide to a lethal dosage. It more concerning to the cybersecurity executive that a single operator could tamper with the chemical levels -- regardless of whether that person was a hacker or utility employee.
The legacy infrastructure common in local water treatment plants lacks even the most basic cybersecurity controls. "Why was an operator, a single person, able to turn a dial that could poison the water?" Jenkins said in a recent interview. "Water companies tend to live in the past because their technologies live in the past … Regardless of the IT parts of this and the controls we put in place, the limitations need to be put in place as well."
On Tuesday, ThreatLocker published a report titled Protecting water infrastructure against cyberattacks, which explores issues water utilities have faced when looking to improve their cybersecurity posture and detailed the severely limited IT and operational technology financial resources for water utilities across the country.
For example, at least 38% of systems nationwide have allocated less than 1% of their overall budgets to IT cybersecurity, according to Information Systems Audit and Control Association's (ISACA) "Cybersecurity 2021 State of the Industry." Another 22.1% of systems were allocating just 1% to 5% of their budgets towards addressing IT cybersecurity issues.
State and local infrastructure advocates have testified on Capitol Hill in recent weeks about the need for increased federal investments in cybersecurity resources around water infrastructure for rural and small communities.
The $1 trillion infrastructure bill currently being considered in the Senate also includes a section on cybersecurity support for public water systems as part of a planned $48.4 billion investment in water infrastructure. The bill tasks the Cybersecurity and Infrastructure Security Agency (CISA) to prioritize risks to public water systems and the sources of drinking water. Under the bill, federal officials will provide site vulnerability and risk assessments, along with additional support and consultation, for public water systems which CISA determines should be prioritized for cybersecurity support.
A federal auditing process for water utilities similar to the one detailed in the legislation may also help provide clearer, standardized regulations for any public water system hoping to improve its cyber posture, Jenkins said.
Experts at a Senate Environment and Public Works Committee hearing in July pointed to federal initiatives they said were currently underutilized, like the Rural Water Circuit Rider Program, which can provide technical assistance like cybersecurity training and other resources to water utilities and their employees.
The water industry has largely failed to establish clear, universal guidelines around cybersecurity on its own, the report noted, with water infrastructure management typically left up to local municipalities or private firms.
A recent Water Information Sharing and Analysis Center (Water-ISAC) survey showed a majority of water utilities have yet to fully assess risks to their own IT assets.
Though added financial resources can go a long way in improving cyber posture, Jenkins noted water utilities were in need of clear guidance on how to spend funds in order to adequately protect their infrastructure.
"I hope the government is putting together tangible guidance, which people can actually follow as opposed to vagueness," he said. "Everyone wants a list of ways to move forward. Nobody knows what to do right now."
This article was first posted to FCW, a sibling site to GCN.
NEXT STORY: Defending against attacks on vehicle networks