Blog Hero Icon
Simple Steps For Mitigating Cybersecurity Risk
Back to Blog
Water Quality

Simple Steps For Mitigating Cybersecurity Risk

Regardless of the industry, cybersecurity is at the top of priority lists for company leaders around the globe. After 50 years of innovation in technology, it will take a collaborative approach by government officials, industry leaders, and individuals to safely navigate the volatile cybersecurity landscape.

For utilities, repercussions of a cyber-attack can cost millions of dollars, a tarnished reputation, and even lives in the case of water resources. The good news is that there are simple yet essential steps that every utility can start taking right now to improve their safeguards against these threats.

According to Black & Veatch’s 2021 Strategic Directions: Water Report, utilities’ resilience concerns surrounding cyberattacks have increased from 34% in 2020 to 56.2% in 2021. 

The report theorizes that with the increase in remote work brought on by the pandemic, utilities are more vulnerable than ever to cyberattacks including ransomware, internal sabotage, and cyber terrorism. Underfunding is another contributing issue, as many utilities lack the funds to invest in cutting edge security systems or to regularly audit their processes.  

Cybersecurity Attacks Increasing in Frequency

On January 15, 2021, a hacker tried to poison a water treatment plant that served parts of the San Francisco Bay Area. Utilizing popular remote work platform TeamViewer, the hacker used a former employee’s username and password to gain access to the plant’s computers. While no harm was caused by the incident, the hacker was successful in deleting programs that the plant used to treat drinking water.  

A few weeks later, a hacker infiltrated the water treatment plant in Oldsmar Florida through the same remote work software in attempt to add dangerous levels of sodium hydroxide to the water. According to the FBI investigation, all the plant’s computers used the same password, and they were utilizing Windows 7, an operating system that Windows no longer supports. Each of these factors contributed to Oldsmar’s vulnerability and status as a potential target.  

Published in 2020 in the Journal of Environmental Engineering, A Review of Cybersecurity Incidents in the Water Sector finds that there has been “an increase in the frequency, diversity, and complexity of cyberthreats to the water sector.”.  

Reported in the review was an attack that took place in 2016. An undisclosed water utility in the US (presented under the pseudonym of Kemuri Water Company) hired Verizon Security Solutions to perform an assessment of its water supply and metering system. The assessment revealed numerous high-risk vulnerabilities, including a reliance on outdated operating systems and computers. Digging deeper, Verizon found that the utility’s internet payment application and outdated AS400 computer system were linked, granting hackers access to any information stored in the AS400.  

The forensic investigation unveiled an exfiltration of 2.5 million unique records and the hackers’ manipulation of chemicals and flow rates.  

Again, outdated software and processing systems was the culprit behind the utility’s vulnerability. A Review of Cybersecurity Incidents in the Water Sector, which explores 15 recent malicious cyberattacks, emphasizes “the need for an adaptive, cooperative, and comprehensive approach to water cyberdefense.”  

Understand that cybersecurity is a continuous process. Actively monitor and stay vigilant.

Eric Logo Testimonial Logo
Eric Dorgelo, Chief Technology Officer, Aquatic Informatics

How Can the Water Sector Strengthen Security Resilience

By looking at past cyber-attacks on water and wastewater plants, we can learn a lot about how to better steel our defenses against both internal and external infiltration.  

Below are the FBI’s and the 2020 water cybersecurity review’s recommendations for increasing one’s security resilience: 

• Use strong and diverse passwords and securely protect them;  
• Always use multi-factor authentication 
Updating passwords
• Immediately change access permissions and passwords after terminating an employee 
• Ensure anti-virus, spam filters, and firewalls are configured and secure  
Audit network configurations and isolate end-of-life computer systems 
Apply two-factor authentication whenever possible
Train users to identify and report attempts or unusual activity
• Keep all software updated
Separate SCADA systems from administrative networks
• Perform routine checks of systems such as email that contain confidential information
• Implement a monitoring mechanism to oversee data transfer for early detection and response

Continue Learning

For more practical tips, register for our upcoming cybersecurity webinar, or check out our ebook written in partnership with OTT Hydromet:

The Main Takeaway

Protecting our source water and valuable data associated with our critical infrastructure requires active participation from everyone in the industry. 

Have you assessed your company’s software or operating systems recently? How many are outdated, not in use, or no longer supported?  

While not every everyone has access to the same advanced security software, we can improve the sector’s resilience by always upgrading and updating software, staying on top of administrative access, and practicing secure password processes.  

Amber Jelly
Amber Jelly

Dec 15 | 2022
Subscribe today!
Keep reading: Related Articles