In the US, water treatment plants face severe cyber security challenges. Water industry experts report that facilities receive inadequate support from federal entities.
Operated by local municipalities, many drinking water, wastewater and surface water treatment plants lack the resources to invest heavily in cyber security tools or staff. More federal funding and strict cyber security standards for water treatment facilities are needed to ensure that communities retain safe water resources and ecosystems.
Protecting processed water
A Washington-based think tank, The Foundation for Defense of Democracies, recently published a report calling for better funding of the Environmental Protection Agency’s (EPA’s) cyber security and disaster management system. A proposed budget includes as much as $45 million.
The EPA oversees water system management, and has been called upon to increase funding, staffing and training for utility plants. In 2021, the EPA worked with a budget of around $11.3 million, according to the Wall Street Journal, and requested $15.4 million for 2022.
Given the fact that more than 50,000 drinking water treatment plants and 15,000 wastewater treatment plants exist across the United States, initial budget estimates could easily prove inadequate. Water systems are uniquely vulnerable to cyber security threats.
Ongoing water treatment plant hacking
In mid-October, the EPA, CISA, the NSA, and the FBI jointly warned of ongoing hacking targeting surface water treatment facilities. In issuing this alert, CISA described five different attacks on water utilities in the past two years, four of which involved ransomware.
While the EPA states that it “works closely” with the water sector and other industry partners in order to protect utility plants, binding cyber security standards for water treatment plants do not exist. Treatment plants that serve communities of over 3,300 individuals must conduct their own cyber security risk assessments and draft their own incident response plans.
Biden administration’s new rules
Earlier this year, the Biden administration introduced a series of new cyber security regulations for critical infrastructure organizations. For example, pipeline operators must now inform the Transportation Security Administration in the event of a breach.
However, protocols for water treatment plants have not yet been devised. “This is a big vulnerability and the EPA is not doing enough. It’s not resourced or organized to address and support the water sector,” stated Representative Mike Gallagher (R-Wis), who co-chairs the Cyberspace Solarium Commission.
According to Gallagher, the 2021 National Defense Authorization Act has established the EPA as the sector risk-management agency responsible for overseeing water facilities. In turn, the EPA must offer technical assistance that prepares water operators to contend with cyber security vulnerabilities and security incidents.
Over the July 4th weekend, a ransomware attack on a water and sewer facility based in Maine disrupted the functionality of an office computer. Most alarms for the district’s sewer system remained dysfunctional for weeks. Hackers took advantage of the fact that the facility used an outdated version of Microsoft Windows software.
In February, a hacker managed to gain access to the Oldsmar water treatment plant in Florida. The hacker manipulated sodium hydroxide levels, threatening to poison an entire community. A plant manager observed the issue and alerted a supervisor ahead of catastrophe.
Cyber attackers may see water treatment plants as an avenue through which to create multiple, cascading failures across infrastructure sectors. This would result in serious issues concerning Americans’ public health and safety. Prevention of cyber attacks is the best mode of protection.