Your Water Supply is Under Cyber Attack

Water sector cyberattacks have become increasingly common over recent years, driven by a rise in cybercrime. The water industry is a particularly vulnerable target for hackers, home to valuable critical infrastructure yet lacking advanced cybersecurity measures. An analysis of key attacks over recent years shows a few significant trends. What is causing increasing water sector cyberattacks and what steps are being taken to resolve the issue?

Key Cyberattacks in the Water Sector

The global cost of cybercrime was over nine times higher in 2022 compared to 2018, estimated at $8.44 trillion USD. Everyone is at increased risk of a cyberattack today, including utility providers like water supply and treatment companies. The U.S. water sector has been hit with several major cyberattacks in recent years, posing a serious threat to public health and safety.

For example, in 2018, the Onslow Water and Sewer Activity Authority in North Carolina had to shut down its IT network after two back-to-back ransomware attacks. The organization in Jacksonville distributes water to over 100,000 North Carolina residents. Luckily, the ransomware attacks didn’t interrupt service to those residents, but they did jeopardize the safety of utilities data and infrastructure.

In 2019, a 22-year-old remotely hacked into the Ellsworth County Rural Water District’s network in Kansas. The hacker attempted to tamper with disinfectant levels in the water treatment facility, but the attack was stopped before causing harm. Officials later identified and indicted the perpetrator, who was found to be a former employee of the Ellsworth County facility.

Similarly, in 2021, twin cyberattacks hit water sector facilities in San Francisco, California, and Oldsmar, Florida. Both attacks involved the use of a remote access program called TeamViewer. This app is commonly used in the utility industry for tasks like remotely monitoring water treatment and supply data. However, hackers abuse it to manipulate water sector companies’ systems illegally. Luckily, both attacks were stopped before they caused any harm.

Hackers’ Tactics and Motives

What is motivating all these attacks on the water sector? There are a few factors causing hackers to shift to less conventional targets like water sector organizations.

Ransomware-as-a-Service makes it easier than ever for bad actors to engage in hacking. An amateur hacker can access a sophisticated ransomware program by paying a small fee to the malware’s creator. As a result, more hackers are actively participating in crime today than five or 10 years ago.

A higher population of hackers leads many to consider new types of targets. An ideal one for a hacker is an organization with little to no security resources alongside some kind of critical infrastructure. The water industry needs a centralized approach to security and many treatment and distribution facilities require more critical cyber awareness. They often have few safeguards against unauthorized network access, exposing valuable infrastructure.

For example, three of the four water sector cyberattacks described above involved exploiting remote access programs and employee credentials. Experts estimate that at least 25% of data breaches are caused by stolen credentials, such as those used in the twin 2021 water sector cyberattacks.

In the San Francisco and Oldsmar attacks, hackers used stolen credentials traded on the dark web. At Oldsmar, all the facility’s employees reportedly used the same password to access the TeamViewer app. In the 2019 Ellsworth County, Kansas attack, the hacker abused employee privileges from a former water sector job. In these cases, greater identity and access control measures may have prevented the hackers from accessing sensitive systems and data.

The motives for many water sector cyberattacks seem to be damage- or fear-based. Hackers attempted to poison public water supplies through various methods in numerous attacks. For instance, they might use remote access tools to change the amount of water treatment chemicals to toxic levels.

Financial gain is likely also a major incentive, as in the case of the two 2018 ransomware attacks at a Jacksonville, North Carolina facility. Water sector professionals and industry leaders should keep in mind that the FBI advises organizations never to pay ransoms in ransomware attacks. Paying encourages hackers to continue crime campaigns and there is no guarantee they will actually restore a victim’s data once paid.

How the U.S. is Stepping Up to Defend the Water Sector

The U.S. federal government is stepping up to improve security in response to rising cyber threats against the water sector. For example, in 2018, Congress passed America’s Water Infrastructure Act. It establishes risk assessment requirements for water facilities serving 3,300 or more people. The act also outlines the guidance and technical support the EPA is expected to provide for water sector organizations.

In 2023, the EPA released updated minimum cybersecurity requirements for public water facilities. The new requirements include mandatory cybersecurity audits to ensure facilities nationwide implement resilient defenses. The updated requirements follow six 2021 initiatives the Government Accountability Office suggested, including support from the National Initiative for Cybersecurity Education.

The EPA is also taking steps to help water sector organizations improve their security practices. For example, the Water and Wastewater Utility All-Hazards Bootcamp training program the EPA provides includes employee training on cyber awareness and emergency response. Employee training is a vital part of improving cybersecurity at any organization. Water sector companies can use strategies like gamification and simulations to maximize the impact of such programs.

Additionally, the Water Information Sharing and Analysis Center has experienced membership growth. The organization provides security data and guidance for water sector facilities nationwide. Connecting water sector professionals through organizations like this can increase cyber awareness and the development of industry-specific security solutions.

Protecting the Water Sector

Everyone relies on the water industry for health, safety and food, so defending it from digital threats is paramount. Water sector organizations must take proactive steps to protect their systems and data from attacks, primarily as hackers increasingly target the industry. The U.S. EPA and industry organizations provide guidance and aid to support water sector companies as they adapt to more advanced security needs.