Cyberattacks on water and wastewater utilities might not be quite as inevitable as death and taxes.

Still, they pose significant risks that operators in treatment facilities can play a critical role in mitigating. Attacks can come from various sources: agents for foreign governments, purveyors of malware and ransomware, disgruntled former employees and others, according to Kevin Morley, Ph.D., manager of federal relations with the AWWA.

Morley emphasizes that small utilities lacking security expertise are especially at risk. He cautions that cybersecurity is not just the province of IT professionals — it is everyone’s job. Measures as simple as managing passwords effectively and warning team members against clicking on links in suspect emails can help greatly in warding off attacks.

Morley works closely with U.S. government agencies and others to enhance the security of critical infrastructure. His work includes developing standards and guidance on cybersecurity, preparedness, and risk and resilience management for water and wastewater systems. He talked about cybersecurity threats and remedies in an interview with Treatment Plant Operator.

TPO: In the big picture, how would you assess the scope and nature of cybersecurity threats for water utilities?

Morley: Water utility operations face a number of threats, from natural disasters to typical water main breaks. Cybersecurity is a threat factor that has as close to 100% probability as anything else. Water systems are being targeted. Even very unsophisticated attacks have potential to seriously compromise utility services. Just because you’re small doesn’t mean you’re not a target. It may make you more of a target because bad actors know that smaller entities don’t necessarily have in-house cybersecurity expertise. They are easier targets than big cities. 

TPO: Can you give an example of an attack on a smaller utility?

Morley: A few years ago in Kansas, an employee was released from a small utility, and nobody took away his sign-on credentials. Two months later he was out having beers with his buddies and said, “Watch what I can do.” He shut down the water plant from his phone. He was prosecuted by the Department of Justice. The point is, a really simple HR failure compromised the public health and safety of a community.

More recently, utilities have been targeted by Iranian nationals in relation to the war between Israel and Hamas. In Aliquippa, Pennsylvania, they defaced the HMI on the PLC in a booster pump station with a message that essentially said, “We’re attacking you because this is an Israeli-based technology — free Palestine.” They didn’t go through with turning anything off, but they could have. They had total control of the system.  

TPO: How might the operators in that utility have prevented that incident?

Morley: The intruders took advantage of the utility being on the internet and not having changed the default password. Those are two super simple things that operators could have changed in terms of how access to that PLC was managed. These examples illustrate some simple, low-hanging-fruit actions that can be taken by operators to help manage the risks associated with cyber threats.

TPO: What are some of the kinds of vulnerabilities that utilities tend to have?

Morley: Sadly, it’s some really simple things, like not changing default passwords. Elements of their network are public-facing. People can go in and see it, and there’s no password control, and there’s no use of multifactor authentication or VPN to control access. I am not saying they shouldn’t do remote access, but if they’re doing that they need to put in some speed bumps to control who can get in and who can’t. It’s like at a physical plant: If you don’t have a fence, anybody can walk in. If you put up a fence, you keep most people out. And if somebody does jump the fence, you’re in a better position to say, “Hey, you’re not supposed to be here.”

TPO: How severe can the consequences be from cyberattacks?

Morley: It depends on the motivation of the bad actor and where they get into the system. They could literally turn the water system off, and that’s a real problem for fire safety, dialysis centers and hospitals. They could also compromise water quality. There are a lot of redundancies in water systems to help mitigate that, but depending on how the system is segmented and set up, those things can be overcome. On the wastewater side, they could shut the plant down, and now the utility is straight-piping waste out into the watershed, upstream of drinking water systems. A lot of environmental harm and downstream consequences could occur.

TPO: What specifically are intruders targeting?

Morley: They are targeting the things that actually run the pumps and the motors — operational technology. But the most common threat is ransomware because it’s about money. A Texas municipal district that serves 2 million people got hammered with ransomware. It didn’t impact operations, but it really messed up the business side. Customer and employee data was released. That costs real money.

TPO: How do ransomware and other malicious programs get into a system?

Morley: People click on things. Somebody sends an email containing malware. An employee clicks on it and now the malware is deployed. That’s how ransomware gets delivered 99% of the time. Or it could be an operator charging up a phone in the USB port on the computer in the control room. That operator just blew the firewall, so any garbage on that phone can get moved onto the control system.

TPO: How important is it to manage passwords?

Morley: It’s critical. If five people are working in a plant and there’s a single username and password, management has no operational understanding of who is in the system and when. You need unique usernames and passwords for personal staff, and if you have multifactor authentication, that’s one more safeguard to ensure only authorized users can access the system.

TPO: What kinds of resources are available to help utilities deal with cyber threats?

Morley: There is a free service from the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security. It’s a vulnerability scanning program. Think about window-shopping at Christmas time. You’re not in the stores, you’re not buying anything, but you can look in and see what they have. What this tool is doing is scanning the utility’s IP addresses from the outside, which is exactly what the bad guys do. If a utility implements this service, they would get a report that tells them, “You’ve got an open port to the internet at XYZ location, and you should close that.”

TPO: How effective has this scanning program been?

Morley: It’s really empowering, especially for small utilities that don’t have in-house security staff, but have a couple of operators in charge. They’re likely not cybersecurity experts, which is fine — I’m not knocking operators. But this is one tool that can help them understand what vulnerabilities may exist. CISA has observed that utilities enrolled in the program have reduced their vulnerability exposure by upwards of 40% within three months.

TPO: Is the scanning done on a one-time basis or over time?

Morley: They get a report from CISA on a periodic basis that essentially says: Here are the things about your network that, from the outside looking in, we see as vulnerabilities. Then, depending on what the issue is, they can deal with it themselves or bring in a service provider. It allows them to make important decisions to manage cybersecurity risks.

TPO: What cybersecurity resources does AWWA offer?

Morley: At awwa.org/cybersecurity, we have practical, step-by-step guidance for protecting process control systems from cyberattacks. We also have an assessment tool to help utilities tailor their review of the controls that are the most applicable to the technology used by the system. It includes a series of questions that basically say, “Do you do this or don’t you?” Based on the answers, we give prioritized recommendations for controls that should be implemented. There is also a getting-started guide to help small and rural utilities improve cybersecurity practices.

TPO: In summary, how important is it for utilities to make cybersecurity a priority?

Morley: Doing nothing is unacceptable. Cybersecurity is not an extra thing. It is a mission critical thing. It needs to be managed just as much as the distribution system. Water is a national critical infrastructure. It’s a national security risk. State actors including China, Iran and Russia are targeting it, along with more routine actors who are monetarily motivated, like purveyors of ransomware. We need to think in terms of the multibarrier approach we apply to water quality and expand it to cybersecurity for the assets that are critical to running the water system. Assume you’re going to be attacked. And then ask: Are we prepared to respond? And if the system is compromised, do we have a plan to bring things back online in a timely fashion?
