An era of cyberattacks on critical infrastructure has begun. Rural water utilities have vulnerabilities and advantages.
- The vast majority of water utilities in the country serve fewer than 10,000 people, and they tend to have less resources and tighter budgets than their larger counterparts.
- Many cybersecurity defenses won’t break the bank, even for systems on a tight budget. The challenge, experts say, is reaching the water utilities who could benefit from them.
- In the next few decades, as companies put more and more of their assets online, the threat of cyberattacks will only grow.
By Laura Gersony, Circle of Blue — July 13, 2021
Super Bowl weekend was the headline event last winter in Tampa, Florida, where the mood was giddier than usual, given that the hometown Bucs had advanced to the championship. But two days before the big game, an incident just a few miles west of Raymond James Stadium temporarily stole the show.
A hacker gained remote access to a water treatment plant in the town of Oldsmar. The intrusion on February 5 lasted only a few minutes — just long enough for the hacker to raise the concentration of lye in the water by a factor of 1,000. It was detected five and a half hours later, when an employee happened to glance at his screen and noticed an irregularity.
It was an outcome that cybersecurity experts had been warning of for ages. An era of cyberattacks on critical infrastructure has begun. Rural water utilities have vulnerabilities and advantages. Click To Tweet And Oldsmar, which serves just under 15,000 people, wasn’t an outlier; one in six water systems reported experiencing at least one IT-related incident in the past year, according to a survey by the Water Information Sharing and Analysis Center (WaterISAC) earlier this year.
The vast majority of water utilities in the country serve fewer than 10,000 people, and they tend to have less resources and tighter budgets than their larger counterparts. As a result, these utilities face unique challenges in defending themselves against cyberattacks.
For many, cybersecurity is the last item on a laundry list of more pressing issues.
“Elevating cybersecurity at the small city council, or the local governing board meeting, is really hard to do,” said Michael Preston, a legislative policy analyst with the National Rural Water Association. “It’s not top of mind, because the big pothole in town or the water main leak off Main Street is definitely going to lead to discussion.”
In some cases, the necessary defenses are just too expensive. While upgrading a system’s computer software—from Windows XP to Windows 10, for example—is often not pricey, the utility’s physical parts might not be compatible with newer software, requiring an overhaul of the old equipment. Some water systems simply can’t afford this cascade of expenses.
But many preventative measures won’t break the bank, even for systems on a tight budget. Jennifer Lyn Walker, the lead cyber threat analyst at WaterISAC, explained that simple, low-cost measures can drastically lower the risk of a cyberattack. These include strategies like changing passwords regularly, multi-factor authentication, and tracking who has access to what devices.
“Eventually, you reach a point where you need to invest a little bit more than just time, but there are a lot of things that the less-resourced utilities can do that go a long way without having to shell out millions of dollars,” she said.
Education can also go a long way. Kevin Morley from the American Water Works Association said that some water system employees simply aren’t aware that they are part of a system’s cybersecurity network. Letting employees know that they’re on the front lines, and advising them to take basic precautions like avoiding clicking on suspicious links, can make a big difference.
There’s no shortage of cheap solutions. The challenge, experts say, is awareness.
Many small water systems are located in areas with few IT specialists, and the systems may not be aware of the educational resources available via industry networks. What’s more, cybersecurity can feel alien to water specialists, creating a barrier to entry.
“There’s kind of a mythology and discomfort with cyber,” Morley said. “A big part of our efforts have been to demystify cybersecurity…to show that these are very doable things.”
Lyn Walker said that all it takes is for one larger system to “be a good neighbor” and share its expertise with nearby, smaller systems. Similarly, the National Rural Water Association hopes to expand its nationwide “circuit rider” program of roving, boots-on-the-ground consultants into cybersecurity education.
Responding to an Attack
In some ways, smaller systems are less vulnerable to cyberattacks to begin with. Every online component in a utility plant is a possible entry point for a hacker, meaning that a smaller utility can be easier to monitor and secure. “It’s like cleaning a condo versus cleaning a mansion,” said Morley from the American Water Works Association. “There’s just fewer parts.”
But in the event that they are targeted, the likelihood that they’ll be able to defend themselves is slim.
“If a state-sponsored actor is getting into [Defense Department] top-secret files, a lowly water utility is not going to stop them,” Morley said. “We’re not going to eliminate the bad cyber-actors any more than we’re going to stop a hurricane. So the question is: what are you doing to mitigate and recover from attacks?”
Here, too, the problem is communication. Currently, water utilities are not required by law to disclose when they have been hacked. Many, for various reasons, choose not to: they fear that their reputation will be damaged or that other bad actors will exploit their vulnerability. Sometimes they don’t know where to file a report.
Michael Arceneaux, the managing director of WaterISAC, said that this causes two main problems. First, if systems don’t report the hack, then they can’t get help from institutions in the water industry and government agencies. But it also means that the water sector as a whole is flying blind: there is little data or communication about the scale of the problem.
Sens. Marco Rubio, Susan Collins, and Mark Warner have introduced legislation that would require critical infrastructure companies, including water utilities, to alert the Department of Homeland Security when they’ve been hacked.
In the next few decades, as companies put more and more of their assets online, the threat of cyberattacks will only grow. It’s clear that, in the words of a National Rural Water Association brief, “the cyber pandemic for the industry has already begun.”
Laura Gersony covers water policy, infrastructure, and energy for Circle of Blue. She also writes FRESH, Circle of Blue’s biweekly digest of Great Lakes policy news, and HotSpots H2O, a monthly column about the regions and populations most at-risk for water-related hazards and conflict. She is an Environmental Studies and Political Science major at the University of Chicago and an avid Lake Michigan swimmer.