THE VULNERABILITY OF WATER TREATMENT PLANTS:
A LOOK INTO CYBER ATTACKS IN THE USA

by J. A. Tiscareno

March 24, 2024

In the digital age, where technology pervades every aspect of modern life, the threat of cyber attacks on critical infrastructure looms large. Among these, water treatment plants stand as a vital yet vulnerable component of the nation’s infrastructure. The United States, with its extensive network of water treatment facilities, faces significant risks from cyber threats. Just 4 days before this blog post was written, our government issued a warning.

“Disabling cyberattacks are striking water and wastewater systems throughout the United States. These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities,” Michael S. Regan, an administrator with the Environmental Protection Agency (EPA), and White House National Security Adviser Jake Sullivan said in a letter to governors nationwide.1

This article delves into the intricate landscape of cyber attacks against water treatment plants in the USA, exploring their potential consequences, vulnerabilities, and measures for prevention and mitigation.

Understanding Water Treatment Plants

Water treatment plants play a fundamental role in ensuring public health by providing clean and safe drinking water to communities across the nation. These facilities utilize a complex system of processes to purify water from various sources, removing contaminants and impurities before distribution. The critical nature of their function makes them a prime target for malicious actors seeking to disrupt essential services and inflict widespread harm.

The Threat Landscape

  1. Rise in Cyber Attacks – In recent years, the frequency and sophistication of cyber attacks targeting critical infrastructure, including water treatment plants, have escalated. These attacks encompass a range of tactics, techniques, and procedures employed by threat actors to compromise systems, disrupt operations, or steal sensitive information. The motivations behind such attacks vary, ranging from financial gain to espionage, sabotage, or ideological reasons.
  2. Notable Incidents – Several high-profile cyber attacks against water treatment plants in the USA have underscored the vulnerabilities inherent in these systems. One such incident occurred in Oldsmar, Florida, in February 2021, where a hacker gained unauthorized access to the plant’s computer system and attempted to increase the level of lye, a caustic substance, in the water supply to dangerous levels. Fortunately, plant operators detected the intrusion in time, thwarting a potential catastrophe. This incident highlighted the potential consequences of a successful cyber attack on critical infrastructure.

Vulnerabilities in Water Treatment Plants

  1. Legacy Systems – Many water treatment plants in the USA rely on outdated or legacy systems that lack robust cybersecurity measures. These legacy systems, often designed without consideration for modern cybersecurity threats, may contain vulnerabilities that are easily exploitable by determined attackers. The inability to patch or update these systems exacerbates the risk of exploitation.
  2. Connectivity – The increasing connectivity of water treatment plant systems to external networks and the internet expands the attack surface available to malicious actors. While connectivity offers benefits such as remote monitoring and control, it also introduces new avenues for cyber attacks. Inadequately secured connections or devices can serve as entry points for attackers to infiltrate critical systems and compromise their integrity.
  3. Human Factors – Human error and negligence represent significant vulnerabilities in the security posture of water treatment plants. Insider threats, whether intentional or inadvertent, pose a considerable risk to the integrity and confidentiality of plant operations. Poor cybersecurity practices among personnel, such as weak passwords, lack of awareness training, or susceptibility to social engineering tactics, can undermine efforts to protect against cyber threats.

Potential Consequences

  1. Public Health Risks – A successful cyber attack on a water treatment plant has the potential to inflict severe harm on public health and safety. Contaminating the water supply with harmful substances or pathogens can lead to widespread illness or even fatalities among affected populations. The disruption of essential services, including drinking water provision, could have cascading effects on public infrastructure, healthcare systems, and economic activities.
  2. Environmental Impact – In addition to the immediate risks to human health, a cyber attack on a water treatment plant can result in significant environmental damage. The release of untreated or contaminated water into natural ecosystems can harm aquatic life, disrupt ecosystems, and degrade water quality. Mitigating the environmental impact of such incidents requires extensive cleanup efforts and restoration measures, imposing substantial costs and long-term consequences.
  3. Economic Costs – The economic repercussions of a cyber attack on a water treatment plant can be profound, affecting both direct and indirect stakeholders. The costs associated with remediation, infrastructure repairs, legal liabilities, and regulatory compliance can amount to millions or even billions of dollars. Moreover, the loss of public trust in the reliability and security of water infrastructure may lead to reduced investment, increased insurance premiums, and diminished economic activity in affected regions.

Mitigation Strategies

  1. Enhanced Cybersecurity Measures – Implementing robust cybersecurity measures is paramount to safeguarding water treatment plants against cyber threats. This includes deploying intrusion detection and prevention systems, network segmentation, encryption, access controls, and regular security assessments. Upgrading outdated systems, applying security patches promptly, and adopting industry best practices can bolster the resilience of plant infrastructure against cyber attacks.
  2. Employee Training and Awareness – Educating plant personnel about cybersecurity risks and best practices is essential for mitigating human-related vulnerabilities. Training programs should cover topics such as identifying phishing attempts, practicing good password hygiene, recognizing suspicious activities, and responding to security incidents effectively. Fostering a culture of cybersecurity awareness and accountability among employees can significantly enhance the overall security posture of water treatment plants.
  3. Collaboration and Information Sharing – Collaboration among government agencies, industry stakeholders, cybersecurity experts, and researchers is critical for addressing cyber threats to water infrastructure effectively. Establishing information-sharing mechanisms, threat intelligence sharing platforms, and public-private partnerships can facilitate the timely exchange of information and insights regarding emerging cyber threats and defensive strategies. By pooling resources and expertise, stakeholders can better identify, assess, and mitigate cyber risks facing water treatment plants.
  4. Regulatory Frameworks – Regulatory frameworks play a vital role in setting standards and requirements for cybersecurity in critical infrastructure sectors, including water utilities. Government agencies such as the Environmental Protection Agency (EPA) and the Department of Homeland Security (DHS) oversee regulations and guidelines aimed at enhancing the resilience of water treatment plants against cyber threats. Compliance with regulatory requirements ensures that utilities implement necessary safeguards and practices to protect against cyber attacks and safeguard public health and safety.

Emergency Preparedness

With the potential threat against our precious drinking water, one should consider: “What can I do to protect myself, my family, and pets from this potential emergency?” The answer is simple: “Be prepared. Take steps to protect yourself against the possibility.”

Sagan Life® offers a range of cutting-edge products designed to safeguard water quality and ensure resilience in the face of adversities such as cyber-attacks. Among these, the AquaBrick® Water Purification System stands out as a formidable defense mechanism. Equipped with advanced filtration technology, including a powerful filter capable of removing 99.9999% of viruses, bacteria, and protozoan cysts, it provides an independent and secure source of clean water. The container’s portability and ease of use make it an invaluable asset during emergencies or disruptions to municipal water supplies, including those resulting from cyber incidents. Additionally, the AquaBrick® Food and Water Storage Containers safely store water for up to one year, after which we recommend rotating the water supply. For those who need larger water storage capacity, the AquaDrum™ Water Filtration System is the best answer. All of their filtration products meet or exceed the EPA requirements for safe drinking water. By integrating these innovative products into contingency plans and disaster response strategies, water treatment plants can enhance their resilience and ensure the continued delivery of clean and potable water to communities nationwide.

Conclusion

Cyber-attacks against water treatment plants in the USA pose significant risks to public health, safety, and environmental integrity. As these facilities become increasingly interconnected and reliant on digital technologies, the need for robust cybersecurity measures and proactive risk mitigation strategies becomes more imperative than ever. By addressing vulnerabilities, enhancing cybersecurity defenses, and fostering collaboration among stakeholders, water utilities can strengthen their resilience against cyber threats and safeguard the integrity of vital infrastructure for generations to come.


1 Warning About Drinking Water Issued Nationwide – https://www.msn.com/en-us/news/us/warning-about-drinking-water-issued-nationwide/ar-BB1kenLA?ocid=hpmsn&cvid=9fb6b709e13047ea990b47d3f3cb365f&ei=13
