Five Strategies to Optimize Cloud Security in 2019

Cyberattacks on water and wastewater systems (WWS) have been in the news lately, along with government action and guidance to improve cybersecurity across the WWS sector.

The WWS sector shares all the potential vulnerabilities that characterize other large infrastructure systems, where older operational technology (OT) and modern IoT/IT intersect, creating opportunities for cybercriminals and malicious state actors to penetrate and sabotage networks and systems.

But compared to other infrastructure systems, WWS pose unique and significant risks if a malicious actor should take control over them. Simply shutting down a major municipal water system would create a chaotic and dangerous situation, requiring a massive emergency response.

And if cyber-saboteurs were able to actually contaminate a local water supply — as was attempted in both Florida and San Francisco in 2021 — the consequences could be truly devastating.

Government action, reaction, retraction

In March 2023, in response to a growing number of cyberattacks on public and private infrastructure systems including WWS, the U.S. Environmental Protection Agency (EPA) issued a memorandum providing detailed requirements for public-water-system operators to conduct cybersecurity evaluations as part of the annual sanitary surveys of their systems.

Then came politics. Arkansas, Iowa, and Missouri responded to the memorandum by suing the EPA, accusing it of overstepping its authority. A federal appeals court suspended the rule, and the EPA issued a new memorandum in October 2023, withdrawing the previous memorandum.

New attacks, sharpened focus

Then, in November 2023, two very concerning attacks further focused attention on the threat to water systems. In quick succession, the Aliquippa Water and Sewer Authority in Pennsylvania and the North Texas Municipal Water District were struck.

The Aliquippa authority was struck by an Iran-based cybergang, called Cyber Av3ngers, which claimed to choose victims that use industrial components and software manufactured in Israel. A single pumping system was affected, and staff were able to take it offline without affecting service delivery.

By contrast, the North Texas district fell victim to a ransomware attack launched by cybergang Daixin Team, which claims to have stolen nearly 34,000 files including names, dates of birth, medical record numbers, and Social Security numbers. Again, delivery of services was not impacted in the attack.

New federal-agency guidance

Finally, in January of this year, the Federal Bureau of Investigation (FBI), EPA, and the Cybersecurity and Infrastructure Security Agency (CISA) collaborated to produce a guide to cybersecurity best practices for the WWS sector.

The guidance provided is divided into four sections:

  • Preparation — How to develop, implement, and practice an effective incident response plan
  • Detection and analysis — Implementing technical measures to detect intrusions and analyze event logs to quickly understand the full extent and scope of a cybersecurity incident
  • Containment, eradication, and recovery — Using technical means to isolate affected systems, eradicate malware, and restore systems to pre-incident status
  • Post-incident activities — Retaining and using incident data to improve security efforts and remedy any shortcomings in the incident-response plan and/or its execution

The guide is quite high-level and non-technical, and it does not mandate or require any actions at all — possibly in recognition of the political risk of imposing rules as the EPA attempted in March. So, it’s very useful at the level of administrative and organizational planning. But it doesn’t give you detailed guidance on specific solutions and technologies to use in achieving the best practices it describes.

The EPA provides a variety of other resources (summarized in this fact sheet) to assist WWS agencies in their cybersecurity efforts, which are well worth exploring.

Getting real

In the U.S. alone, there are approximately 50,000 independent water and wastewater systems, and they vary tremendously in size and in the resources available to them. Limited funding means they have to choose high-value cybersecurity investments. And a lack of trained IT staff means that there is a premium on systems that use automation and integration to keep things simple.

When it comes to preventing, detecting, and responding to network intrusions, a great place to start is a comprehensive, integrated network-security platform such as Barracuda Network Protection. Its modular structure is easy to build on over time as budgets allow.

Author

Tony Burgess

Tony Burgess is a twenty-year veteran of the IT security industry and is Barracuda’s Senior Copywriter for Content and Customer Marketing. In this role, he researches complex technical subjects and translates findings into clear, useful, human-readable prose.