Guest Column | January 12, 2022

Digital Protection: Lessons From 2021 For A More Secure 2022 (And Beyond)

By Rick Andrew


While the water industry continues to embrace the benefits of automation and digitalization, it is equally important to be cognizant and resistant to the inherent risks.

2021 was a growing year for most of us as we adapted and remained flexible through the ever-changing pandemic. As a global community, we have taken the obstacles from the past couple of years and have used them as learning tools to move forward with awareness and courage.

This past year has been no different for the water industry; it has provided learning opportunities for us to develop new solutions to manage water remotely as we continue to work in virtual environments. With the opportunity and convenience of working remotely, we rely heavily on this new digital environment we have created. Our new digital dependence opens us up to new challenges and potential threats for cybersecurity attacks.

Moving Forward

As we embrace the new virtual normal in our professional and personal lives, we have become vulnerable to different cybersecurity threats. Sophisticated online hackers make a living off companies and individuals entering personal and confidential information online and in various software programs. Some may wonder what this has to do with the water business. Our industry is no exception and faces an increased chance of cybersecurity threats and attacks on our water and wastewater systems.

Over the years, one of the standard digital tools used by the water industry has been supervisory control and data acquisition (SCADA) technology. Most large drinking water utilities automate essential water treatment functions and physical processes with this system. Additionally, many smaller utilities with less financial resources to invest in cybersecurity have also started adopting SCADA over the years. This makes them particularly vulnerable to a cybersecurity attack. Many utilities using digital systems such as SCADA are not digitally secure, regardless of size.

It is essential to be aware of the different risk drivers for a destructive cybersecurity attack on water and wastewater utility treatment plants to know where to start protecting your plant.

It’s safe to say that our top priority in the water industry is to provide clean and consumable water to our communities. We know that a slight adjustment to chemical levels during the water and wastewater treatment process can result in severe illness and even death to those who consume it. Because of this, it is crucial for water and wastewater utilities to implement systems that will block any hackers working to contaminate the water supply. An easy first step is education. Take time to learn the best online security system for your company that will add a layer of digital protection. In addition, it is important to be prepared with standard operating procedures to quickly and efficiently act in the case of a security breach to mitigate any potential impacts to the company, employees, and customers. We can use these two effective steps to protect our digital water treatment processes and help ensure that the water released to our communities is kept at proper consumption standards.

Risk Drivers

The importance of cybersecurity protection for our industry was made apparent last year when one of Florida’s water treatment plants was compromised. The cyberattack could have caused extreme harm to the city’s population of 15,000 people when the hacker raised sodium hydroxide levels in the water. Luckily, the plant worker who initially identified the critical issue moved quickly and efficiently to ensure the water delivered to the city was safe for consumption. It was fortunate that the Florida plant worker caught the dangerous issue right away, but we must remain vigilant and make sure our water utilities have strong cybersecurity capabilities to stop the potential threat of hackers.

It is essential to be aware of the different risk drivers for a destructive cybersecurity attack on water and wastewater utility treatment plants to know where to start protecting your plant. This includes ransomware attacks, phishing attacks, data leakage, hacking, and insider threats. Additionally, the following factors increase a water utility’s risk of being hacked and threatening the water supply:

  • Legacy/Outdated Infrastructure – 60 percent of breaches are successful due to an unpatched system with a patch available for the fix. Ensuring an organization’s infrastructure is up to date is an essential step in ramping up digital security.
  • Lack of Password Controls – Many companies use only single-use passwords and do not utilize multifactor authentication, making it easier for hackers to get into the company’s systems. Along with this, allowing simple passwords for logins creates a digital environment more conducive for hackers to be successful in breaching systems.
  • No Security Checks – Many companies rely on technical security tools but have neglected to create any assessment against a security baseline. Ensuring everyone in the company complies with a bare-minimum set of security measures can help bolster water utilities’ digital security.

Stepping Into The Future

As time moves forward, water and wastewater utilities will have to increase their digital protection and awareness of destructive attackers to keep our communities safe. As an industry, we will also have to increase our knowledge of cybersecurity attacks and create plans for countering attacks if the digital protection is breached. Our digital world is continuing to grow, and being able to quickly adapt is going to be crucial when dealing with commodities as precious as our drinking water.

About The Author

Rick Andrew is NSF’s director of global business development, water systems. Previously, he served as general manager of NSF’s Drinking Water Treatment Units (POU/POE), ERS (Protocols), and Biosafety Cabinetry Programs. Andrew has a bachelor’s degree in chemistry and an MBA from the University of Michigan. He can be reached at 1-800-NSF-MARK or by email at