Federal officials are urging water utilities to pay more attention to the rising threat of cyberattacks.
“This will become a greater issue in the future, as more water systems try to cut costs by moving toward full automation,” BNA Bloomberg reported, citing federal aides.
The U.S. EPA and the Department of Homeland Security (DHS) are trying to assist small water systems in this area. They are creating new training materials that could be especially useful for small, rural systems without adequate resources, according to the report.
Helen Jackson, who works with the DHS Office of Cybersecurity and Communications, provided insight on the threat utilities face today, per the report:
Jackson said the cyberthreats to water utilities can come in a number of different forms: there’s ransomware, in which hackers demand compensation to relinquish control of equipment they have hijacked, or insider threats, which involve a system being compromised by someone who was granted access by the utility. Jackson cited a 2015 IBM survey that found insider threats constitute more than half of all corporate cybersecurity incidents.
David Travers, director of the EPA’s water security division, stressed that water utilities must be vigilant on this issue.
“We’ve become increasingly vulnerable,” he said, per the report. “As we rely on a fully automated system, I think there’s a certain degree of expertise that’s lost. Now you have operators who may not know how to run the system” during an outage.
Travers suggested that water utilities try “in-person, tabletop simulation” exercises to prepare. Jackson pointed utilities to tools prepared by the National Institute of Standards and Technology focused on assessing cybersecurity risks.
The water industry has faced various cybersecurity attacks in the past. In 2006, a hacker breached security at a water filtering plant near Harrisburg, PA. “The hacker tried to covertly use the computer system as its own distribution system for emails or pirated software,” ABC News reported.
Special Agent Jerri Williams of the FBI’s Philadelphia field office reportedly said that the computer under attack controlled a key system, “and if, for some reason, [the attack] caused it to fail, it would have disrupted service."
Another high-profile attack came a year later, when "a former employee of a canal authority in Northern California was charged with damaging the computer used to divert river water to farmers’ fields," according to a report by Rockwell Automation.
Image credit: "Katowice, miasto otwarte," Sebastian Sikora © 2012, used under an Attribution 2.0 Generic license: https://creativecommons.org/licenses/by/2.0/