Balancing ICS business risks within critical water and wastewater sector

Rising digitalization and connectivity in the water and wastewater systems sector has exposed critical safety and operational systems to new cyber threats, leading to more significant ICS business risks. Cyber threats to the sector often stem from spearphishing attacks that deliver malicious payloads, including ransomware; exploitation of unsupported or outdated operating systems and software; and manipulation of control system devices with vulnerable firmware versions.

As digital resilience is no longer optional, water utilities are faced with malicious cyber activity from known and unknown hackers, often affecting operational technology (OT) and IT networks, systems, and devices. One of the measures to address these risks includes adopting cybersecurity standards such as the NIST Cybersecurity Framework (NIST CSF). However, the cost of compliance and the required investments in cybersecurity and data privacy are increasing, adding pressure to existing installations, especially smaller companies or utilities.

The American Water Works Association (AWWA) ranked ‘cybersecurity’ as the No. 12 water challenge in its ‘State of the Water Industry 2021’ report, marking a significant move up from No. 16 in the previous year. U.S. government intelligence confirms that the water and wastewater sector is under a direct threat as individual hackers and groups threaten the security of the water and wastewater systems’ operations and data. 

The AWWA report identified that aging infrastructure and how to finance the much-needed renewal and/or replacement of infrastructure were once again the top two apprehensions on this year’s list of water sector concerns, followed by long-term water supply availability. However, utilities indicated that they see their access to capital has increased slightly, with 55 percent of utilities reporting their access to capital is as good as or better than at any time in the past five years.

Industrial Cyber contacted industry experts to assess the prevailing ICS business risks faced by the water and wastewater systems sector, and the preparation level of minor installations to address these risks. It also analyzed the various coping mechanisms adopted to cover increasing costs brought about by compliance and investments in cybersecurity in the water sector, when covering ICS business risks.

Michael Arceneaux, managing director of WaterISAC

In the water sector, “we rely on ICS to control a wide range of operations, such as from adding chlorine to the water to controlling pumps that help move water from the plants to consumers,” Michael Arceneaux, managing director of the Water Information Sharing and Analysis Center (WaterISAC) and chief operating officer of the Association of Metropolitan Water Agencies (AMWA), told Industrial Cyber. “Many, many water systems do a terrific job of implementing best practices to reduce their ICS risks, but progress is slow, and less-resourced water systems have more challenges to overcome,” he added.

“In our 15 Fundamentals for Water and Wastewater Utilities, WaterISAC encourages water systems to conduct assessments, segment their systems, and practice access control, among other recommendations,” Arceneaux added.

The “lack of Asset Visibility & Control is the stand-out risk to the sector,” Kieran Caulfield, enterprise account director for OT at Renaissance, told Industrial Cyber. “This is by no means unique to this sector, but may be more pronounced and in some cases more difficult to resolve due to infrastructural challenges and aged equipment. Ransomware has focused attention on critical infrastructure and as a result, the lack of asset visibility, monitoring and control has been brought into clear sight for many organisations,” he added. 

Kieran Caulfield, enterprise account director for OT, Renaissance

According to Caulfield, the reality is that there are few solutions truly capable of solving the challenge. “Mitigating and planning for cyber-attacks against such systems is essential, but only serves genuine benefit when full visibility of every asset and where those assets are talking to is known and mapped,” he added.

Liability and exposure related to human safety within industrial control systems and operations technology represent the greatest severity and risk to the public and private entities in the water and wastewater systems sector, Paul Veeneman, an IT|OT|ICS| cybersecurity and risk management professional, told Industrial Cyber. “Those risks are predicated on Safety, Reliability, and Productivity, (SRP Triad) within operations technology, different from the information technology focus on Confidentiality, Integrity, and Availability, (CIA Triad) with some overlap in Reliability and Availability.”

Safety is the most critical aspect of any industrial control system, Veeneman said. “Safety related to water and wastewater systems extends beyond the water sector itself. Within the 16 critical infrastructure sectors, water is a primary sector that can significantly and severely impact others, most importantly Emergency Services, Food & Agriculture, Healthcare and Public Health,” he added.

Paul Veeneman, an IT|OT|ICS| cybersecurity and risk management professional

Veeneman also pointed out that between 2006 and 2021, there have been 12 confirmed instances impacting water and wastewater systems and facilities involving data breach, data loss or exfiltration, and data and control system manipulation. “The most recent that most will recall is the Oldsmar Florida Facility, where malicious code on a website targeting water utilities was introduced into the environment via a browser, allowing threat actors to gain access to systems at the plant, with the intent to increase the chemical treatment level to hazardous levels for city residents. Fortunately, the attack was identified before any impact to human safety,” he added.

In November, the Foundation for Defense of Democracies (FDD) said that 60 percent of water companies surveyed spent less than five percent of their budget on IT security in 2021, while nearly two-thirds spent less than five percent on OT security. Moreover, the smaller the utility, the less it spends on cybersecurity as a percentage of its budget, leading to fewer employees focused on IT and OT security and infrequent conduct of risk assessments. Thus, as attacks on the water and wastewater systems sector rise, it is critical to evaluate the ICS business risks of such exploitations, especially on smaller water utilities that lack the internal resources/skills in IT and OT cybersecurity.

“We’ve seen a range of attacks across all infrastructures. Water is just one of them,” Arceneaux said. “The challenges facing smaller systems include access to dollars to make investments, a lack of know-how to implement protection measures and a shortage of cybersecurity professionals available for hire. That’s why the water sector associations support increased federal funding to help under-resourced water systems,” he added. 

Most of the expertise in water sector cybersecurity resides in the water sector itself, according to Arceneaux. “Federal funding to help the sector groups to develop special guidance and training and provide assistance would go a long way toward improving utility security,” he added.

“Cyber security IT and OT resources and skills are not the only challenges facing the Nation’s water and wastewater infrastructure,” Veeneman said. “Reports as recent as 2020 to 2021 have identified that roughly 50,000 drinking water utilities in the United States face costs collectively more than $470 billion over the next 20 years to meet regulatory requirements to maintain, repair, or replace drinking water infrastructure,” he added.

Veeneman also highlighted that the number of successful attacks against critical infrastructure in the past ten years provides a very clear picture of the preparedness that currently exists. “The capability and capacity to identify threats, deter and repel vulnerabilities, and mitigate risks to water and wastewater systems currently fall short of where they need to be. But there is a significant level of visibility at the local, state, and federal levels,” he added. 

DHS, CISA, public-private partnerships, and the current administration have taken great strides toward leveraging the resources of the federal government and its agencies to set a path, support moving forward, and overcome the challenges, Veeneman added.

“Increasingly, we are seeing OT Cyber Security solutions being deployed to protect the critical systems in these organisations,” Caulfield said. “Depending upon the chosen solution and effectiveness of that solution’s integrations and reporting features, the project will enable management teams to plan, prepare and rehearse for such attacks. Mitigation is crucial, but in a planned and managed strategy ensuring the criticality and priority of every identified risk is used to determine the starting-point,” he added.

Addressing the rising costs brought about by compliance and investments in cybersecurity, and their impact on ICS business risks in the water and wastewater systems sector, Arceneaux said that the “only federal security requirement today for the water sector is one requiring drinking water systems to conduct risk and resilience assessments and develop emergency response plans every five years. There is nothing similar for wastewater.”

“To remedy the lack of federal regulations, the U.S. Environmental Protection Agency is considering regulating water and wastewater cybersecurity through two existing programs – sanitary surveys and discharge permits – by weaving in minimum practices in some fashion,” Arceneaux said. The agency has not yet shared any details, he added.

Meanwhile, the present public-private effort to boost water and wastewater systems is through threat awareness and education about best practices, according to Arceneaux. “There are many resources available to utilities in the water sector, from WaterISAC’s to those from the U.S. Environmental Protection Agency, the American Water Works Association, and the Cybersecurity and Infrastructure Security Agency,” he added.

Current federal funding sources for water sector cybersecurity are minimal, Arceneaux said. “If a utility has won a state revolving loan, for instance, to build a new plant, it can use some of that money to purchase security assets, too. And the massive bipartisan infrastructure package that passed last year authorized (but did not appropriate) $350 million over five years for a range of resilience efforts, including cyber resilience. Clearly, there will be an unmet need until we can convince Congress to appropriate further funding,” he added.

“Apply the cyber security and resilience investments, and the dollar amounts climb sharply,” Veeneman said. “Basic cyber awareness programs, cross-functional training for IT and OT personnel, and lessening the skills gap all represent significant monetary obstacles that will need to be overcome. There are opportunities for government funding at the state and federal levels that allow for distribution of funds allocated to non-profit public entities and for-profit private entities. The allocations are structured with smaller distributions going to private ownership versus public entities,” he added.

Additionally, both the public and private entities and organizations have the option to enlist the services of ICS OT and IT integrators and managed service providers, with the skills in ICS and OT cyber experience, that can fill the gaps, augment, and provide the necessary cyber security expertise and solutions, Veeneman pointed out. “Organizations will want to ensure that technicians, engineers, and security personnel demonstrate necessary ICS and OT cyber awareness and knowledge when reviewing qualifications of prospective integrators and managed service providers,” he added.

“Until relatively recently investment in ICS Business Risks was seen by some in the WWS sector as less than priority, but that has all changed since the well-publicised attack against the Florida plant and the potential impact upon the public consumers in that region,” Caulfield said.

There exists a need to drive situational awareness due to the high consequences of a cyberattack on the water and wastewater sector. A recent Fortinet survey found that responses to questions on cyberattack concerns, experiences, strategy, and preparedness show respondents lack awareness of a cyberattack’s potential for grave harm. 

“In a question about perceived changes in the number of cyberattacks over the last year, most respondents (62%) believed there was no change. Without detection methods, cyberattacks can be ‘invisible’ until it’s too late,” the survey revealed.

“It’s highly feasible to spread situational awareness about water sector cyber risks, but it will require a unified effort among the national water and wastewater trade associations and WaterISAC and a collaboration with the U.S. Environmental Protection Agency and the Cybersecurity and Infrastructure Security Agency,” Arceneaux said. “The problem is that there are tens of thousands of water and wastewater agencies, with varying degrees of understanding of the risks. Some of this outreach already takes place, but much more needs to occur,” he added.  

Arceneaux added that “with enough funding and coordination, the sector and the agencies can reach deep into the community of systems to help managers understand the risks, identify mitigation opportunities, and make investments now and as needed in the future. A lot of hand-holding will have to take place for the smaller systems, but if Congress supports the concept, we can do it.”

“Acknowledging the risks to safety, specifically human safety, and the extraordinary business risk and impact that represents, situational awareness of ICS and OT within the water and wastewater systems sector will simply need to evolve as the water and wastewater environments have evolved,” Veeneman said. “If the intent is to deter and repel cyber attacks against the nation’s drinking water supply and ensure the safety of communities and environments, then the financial investment at various levels will need to take place,” he added.

Additionally, the culture of cyber security and resilience needs to permeate the processes and activities within water and wastewater systems and operations environments, Veeneman said. “Senior management accountability and due diligence, training and cross-functional domain expertise for operators and engineers, and cyber resilience solutions and practices will be required to have the personnel available to meet the situational awareness requirements, understand and respond to alerts and events as they take place,” he added.

“In my opinion it is now very feasible and necessary to bring about the introduction and embedding of situational awareness in such critical infrastructure,” Caulfield said. “The potential fallout of an attack is too great for any organisation in the WWS sector to ignore and therefore all that can be meaningfully done, must be done to protect the public consumers,” he concluded.
