Wastewater Treatment and Cybersecurity: Protecting Critical Infrastructure

The Vital Role of Water and Wastewater Systems

Imagine a world without access to safe, clean drinking water or a reliable sewage system. It’s a nightmarish scenario that would grind our modern society to a halt. The water and wastewater systems that service our communities are truly the lifeblood of our nation’s infrastructure, providing essential services we often take for granted.

As an American, I rely on the continuous supply of safe drinking water and proper wastewater treatment every single day – not just for personal use, but to support the critical operations of hospitals, firefighters, manufacturers, and countless other sectors that are vital to our economy and way of life. In fact, over 80% of the U.S. population receives their drinking water from these public systems, and around 75% have their sanitary sewerage treated by them.

These systems are undoubtedly critical infrastructure – functions so essential that their disruption or dysfunction would have a debilitating effect on our nation’s security, economy, and public health. And with the growing reliance on digital technology to monitor, control, and communicate across these water networks, a new vulnerability has emerged: the threat of cyberattacks.

The Rise of Cyber Threats Targeting Water Systems

The water and wastewater sector has become an increasingly attractive target for malicious cyber actors. According to the Environmental Protection Agency (EPA), cyberattacks against water utilities are becoming more frequent and more severe, putting the safety of our drinking water and the efficacy of wastewater treatment at serious risk.

Some of the most concerning cyber threats facing this critical infrastructure include:

• Contamination with Deadly Agents: Hackers could potentially tamper with the chemical levels in drinking water or wastewater, introducing deadly toxins or pathogens.
• Physical System Attacks: Cyber criminals could target and damage the physical pumps, valves, and other equipment that are essential for water distribution and treatment.
• Denial of Service Attacks: Disruptive cyberattacks could completely shut down water and wastewater services, depriving communities of these vital resources.

The impact of such attacks would be catastrophic – potentially leading to widespread illness, environmental damage, and crippling economic disruption. And the threat is very real, as evidenced by the 2021 attack on the municipal water system in Aliquippa, Pennsylvania, which was carried out by the Iranian-linked Cyber Av3ngers group.

Failures in Cybersecurity Hygiene

One of the most alarming revelations from the EPA is that over 70% of water systems inspected by federal officials do not fully comply with cybersecurity requirements outlined in the Safe Drinking Water Act. This means that critical cybersecurity vulnerabilities are present in the vast majority of our nation’s water infrastructure.

Some of the most common cybersecurity lapses identified include:

• Failure to Change Default Passwords: Many water treatment facilities are still using the original, easily-guessed passwords provided by software vendors, making them easy targets for hackers.
• Lack of Employee Access Controls: Former employees often maintain access to sensitive systems, even after leaving the organization.
• Outdated and Unpatched Software: Older, unsupported systems are rife with known vulnerabilities that can be exploited by cybercriminals.

These basic cybersecurity hygiene failures are leaving water systems across the country exposed and vulnerable to devastating attacks. And with state-sponsored hacking groups like Volt Typhoon – believed to be working on behalf of the Chinese government – actively infiltrating U.S. critical infrastructure, the threat has never been more real or more urgent.

A Call to Action for Water Utilities

Faced with this alarming reality, the EPA, the Cybersecurity and Infrastructure Security Agency (CISA), and the FBI have all issued strong warnings and recommendations to water utilities across the country. The message is clear: it’s time to prioritize cybersecurity and take immediate action to protect our critical water infrastructure.

Some of the key steps these agencies advise water systems to take include:

1. Implementing Robust Access Controls: Regularly review and update access privileges, ensure multifactor authentication is enabled, and promptly remove access for former employees.
2. Keeping Software Up-to-Date: Maintain a rigorous patching and update schedule to address known vulnerabilities in operational technology and IT systems.
3. Conducting Regular Vulnerability Assessments: Leverage free scanning services from CISA to identify security weaknesses and prioritize remediation efforts.
4. Enhancing Incident Response Capabilities: Develop comprehensive plans for responding to and recovering from cyber incidents, and test them regularly through exercises.
5. Fostering Information Sharing: Actively report suspicious activity and cyber incidents to CISA and other authorities, so the broader threat landscape can be better understood and mitigated.

Importantly, the EPA has also stressed the urgency of collaboration between federal, state, and local partners to develop comprehensive strategies for bolstering the cyber resilience of the nation’s water systems. This includes the development of state-specific action plans to address the most significant vulnerabilities.

Securing the Future of Water Infrastructure

As the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) demonstrates, strengthening the cybersecurity of critical infrastructure like water and wastewater systems is a growing national priority. This landmark legislation, enacted in 2022, requires certain organizations to report cyber incidents and ransomware payments to the government, helping to identify and address vulnerabilities more quickly.

But government action alone won’t be enough. Water utilities themselves must take proactive steps to enhance their cyber defenses and become more resilient in the face of evolving threats. This includes leveraging the countless resources and services available from agencies like CISA and the EPA, which can provide everything from free vulnerability scanning to comprehensive cybersecurity assessments and planning assistance.

By working together – across all levels of government and with the private sector – we can safeguard the future of our critical water infrastructure and ensure that the lifeblood of our nation continues to flow uninterrupted. It’s a daunting challenge, to be sure, but one that is absolutely essential for the health, safety, and prosperity of all Americans.

And who knows? Perhaps someday, Alpha Wastewater – or a company like it – will play a pivotal role in this vital mission, helping water utilities across the country shore up their defenses and protect this most precious of resources. But for now, the focus must remain on raising awareness, driving action, and securing our water systems against the looming cybersecurity threats that put our very way of life at risk.