A survey conducted by the Water Information Sharing and Analysis Center (Water-ISAC) and the Water Sector Coordinating Council included responses from more than 606 water and wastewater utilities, representing the approximately 52,000 community water systems and 16,000 wastewater systems in the U.S.
The survey showed that many of the utilities are subject to economic disadvantages typical of rural and urban communities. Others do not have access to a cybersecurity workforce. Operating in the background is that these utilities are struggling to maintain and replace infrastructure, maintain revenues while addressing issues of affordability, and comply with safe and clean water regulations.
Regarding specific cybersecurity challenges, more than half of water utilities say they have not fully identified IT-networked assets in their networks, and only a little more than 21% of those utilities said they are working to do so. Further, almost two-thirds said they have not fully identified all operational technology networked assets and fewer than a quarter are working to do so.
Less than a quarter of utilities reported conducting annual cybersecurity risk assessments. Quarterly assessments were performed by 7.6% of respondents, and 5% were conducting weekly cybersecurity risk assessments, the survey showed.
The respondents reported their top challenges for securing drinking water and wastewater systems were minimising control system exposure, assessing risks and identifying hardware or software vulnerabilities. Additionally, about 64% of respondents said their utility does not employ a chief information security officer.
The results of the survey show a range of cybersecurity preparedness levels across the sector, with many excelling in their efforts with current resources but with others demonstrating room for improvement and a need for greater support.
A breach in a San Francisco Bay Area water treatment plant is one of the instances of lack of cybersecurity in water utilities. In this case, the hacker was using a former employee’s credentials for a popular remote work software program. Another water treatment plant in Florida was also breached through an outdated operating system and vulnerable remote work software.
Of the hundreds of treatment plants that responded to the Water ISAC survey, only four organisations confirmed a breach of their Information Technology (IT) or Operational Technology (OT) systems in the past year, while dozens responded they were “not sure” if they had experienced an incident.
According to data compiled by Cybersecurity and Infrastructure Security Agency about the water industry, roughly 10% of water utilities have reported a critical vulnerability and 40% reported a high vulnerability. Most vulnerabilities water plants have reported more than 80% were common vulnerabilities and exposures (CVEs) published before 2017.
The Water-ISAC published a list of six older CVEs for its members on June 17, saying it was aware of several reports of threat actors leveraging multiple vulnerabilities to exploit unpatched systems in the water and wastewater sector. Members are encouraged to review and address the following vulnerability advisories and updates for products used within their environments.
As critical infrastructures, water and sewage systems are susceptible to cyberattacks, US researchers have created a cybersecurity technology designed to lure hackers into an artificial world to protect these infrastructures. As reported by OpenGov Asia, the cyber tech is based on honeypots, which attract hackers by providing what appears to be an easy target so cybersecurity researchers can study the attackers’ methods.
While most honeypots are used to lure attackers and study their methods, this cyber tech instead uses artificial intelligence to deploy elaborate deception to keep attackers engaged in a pretend world that mirrors the real world. The decoy interacts with users in real-time, responding in realistic ways to commands.
The development of this technology is an example of how U.S. scientists are focused on protecting the nation’s critical assets and infrastructure. This cybersecurity tool has far-reaching applications in government and private sectors—from city municipalities to utilities, to banking institutions, manufacturing, and even health providers.