
WaterOperator.org Blog

Cybersecurity Tips for Water and Wastewater Utilities


October is Cybersecurity Awareness Month! The water sector can protect its infrastructure, maintain public trust, and ensure the safety and reliability of its services by prioritizing cybersecurity. U.S. EPA has provided some tips on how to avoid cybersecurity threats and keep your utility secure. These tips are outlined below:

Passwords

Passwords should be at least 12 characters long, unique for each account, and complex. To make a secure password you should incorporate a mix of uppercase & lowercase letters, numbers, and special characters. 

If your passwords meet these criteria, they generally only need to be changed if they are compromised. It can be challenging to remember multiple passwords, so use a password manager to help.

Multi-factor Authentication (MFA)

MFA involves using multiple methods to verify a user’s identity, going beyond a simple login. Verification methods can include something you know, such as a password or PIN; something you are, like a fingerprint or facial scan; and something you have, like a key card or security token.

Phishing

Phishing occurs when criminals use fake emails or social media posts to trick users into clicking on malicious links, which can then install malware onto the system. 

To identify phishing attempts, ask yourself: Is it too good to be true? Does it request personal information? Does the sender’s email address match who they claim to represent? Are there any spelling or grammar errors?

If you detect a phishing attempt, report it to your IT manager or security team as quickly as possible. Do not click on any links, delete the email, and use the “Report Phishing” function in your email client (if available).

Update Software

Updating software, or patching, involves installing updates released by the manufacturer to close known vulnerabilities and provide the latest features. Enabling automatic updates ensures updates are installed as soon as they are released, though a system restart is usually required. If automatic updates aren’t possible, regularly check for updates manually and create a schedule to make this a habit.

Be cautious of fake update pop-ups that urgently demand downloads, as these can lead to malware. If you encounter such pop-ups, run a scan to check for malware.

By implementing these cybersecurity tips, you can significantly enhance your protection against cyber threats. Remember, staying informed and vigilant is key to safeguarding your utility.

Cybersecurity Threats: Lessons Learned from WaterISAC


In July of 2024, WaterISAC sent out an advisory to its members advising them to use caution when opening emails from seemingly "trusted" sources. This was sent after WaterISAC was made aware of a second phishing attempt against Maine water operators and well drillers that was disguised as an information verification form from Maine.gov.

A screenshot of the attempted phishing email is shown below:


Now that phishing attempts are so common across the water sector, it is important to be vigilant when opening emails and clicking any links within. WaterISAC provided a list of lessons that can be learned from incidents like this, as well as resources to help water and wastewater systems get guidance on how to strengthen cybersecurity measures. These lessons and resources are shared below:

Lessons Learned

  • Share Information on Threats. In these cases, state agencies quickly sent out a broadcast alert to targeted audiences warning of the phishing attempt.
  • Open-Source Intelligence (OSINT).  There is a lot of information on the internet about our water systems. It is useful to know what public information is available. In some cases, detailed and sensitive information can be removed. In other cases, the information is intentionally part of the public record. Therefore, we need to be aware of this class of data so we are not fooled into trusting whoever has it because we believe only privileged sources have access to it.
  • Practice Phishing Drills. Part of every utility’s cybersecurity awareness training should include regular phishing drills for staff. CISA has free resources to assist, such as Teach Employees to Avoid Phishing.
  • Not Sure, Call. If you are not sure that the source of an email is legitimate, call the supposed sender through previously established phone numbers to confirm the request’s validity.
  • Fall for a Phish, Contact Your IT Department. If you realize after the fact that you fell for a phishing email, or you think you might have, call your information technology group to find out what to do. Everyone except the attacker will be glad you did.
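The "does the sender's email address match who they claim to represent?" check from the phishing tips above, and the Maine.gov lookalike described in the WaterISAC lesson, can be turned into a simple automated screen. This is an added example, not code from WaterOperator.org, EPA or WaterISAC; the sample messages, the lookalike domain and the organization-to-domain table are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; maine-gov-forms.example and mail-relay.example
# are invented lookalike/relay domains for this example only.
SAMPLE_MESSAGES = [
    "From: Maine.gov Licensing <forms@maine-gov-forms.example>\n"
    "Reply-To: forms@maine-gov-forms.example\n"
    "Subject: Action required: verify your operator license\n\n"
    "Please complete the attached verification form.\n",
    "From: Jane Smith <jane.smith@maine.gov>\n"
    "Subject: Quarterly report reminder\n\n"
    "Reminder that the report is due Friday.\n",
    "From: Jane Smith <jane.smith@maine.gov>\n"
    "Reply-To: jane.smith@mail-relay.example\n"
    "Subject: Updated bank details\n\n"
    "Please send the payment to the new account.\n",
]

# Organization names (lowercase) a display name might claim, mapped to the
# domains that legitimately send for them. Constructed; a utility would fill
# this from its own list of trusted correspondents.
CLAIMED_ORG_DOMAINS = {
    "maine.gov": {"maine.gov"},
    "waterisac": {"waterisac.org"},
}


def domain_of(addr: str) -> str:
    """Return the lowercase domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw: str) -> list:
    """Return human-readable indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []
    # 1. The display name claims an organization, but the actual sender domain
    #    is not one of that organization's domains (a lookalike domain).
    for org, domains in CLAIMED_ORG_DOMAINS.items():
        if org in display.lower() and from_domain not in domains:
            findings.append(f"display name claims {org} but sender domain is {from_domain}")
    # 2. Reply-To points somewhere other than the apparent sender, so any reply
    #    (and any form data sent back) goes to a different party.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings
```

A message with no findings is not necessarily safe; this only automates two of the questions from the checklist, and the "not sure, call" lesson still applies.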

Additional Water and Wastewater Systems Sector Guidance Resources:

Webinar Recording: Cybersecurity for Wastewater Operators


Watch this webinar recording to discover some of the most helpful cybersecurity resources and to learn how to use our search tools at WaterOperator.org to find additional resources and training events. This is the first webinar in our new series for wastewater operators!

The webinar answers questions such as:

  • What is WaterOperator.org and how is it a useful tool for wastewater professionals?
  • What are the best resources we have relating to cybersecurity in the water and wastewater sector?
  • How can you find more cybersecurity resources and other similar resources on WaterOperator.org?

This free series will cover topics relevant to wastewater operators, including funding, asset management, compliance, and water quality. Upcoming events in the series include:

  • Source Water Protection for Communities with Decentralized Wastewater (April 23)
  • Funding Wastewater Infrastructure Projects (June 25)

Certificates of attendance for each session will be delivered upon request. Check with your certification body for acceptance criteria.

Here is the recording of the first webinar, held in February 2024. We cannot provide certificates of attendance for watching the webinar recording.

EPA Mandates Cybersecurity Reporting for the Water Sector


Public water systems are increasingly at risk from cyberattacks that threaten public health. U.S. EPA has issued new guidance that states are required to evaluate and report on cybersecurity threats for systems that use industrial control systems or other operational technology.

“Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable,” said EPA Assistant Administrator Radhika Fox. “Cyberattacks have the potential to contaminate drinking water.”

This expectation is outlined in a memo that interprets sanitary survey requirements, accompanied by a detailed guidance document aimed at state programs and technical assistance providers. It was released as part of the Biden administration's updated National Cybersecurity Strategy.

U.S. EPA offers resources that can help water systems understand and address cyber vulnerabilities including this video on basic cybersecurity concepts that can be used by water systems as a part of an annual cybersecurity training program. Our database on WaterOperator.org also has resources on this topic, including this 56-page guide from WaterISAC on cybersecurity best practices to reduce exploitable weaknesses and attacks.

Florida Security Incident Highlights Need for Cybersecurity Precautions


Oldsmar, Florida made national headlines after experiencing a remote breach of their chemical control system earlier this year.

The hacker, whose identity and intent have not yet been identified, increased the sodium hydroxide feed by more than 100-fold, but the change was quickly overridden by the operator who saw the breach occur. The operator then disabled remote access and contacted local authorities.

This technical brief from the U.S. Department of Homeland Security (shared via Michigan WEA) provides an in-depth overview of the incident as well as potential broader impacts, including attacks inspired by the methods used in Oldsmar.

This is just the most recent example of hackers exploiting utility cybersecurity vulnerabilities, and you may be wondering whether your system is doing enough to prevent this type of intrusion or has the safeguards in place to respond in the event of a breach.

The U.S. EPA released a new Cybersecurity Best Practices page and we recommend the Cybersecurity Incident Action Checklist as the best place to begin your own self-assessment.

Data Protection and Cybersecurity for Small and Medium Systems


Many water utilities rely on online technology and computer systems to increase their working efficiency. In the office space, data management software, payroll systems, customer billing programs, utility websites, and social media improve customer services and provide an organized method to retain and access utility information. On the operational side, employees may rely on remote access control systems such as SCADA or smart metering to monitor or control systems while performing maintenance in the field. These control systems allow for improved response times and monitoring.

Yet as we all learned from Spiderman, with great power comes great responsibility. Without sufficient cybersecurity measures, systems risk the health and security of their customers. Successful attackers can steal customer personal data such as credit card numbers, social security numbers, and contact information. They may attempt to deface utility websites, compromising customer confidence. If your system uses online process control systems, hackers could lock out utility access, alter treatment processes, damage equipment, and override alarms. The American Water Works Association (AWWA) has listed a variety of cyberattacks and their consequences in its 2018 Cybersecurity Risk & Responsibility in the Water Sector Report. These attacks resulted in leaked customer information, considerable financial losses, altered chemical dosing, and even source water contamination. Just recently, starting in May of 2019, the City of Baltimore has been held hostage by an ongoing three-week cyberattack that demands $100,000 in Bitcoin to free city files and water billing data.

There are many types of cyberattacks, including password hacking, the exploitation of software vulnerabilities, denial of service, and malware. Common malware includes ransomware, spyware, trojan horses, viruses, and keyloggers. Attacks can even happen through opportunity theft, improper disposal of computer equipment, or phishing attempts where thieves pose as legitimate organizations requesting confidential information.

To prevent cyberattacks, start by identifying vulnerabilities, developing a multi-tier security plan, and actively enforcing that plan. The EPA has developed a guide explaining 10 key components for a cybersecurity plan that includes planning worksheets and information on how to respond in the event of an attack. Systems should plan to update software regularly and require strong passwords that are different for each account. Installing anti-virus software and firewalls is also effective. A security plan should include measures to educate employees on cybersecurity awareness and limit access to security information based on job function.

For an in-depth list of security practices, read through WaterISAC’s 2019 guide to reduce exploitable weaknesses or the EPA’s Incident Action Checklist. The AWWA’s guide on Process Control System Security Guidance for the Water Sector can aid systems using smart technology. To improve social media and website security, start with Hootsuite’s social media security tips and Sucuri’s website security tips.

If a data breach does occur, utilities will want to have an established protocol to resolve and mitigate potential damage. The Cyber Security Adviser Program with the Department of Homeland Security (DHS) offers regional affiliates that will assist systems in vulnerability assessments, plan development, and informational support. While the costs associated with response, forensics, and legal fees can be expensive, waiting to take action can incur an even greater cost. Remember to keep an active cybersecurity plan and, if incidents should occur, report them to local law enforcement, the DHS, and WaterISAC.