Cyber threats to our water systems are real. Here’s what can be done.

Water security is no longer just about scarcity and stress. As more facilities embrace smart systems, they can learn from the hackers who try to disrupt them.

The first signs of an attack on Maroochy Water Services were easily overlooked back in 2001: a faulty pump here, some erratic alarms there. Then it was too late. A rogue ex-employee released 265,000 gallons of sewage across the Australian region over a 3-month period, turning rivers black and killing scores of fish and wildlife.

It was one of the first cyber attacks against a water facility; 20 years later the problem is a global issue. In 2021, four US government agencies were even moved to jointly warn of impending attacks on American water and wastewater systems.

Today, the question isn’t whether there will be further hacks on water facilities but when – and whether they’ll prove deadly.

Why water is a weak link

Smart systems are transforming water services. Some span entire regions, such as in Valencia in Spain. Elsewhere, they bring water to remote or rural communities or support farmers in water-stressed regions.

Digital tools boost sustainable water management. However, in many places, water companies have been slow to address their vulnerabilities, including outdated software, weak passwords and phishing attempts. Lack of budgets, knowledge, and cyber-aware staff exacerbate the issue – and the risks are considerable.

Ransomware cost one American city USD$2.6m in 2018. Water facilities additionally face health crises and loss of service (not to mention loss of consumer trust), which could impact wider regional economic stability in turn. As the US Department of Energy notes, “water and power systems are often physically interconnected”. In other words, national infrastructure is only as secure as its weakest link.

What cyber hacking looks like

San Francisco and Florida, USA

Remote access makes smart water systems sing: it allows oversight of underground and remote infrastructure, vastly extending the reach of smaller organisations in particular. The trade-off is that, at the same time, it increases the number of ways a network can be attacked.

In June 2021, a hacker was able to log into a water San Francisco treatment plant and delete system programs. Thankfully, the attack was spotted before any real damage was done.

Just weeks later, however, the same remote access software gave an attacker access to a water treatment plant in Oldsmar, Florida. The hacker attempted to raise Sodium Hydroxide in drinking water to poisonous levels. Fortunately an employee spotted the tampering before anyone was hurt.

Israel

If events in America illustrate the need for strong firewalls and two factor authentication, cyber attacks in Israel show that monitoring networks for security issues is as crucial as scanning for leaks.

Six water authorities in the country were targeted in April 2020, this time with a view to increasing chlorine in the water supply to dangerously high levels.

Once again the hack was spotted in time; nonetheless, authorities in Israel have adopted more stringent measures as a result. These include using a third-party cyber defence system that tracks underlying electrical signals in the water network to spot anomalies before they can cause damage.

Cyber security in the water industry

It’s possible to draw some positives from malicious cyber attacks. If nothing else, they pinpoint weak points that can then be patched locally and across the industry.

Experts and government agencies largely agree on a number of additional defence mechanisms, including:

  • Establishing joint government and water industry oversight in places where it’s missing
  • Finding and funding better tech knowledge across the industry or access to specialist staff for facilities that need support
  • Encouraging transparency and information sharing when water facilities find vulnerabilities or experience an attack.

As well as the software and security pointers mentioned above, facilities should also:

  • Regularly run risk assessments to identify weak points and action them, and create a rapid response strategy
  • Reduce the attack surface area, for instance by removing unused logins and outdated or vulnerable software.

Of course, challenges remain. According to a US survey, 60% of water companies spent less than 5% of their budget on IT security in 2021. Plugging these gaps is partly a question of budget, but also of spreading awareness about the scale of the problem, and its solutions.

Related blog posts: