Better decisions impacting water

Cyber threats to our water systems are real. Here’s what can be done.

The first signs of an attack on Maroochy Water Services were easily overlooked back in 2001: a faulty pump here, some erratic alarms there. Then it was too late. A rogue ex-employee released 265,000 gallons of sewage across the Australian region over a 3-month period, turning rivers black and killing scores of fish and wildlife.

It was one of the first cyber attacks against a water facility; 20 years later the problem is a global issue. In 2021, four US government agencies were even moved to jointly warn of impending attacks on American water and wastewater systems.

Today, the question isn’t whether there will be further hacks on water facilities but when – and whether they’ll prove deadly.

Smart systems are transforming water services. Some span entire regions, such as in Valencia in Spain. Elsewhere, they bring water to remote or rural communities or support farmers in water-stressed regions.

Digital tools boost sustainable water management. However, in many places, water companies have been slow to address their vulnerabilities, including outdated software, weak passwords and phishing attempts. Lack of budgets, knowledge, and cyber-aware staff exacerbate the issue – and the risks are considerable.

Ransomware cost one American city USD$2.6m in 2018. Water facilities additionally face health crises and loss of service (not to mention loss of consumer trust), which could impact wider regional economic stability in turn. As the US Department of Energy notes, “water and power systems are often physically interconnected”. In other words, national infrastructure is only as secure as its weakest link.

San Francisco and Florida, USA

Remote access makes smart water systems sing: it allows oversight of underground and remote infrastructure, vastly extending the reach of smaller organisations in particular. The trade-off is that, at the same time, it increases the number of ways a network can be attacked.

In June 2021, a hacker was able to log into a water San Francisco treatment plant and delete system programs. Thankfully, the attack was spotted before any real damage was done.

Just weeks later, however, the same remote access software gave an attacker access to a water treatment plant in Oldsmar, Florida. The hacker attempted to raise Sodium Hydroxide in drinking water to poisonous levels. Fortunately an employee spotted the tampering before anyone was hurt.

Israel

If events in America illustrate the need for strong firewalls and two factor authentication, cyber attacks in Israel show that monitoring networks for security issues is as crucial as scanning for leaks.

Six water authorities in the country were targeted in April 2020, this time with a view to increasing chlorine in the water supply to dangerously high levels.

Once again the hack was spotted in time; nonetheless, authorities in Israel have adopted more stringent measures as a result. These include using a third-party cyber defence system that tracks underlying electrical signals in the water network to spot anomalies before they can cause damage.

It’s possible to draw some positives from malicious cyber attacks. If nothing else, they pinpoint weak points that can then be patched locally and across the industry.

Experts and government agencies largely agree on a number of additional defence mechanisms, including:

As well as the software and security pointers mentioned above, facilities should also:

Of course, challenges remain. According to a US survey, 60% of water companies spent less than 5% of their budget on IT security in 2021. Plugging these gaps is partly a question of budget, but also of spreading awareness about the scale of the problem, and its solutions.