Water Utilities and Cyber Security: Overview
The US Department of Homeland Security, the Federal Bureau of Investigation, the US Environmental Protection Agency, and the American Water Works Association are among the entities and infrastructure in place to protect the US water utility industry from cyber threats. The top three cyber security concerns for the industry identified by the US government are spearphishing emails, watering hole domain attacks, and credential gathering, or identity theft.
Top Cyber Concerns
- According to the American Water Works Association and the US Department of Homeland Security, the top cybersecurity concerns faced by the water utility industry are spearphishing emails, credential gathering, and watering hole domains, which can lead to other concerns such as targeting of the industrial control system (ICS), network and open-source reconnaissance, and host-based exploitation.
- Spearphishing is a cyberattack targeted at a specific individual through emails that seem legitimate and from a valid account, usually inviting the person to open a link that injects malware into the network.
- The spearphishing email attack is one of the most common forms of cyberthreat: it affects 84% of organizations in the US, each attack involved losses of up to $1.6 million in 2015, and this only continues to grow.
- Watering hole domain attacks: In this method, the attacker targets a group of users by identifying the websites they use most often, such as information databases and the organization's own websites.
- The attacker adds malware to the website, so members of the group become infected when they use it or log in, which affects the network and exposes their credentials or other confidential information to theft.
- Credential gathering: This is one of the riskiest forms of cyberattack threatening the water utility industry. By getting access to internal credentials, attackers can obtain internal information, navigate the network, manipulate the system, alter various operations, and cause other issues.
Impact of Cyber Threats
- A cyberattack on the US water utility industry can have negative consequences such as manipulation and blocking of the ICS, effects on flow and valve operations, malware attacks on confidential information, manipulation of chemical treatment, attempts to destroy other operations, etc.
- It can also involve harm to public safety and health, loss of budget to recovery efforts, impacts on national security, and data loss.
- Some cyberattacks also aim to contaminate the water, create service outages, and cause operational malfunctions, which in turn can lead to casualties and illnesses and affect the response capacity of firefighters, the food supply, health workers, and transportation systems.
Actions Taken to Protect from Cyber Threats
- Because of the risks and costly consequences a cyberattack can have for the industry and the country, all water utility entities need to take responsibility and adopt measures that protect their networks and systems from attacks.
- Based on the information provided by the DHS and the FBI, one of the first steps all water utility companies must take is adopting multi-factor authentication, as it requires an additional piece of information to access the system.
- The DHS also requested that all water utility companies protect public-facing network devices, and those accessed through residential connections and by small businesses; increase access security and antivirus protection; keep vendor access and software updated; and remove any equipment that is no longer being monitored by vendors or manufacturers.
- Additionally, to ensure all companies are creating cybersecurity plans and taking the necessary measures to respond, detect, and prevent cyber threats, the government can apply penalties of millions of dollars.
- The EPA has also assigned a committee of experts from private companies and from federal and state agencies in the water industry to develop and evaluate cybersecurity equipment to protect the infrastructure.
- Other actions taken include the creation of regulations like the Bioterrorism Act of 2002, and official government tools to check cybersecurity, like the Blast Vulnerability Assessment (BVA) tool, the Threat Ensemble Vulnerability Assessment (TEVA), the Sensor Placement Optimization (TEVA-SPOT) tool, and the Water Network Tool for Resilience (WNTR).
- The US Department of Homeland Security and the Federal Bureau of Investigation are the government entities, and part of the infrastructure, in charge of monitoring cybersecurity compliance in the water utility industry and protecting it from terrorism and from political and financial attacks.
- At the same time, the Department of Homeland Security works with the US Environmental Protection Agency to define the infrastructure of cybersecurity.
- The government has also given authorization to many state and federal entities to monitor security concerns in the water utility industry.
- The EPA Water Security Test Bed (WSTB) will be in charge of researching methods to improve the cybersecurity of the industry.
A report was presented by the American Water Works Association, the US Department of Homeland Security, and the Federal Bureau of Investigation, government entities in charge of cybersecurity in the US and in the water utility industry, with details of the top concerns and official threats, as well as security actions taken and expected from companies in this industry. With this in mind, we used the official top concerns identified by the government as the top three cyber concerns for the industry.