Survey shows many water utilities struggle with cybersecurity
- By Justin Katz
- Jun 18, 2021
The water industry, like most critical infrastructure sectors, shows a range of cybersecurity preparedness levels, even as threats grow.
A June survey conducted by the Water Information Sharing and Analysis Center (Water-ISAC) and the Water Sector Coordinating Council includes responses from more than 606 water and wastewater utilities, representing the approximately 52,000 community water systems and 16,000 wastewater systems in the U.S.
Many of the utilities are “subject to economic disadvantages typical of rural and urban communities. Others do not have access to a cybersecurity workforce. Operating in the background is that these utilities are struggling to maintain and replace infrastructure, maintain revenues while addressing issues of affordability, and comply with safe and clean water regulations,” the survey said.
When it comes to specific cybersecurity challenges, more than 60% of water utilities say they have not fully identified IT-networked assets in their networks, and only a little more than 21% of those utilities said they are working to do so. Further, roughly 70% said they have not fully identified all operational technology networked assets and fewer than a quarter are working to do so.
Only 23% of utilities reported conducting annual cybersecurity risk assessments. Quarterly assessments were performed by 7.6% of respondents, and 5% were conducting weekly cybersecurity risk assessments, the survey showed.
The respondents reported their top challenges for securing drinking water and wastewater systems were minimizing control system exposure, assessing risks and identifying hardware or software vulnerabilities. Additionally, 64% of respondents said their utility does not employ a chief information security officer.
The survey results were announced the same day that NBC News reported a hacker in January breached a San Francisco Bay Area water treatment plant using a former employee's credentials for a popular remote work software program. That incident, which was previously unreported, came just weeks before a water treatment plant in Florida made national headlines when it too was breached through an outdated operating system and vulnerable remote work software.
Of the hundreds of treatment plants that responded to the Water ISAC survey, only four organizations confirmed a breach of their IT or OT systems in the past year, while dozens responded they were "not sure" if they had experienced an incident.
According to data compiled by Cybersecurity and Infrastructure Security Agency about the water industry, roughly 10% of water utilities have reported a critical vulnerability and 40% reported a high vulnerability. Most vulnerabilities water plants have reported -- more than 80% -- were common vulnerabilities and exposures (CVEs) published prior to 2017. (The CISA data was first published in the NBC News story.)
The Water-ISAC published a list of six older CVEs for its members on June 17, saying it was "aware of several reports of threat actors leveraging multiple vulnerabilities to exploit unpatched systems in the water and wastewater sector."
This article was first posted to FCW, a sibling site to GCN.
Justin Katz is a former staff writer at FCW.