One of the miracles of the 20th century is clean, drinkable, affordable water available from the tap. Who would want to return to the days of hauling water from the well? For centuries cholera, typhoid and giardiasis were everyday risks of drinking water. Today this risk is virtually eliminated, and 1000 gallons of water can be had for about the cost of a dozen eggs.
What is required to maintain this public trust into the 21st century? In the United States approximately 85% of all water systems are owned and run by the government. These local governments need hydro-technical expertise to keep the water flowing to the taps, but often lack the cyber expertise to protect their systems from hostile actors. But really, what are the risks to the water supply?
- In 2019, Ellsworth County in Kansas had a disgruntled former employee shut down the water treatment remotely.
- In 2021, the water treatment plant in Oldsmar, Florida was compromised by hostile actors who subsequently raised the sodium hydroxide setting to unsafe levels. Fortunately, this was detected and quickly thwarted.
- In 2023, the municipal water authority of Aliquippa in Pennsylvania had their PLC compromised by attackers linked to Iran, requiring the utility to revert to manual control.
In addition to attacks that directly threaten the equipment managing the water supply on Operational Technology (OT) networks, there are also many attacks on the billing and customer environments on Information Technology (IT) networks.
- A cyber-attack on American Water Works, which serves more than 14 million people across 14 states, disrupted customer access to account and bill payment portals.
- Veolia North America, which operates water facilities across the US, disclosed that in January 2024 a ransomware attack impacted their bill payment systems, forcing them to temporarily take some systems offline.
- Last August, a ransomware attack on phone systems at Cucamonga Valley (CA) Water District prevented customers from paying by phone. It took two weeks to get the payment system back online.
Last November, the EPA’s Office of the Inspector General issued a report on the risks to drinking water systems after an assessment found critical or high-risk vulnerabilities in 97 drinking water systems serving a combined 26 million people.
Small City Water Systems an Easy Target for Hackers
Municipal water supply systems are considered an easier point of entry for hackers. Most are small: 97% are considered small systems under the Safe Drinking Water Act, serving 10,000 or fewer people. The risks to these systems are just as high as with larger systems, but the resources are low. Many run legacy, difficult-to-patch infrastructure in both IT and OT systems, making them easier to exploit. While the IoT sensors that monitor consumption, leaks, and other data points for larger water systems offer a greater attack surface for hackers, smaller city water systems that don’t use these technologies are also at risk. Budget shortfalls and lack of training can result in overextended staff accessing systems using default or shared passwords instead of following cybersecurity best practices. In fact, it was via a default password that hackers were able to access the Aliquippa system last November.
These vulnerabilities have led the EPA and the Cybersecurity & Infrastructure Security Agency (CISA) to warn water facilities of the dangers of cyber-attack and to recommend that they harden access to their HMI-based systems.
Can Small City Water Systems Mitigate These Risks?
TL;DR: Yes, of course. Like all risks, these can be mitigated with attention and resources.
Many of the attacks in 2024 targeted payment systems, whether because hackers were attempting to monetize their activities, or the systems just offered easier access. However, there’s no doubt that attacks will become more sophisticated. In the words of one industry expert, “these attacks will grow increasingly more destructive, from nation-states prepositioning assets for future disruption of basic services to bad actors seeking financial gain through ransomware attacks. In 2025, it would not be a surprise to see a top 20 US city lose one of its critical services, whether telecommunications or water utilities, to a ransomware attack.”
It is also entirely possible that rogue nation-states have already compromised water system OT networks and are waiting to disrupt them until an event when doing so will cause the most political damage.
Industry groups have been working to provide resources and education to reduce the risk for new OT systems. While new sensors and software will help larger, better-funded cities, this is unlikely to help municipalities that need to dedicate their smaller budgets to keeping current systems running.
Support for small systems is still available. For example, the Water Information Sharing and Analysis Center (WaterISAC) provides alerts, training, and briefings on cybersecurity to hundreds of water utilities. Annual membership currently costs $320 for a system with under 20,000 users. A pilot program, DEFCON Franklin, has created a volunteer task force to help underfunded organizations, including small water systems, reduce the risk of cyberattacks. CISA also publishes an EPA guide to water security with many other resources. These are all good starting points for water utilities that want to reduce the risks to their city’s water system.
Your city’s water system is critical. Ensure its safety with a comprehensive IT security assessment. Speak with our government cybersecurity experts to get started.