Last month The American Council on Science and Health released an article, Protecting Our Water Systems in the Age of Cyber Threats. The piece outlined the very real threats that face water and wastewater systems in our country, and abroad, citing the large gaps in protection that various systems face, usually based on size.
For instance, larger systems may have whole teams dedicated to cybersecurity, whereas smaller systems serving small populations may have just one or two people running the entirety of the plant, with private companies adding more nuance into the mix.
Between the EPA’s approach and the American Water Work Association’s (AWWA) approach, we are finding that a call for a more streamlined, and certainly more collaborative approach, is what is important to minimize risks.
The Reality of Threats
Cyberthreats against clean and safe drinking water can have severe, even catastrophic consequences. Criminals can use ransomware to encrypt system drives preventing access to ICS systems used for making drinking water available.
Water can be intentionally, or unintentionally, poisoned if control systems that filter and treat water raise chemical levels to unhealthy levels. Preventing the safe treatment of a community’s water source can lead to water scarcity, illness, or loss of life.
Many times, underserved communities are hit the hardest with water system crises. Jackson, Mississippi suffered a major crisis during 2022 when a treatment plant failure left over 150,000 residents without clean water. Today, those same residents will be faced with higher rates to ensure their water remains safe.
Likewise, Cybersecurity threats are just as valid and have similar consequences as physical threats to infrastructure failure, lack of investment and natural causes.
Current Cybersecurity Limitations are a People Problem
One of the main issues is that nobody owns the problem. When outlining the best approach for cybersecurity, accountability is crucial, but implementing any type of approach is going to be challenging as long as roles remain muddled.
The EPA pushes requirements without collaboration with states or utilities to understand what challenges or impacts are created with regulations. Those impacted push back because they lack the resources to address new requirements.
Moreover, many installed ICS systems are outdated, proprietary and/or custom. Product companies have a responsibility to build security into their products like other features. Documented practices for updating patches, for example, is also a step in the right direction.
AWWA has highlighted that collaboration and cooperation is critical. However, it shouldn’t be limited to water utilities and the EPA. Partnership with engineering firms, product companies and community leaders are also critical to effectively protect water and wastewater systems.
Final Take
Cybersecurity must be made a priority to maintain safe water and wastewater systems. Too much arguing and no specific organization taking ownership has led to vulnerabilities in our nation’s water and wastewater systems. By using open communication and collaboration, a straightforward outline for who takes the lead, and which processes, agencies and companies run support, can help to achieve the objective of keeping our water safe.
At Luminary Automation, Cybersecurity and Engineering, we understand that technology is a supplement meant to enable real people to perform their job to the best of their ability. If you’d like more information on how Luminary can help your organization with reliable, secure, cost-effective solutions, please be in touch.