OT Cyber Challenges for U.S. Water and Wastewater Facilities

In the United States, a vast network of over 153,000 public drinking water systems and more than 16,000 publicly owned wastewater treatment facilities underpins our national health and safety. These critical infrastructures deliver potable water to 90% of the American population and manage the wastewater for about 75%, according to the Environmental Protection Agency (EPA) and data from the Cybersecurity and Infrastructure Security Agency (CISA). This extensive network not only ensures the daily functioning of society but also safeguards public health.

Recent Cyberattacks on U.S. Water and Wastewater Facilities

Aliquippa Water Authority, Pennsylvania (November 2023):

  • Affected Population: Approximately 22,000 residents
  • Attack Details: Iranian-backed hackers compromised a remotely controlled device made by an Israeli company, which monitors and regulates water pressure at a pumping station.
  • Consequences: Prompt switch to manual operations prevented a major disruption in water supply, highlighting vulnerabilities in smaller, underfunded utilities. This incident has influenced U.S. legislative efforts for enhanced cybersecurity measures across the sector.
  • Broader Impact: Exposed the critical challenges smaller water utilities face in safeguarding their infrastructure against sophisticated cyber threats.

North Texas Municipal Water District (November 2023):

  • Affected Population: Over 2.2 million people
  • Attack Details: A ransomware attack by the Daixin Team, known for targeting public health organizations, exploited vulnerabilities in VPN servers through phishing.
  • Consequences:
    • Compromised personal data including names, dates of birth, and Social Security numbers.
    • Disrupted the district’s communication systems, but core services remained uninterrupted.
    • Engaged forensic specialists for investigation and law enforcement coordination.
    • Ongoing negotiations with attackers raise concerns about potential threats to billing software.
  • Broader Impact: Adds to a growing list of cyber incidents in the Dallas area, emphasizing the persistent security challenges faced by large-scale water facilities.

Main Cyber Challenges of Water Treatment Facilities

According to the Cybersecurity and Infrastructure Security Agency (CISA), water and wastewater systems face sophisticated cyber threats that target both their IT and operational technology (OT) networks, systems, and devices. These challenges significantly jeopardize the facilities’ ability to provide clean water and manage wastewater. Key challenges include:

  • Spearphishing Attacks: Attackers frequently utilize malicious emails to infiltrate networks, using harmful links or attachments to gain unauthorized access.
  • Exploitation of Remote Access Technologies: Increased use of remote operations has exposed vulnerabilities in technologies like Remote Desktop Protocol (RDP), which attackers exploit to gain unauthorized access, impacting both IT and OT environments.
  • Use of Unsupported or Outdated Software: Many facilities run outdated software due to limited resources, making them susceptible to attacks that exploit known vulnerabilities.
  • Vulnerable Control System Devices: Outdated or compromised firmware in control system devices can lead to unauthorized access and disrupt operations.
  • Insider Threats and Ransomware: The risk from insiders and various forms of ransomware can severely cripple operational capabilities, demanding swift resolution.

Enhanced cybersecurity measures and robust infrastructure practices are crucial to counter these threats and ensure the resilience and safety of these critical infrastructures.
