Threats on the Horizon: The Challenges of Securing the Nation’s Water Utilities and the Strategies to Overcome Them
As I sat down to write this article, the town of Flint, Michigan, popped into my head. For anybody who works in the water sector, the mere mention of Flint is likely to spark mental images of a water crisis, national news coverage, footage of angry citizens, and a glimpse into what the fallout from a water crisis looks like. And while Flint’s 2014 water management fiasco was not borne from the impacts of a security breach, it certainly does forecast what could happen should a water utility suffer an attack that impairs its ability to deliver potable drinking water to its communities.
To paraphrase a line from the hit Broadway production “Hamilton,” the question of a future attack on a water utility that leads to a Flint-like crisis is not a question of if but rather of which one. There are more than 152,000 public water systems in the United States, and any one of them could be the target of a domestic extremist group, a foreign entity, a bored basement-dwelling hacker or any other adversary looking to disrupt, destroy or cause chaos.
So, how do water utilities move forward and prepare themselves for a future that is trending toward an increase in both cyber and physical threats? We sat down with Dr. David Mussington, who serves as the executive assistant director for infrastructure security at the Cybersecurity and Infrastructure Agency Security (CISA), a federal agency that was formed in 2018 to identify threats, share information and assist with incident response in defense of the nation’s critical infrastructure segment.
We talked about a great number of things, including what blind spots water utilities may have, the threats that can come from domestic and foreign actors, and the guidance and resources that water utilities have at their disposal to improve security—even when their budgets may be limited.
UTILITY SECURITY MAGAZINE:
So, let’s get right into it. What are the biggest weaknesses that water utilities need to address when it comes to physical security or cybersecurity?
MUSSINGTON:
Attention to the basics is important. And when the basics are ignored, people can take advantage. For example, if you’re going to be connected to the public internet, you need to first do basic cyber hygiene. And that means things like strong passwords, two-factor or multifactor authentication, and so on.
It also means that when you purchase security products and services, you need to know where they are from and how they work. If something is designed without attention to security, you’re likely to be inviting vulnerabilities that may be exploited. Knowing the details and where the products or services are coming from will go a long way in helping you establish common-sense measures to protect your organization.
Like many others, water utilities are struggling to stay up to date with their cybersecurity. They’re not tech companies, so it’s a reasonable assumption to say that they’re not going to be on the latest cutting edge of cybersecurity technology. That said, any entity that connects to the public internet is going to be exposing itself to threatening actors who are looking to take advantage of weaknesses. So, they need to take that threat seriously.
UTILITY SECURITY MAGAZINE:
What are some best practices or advice that you would give to those water utilities that may be struggling with security, either cyber or physical?
MUSSINGTON:
On the cyber side, the best first step for water utilities is to position themselves to be aware of the technology that could be deployed within their perimeter by their partners. In doing so, they can have a much better sense of how they might be vulnerable. And they can do that with a risk assessment. It’s vital that water utilities understand the assets that are at risk, how they might be exploited and what some best-practice protections are.
And second, water utilities should avail themselves to services like vulnerability scanning, which offers a path to greater cybersecurity success. CISA provides this service at no cost to the water utilities, and this service helps them know what aspects of their cybersecurity are at a higher risk for adversaries to exploit.
I think for devices that are connected and that require a human interface—such as access control and multifactor authentication logins to gain access to data data systems—water utilities should reference the best practices that are out there. CISA has published these best practices, and they are ready and available to water utilities.
For physical security, there is a continuing concern about vandalism. Often, physical attacks come as a result of people who exploit weaknesses in physical security systems that are eroded by how old they are. Many water systems are quite old, and they may have backlogs in maintenance. It’s important that water utilities find ways to first address the things that make the system more fragile and exploitable by a potential threat.
UTILITY SECURITY MAGAZINE:
You’ve referenced some resources that CISA offers to help water utilities that are free of charge. Can you talk more about some of the key resources that water utilities can take advantage of to help shore up their physical and cyber security efforts?
MUSSINGTON:
Absolutely. In January 2024, CISA and the Environmental Protection Agency (EPA) published a Water and Wastewater Toolkit at www.cisa.gov/water that features key resources for water systems. Please visit that site to find tools and services that can help improve cyber hygiene and physical security.
I think the most exciting one for me is vulnerability scanning for utilities, which checks systems that are exposed to the public internet. There are more than 240 water utilities already using CISA’s vulnerability scanning service. There are obviously many, many more systems in the country that could be using it.
Often, many organizations underestimate how vulnerable they are from a cybersecurity perspective. And when that happens, they often overestimate how prepared they are. Phishing and spear phishing are impacting business and government across the entire country. Water systems aren’t immune to those things, but they can become less vulnerable with anti-phishing training. In late 2023, water and wastewater systems across multiple states experienced hacks into their programmable logic controls (PLCs) that were internet facing and utilizing the default passwords. Basic cyber hygiene practices could have prevented those hacks.
Second, we’ve got advisories that we issue to the water sector to provide best practice knowledge of what to do. We serve water utilities through our 140-person protective security advisory teams and 100-plus cybersecurity advisors, all of whom are available to provide technical assistance on an in-person basis in many cases. Should an event occur, CISA and the FBI are a one-stop shop to provide immediate information and support to a utility.
UTILITY SECURITY MAGAZINE:
Artificial intelligence is a technology being used by cybersecurity solution-makers to stop bad actors. But on the flipside, it’s also being used by bad actors to do nefarious things. What are your thoughts about the impact of AI on cybersecurity for water utilities?
MUSSINGTON:
With generative AI—things like ChatGPT that we are seeing in the news lately—there are all sorts of challenges. One concern is that these tools can write malware code. So, this puts water systems and all critical infrastructure at risk of being victimized by AI-generated malware. Luckily, right now, we haven’t seen it happen yet, but should that breakthrough happen, it could be very threatening.
On the other hand, we should also look at how AI can have a positive impact, and it can do so through better detection of threats. So, we could also see advances made in defense. It’s too soon to tell whether that revolutionary impact on attack is going to be more powerful than the evolutionary impact on defense—because they don’t move at the same rate. There’s a generalization in cybersecurity that says that cyberspace is an offense-dominant environment; in other words, it’s easier to attack than defend.
But maybe AI will make defense more powerful. And wouldn’t that be a wonderful thing to the world? But we only get there if we apply really good risk data to train AI solutions. You know, one thing about the critical infrastructure business—and I’ve been doing this since Y2K—is we tend to emphasize the negatives that could flow from technology adoption. but really, the technologies are adopted in the first place because of the positives they deliver. It doesn’t mean that water utilities should adopt every technology, but when they do, it’s vital that they are secure by design.
UTILITY SECURITY MAGAZINE:
Some water utility organizations have limited resources to invest in security. What sort of strategies might you offer to organizations that don’t have budgets that match their security needs?
MUSSINGTON:
I think first, they have to focus on preventing a critical loss of function. When it comes to water utilities, this is important because water is fundamental to life. So, protecting the potability of water is very critical. I think the next is to look at any standards and best practices out there that are specific to your industry. Look to the American Water Works Association, the EPA and others that issue publications with best practices for prioritizing protection.
And many of these publications are available for free. Avail yourself of broadly available guidance on how to close vulnerabilities and how to minimize the attack surface. Look to CISA’s list of cybersecurity performance goals, which is also free and was issued to provide broad guidance on how to secure domain-specific water systems as well as tell you what to do if you should be victimized.
It’s not all about left-of-boom prevention. It’s great if you can do it, but if you are unlucky and do experience an attack, there is a recovery and resilience element to guidance that is there as well. CISA has security advisors who can show up at your organization and help you deploy our tools to help make you more risk-protected.
UTILITY SECURITY MAGAZINE:
Watching the Russia-Ukraine war, we have seen the strategy of weakening a nation by attacking its utilities play out in real time. Additionally, data shows that a large number of cyberattacks are coming from nations abroad. What sort of lessons can we learn from warfare abroad, and what are the motivations for these international cyberattacks that go beyond ransomware money demands?
MUSSINGTON:
First, we have to accept that we actually don’t know all of the reasons because we actually don’t always know who all the bad actors are. The countries we focus on at CISA as ones that pose threats to all critical infrastructures are North Korea, Iran, Russia and China. On the other hand, if one of those states uses a cutout or a proxy—someone they hire to disrupt a particular system—we might not be able to hook the threat back to the attributed actor.
When we think about the “why,” one of the biggest reasons is they do it for reputation and for fun. Of course, doing it for money is one of the oldest rationales. Additionally, bad actors may attack water utilities because of what that utility supports. Water obviously is an input into supply chains and production chains. Everything from power generation to the cooling of data centers can be disrupted by disabling a water system.
Think about the impact on cloud computing where non-potable water is used to cool servers. It might not be front of mind to think about how knocking out a water facility would have these knock-on effects in other sectors. So, the objective of the attacker might be something downstream from the attacked entity, and that’s something we here at CISA try to keep in mind.
This is the reason why protecting water systems is a team sport. Water utilities are a vital service, which is why it’s important to have the government, their customers, private-sector partners and others collaborating to make sure that water systems get the support that they need.
UTILITY SECURITY MAGAZINE:
Blind spots are something we all experience in life. When it comes to security, however, blind spots can result in some unintended consequences. What sort of blind spots might some water utilities have that they should be made aware of?
MUSSINGTON:
I think a big one is the view by some that they are too small to be of any interest to attackers. They might just feel that they aren’t the target because they’re small and they’re perhaps far from an urban center or other important areas. The reality is that no water utility is too small or unimportant to potential adversaries. So, take yourself seriously. You can be targeted.
I think that the next big blind spot is that some view security with too narrow of a scope. You’ve got to have a more holistic view of security, not just cyber. It’s not physical, it’s cyber physical.
So, think about that cyber-physical convergence, such as how physical systems, valves and even gravity-fed water systems likely have some internet connectivity to them—and that the connectivity might be managed by a service provider who might not be in your city or your state. That means that if physical systems can be disrupted through cyber means, it also means vice versa.
Take that seriously as an integrated way of thinking about security. I would never separate cybersecurity from physical security in a water environment. It also means that you think systematically about recovery and resilience so that if you suffer a cyber-induced disruption to your service, you have thought about recovery scenarios that will help you restore services. And those recovery strategies are something CISA can help you with.
If it’s a physical disruption, that recovery scenario is different—a different recovery point, recovery timeline and input impact on your customers. When you combine those two together, you’ve got a more complex vulnerability space to manage, and vulnerability management is the key thing. You have to make judgments about what vulnerabilities you need to focus on, especially if you’re a small utility. And if you’re small, it might be a good idea to think about getting assistance from a different level of government or from an external contractor in order to understand what some economical, high-productivity security procedures might be.
One last blind spot I want to mention is that, as we move forward into the Internet of Things, there is a growth in the use of small wireless devices that may be connected to the water sector in various ways. For example, devices that provide control over valves and pressure and so on. Those devices need to be secure by design and secure by default.
As I stated earlier, you need to know where they come from. You need to know what software is running on them. You need to understand who is installing them. If you hire an external contractor to come onto your premises and start installing things, that means you are inviting someone in—hopefully someone whose background you have checked or who you trust to come into your physical facility—to do things which you may only partially understand.
So, know your suppliers and make sure that you try to stay up to date on what the recommended best practices are for maintaining security. One challenge you can have is that this can be exhausting because again, you’re a water utility. You’re not a security company, and the threat can seem overwhelming. But if you go out and get assistance, you can overcome that feeling of being overwhelmed and find a path to success.
UTILITY SECURITY MAGAZINE:
Final question: Using your crystal ball, can you look into the future and tell me what makes you feel more confident about the future of security for water utilities?
MUSSINGTON:
First of all, we’re better organized than we have ever been to provide security to water utilities. Because water is on everybody’s list as being a fundamental service to society and to American economic security goals, it is getting heightened prioritization. As recently as 10 years ago, we would have had to make a significant cyber and physical risk argument to get people’s attention. Thankfully, people today are more inclined to take action on security concerns because the risk is more present.
And second, there is more reporting, and that provides us with a better database against which we can check to see which best practices work. Because incidents have occurred, it gives people more insight into the implication of not addressing risks and makes them more incentivized to adopt proper preparedness.
We are also seeing much stronger network defense practices in infrastructure that we hadn’t seen before. The technology is better, it’s faster, and it’s a lot cheaper than it used to be.
That means that there are defensive possibilities that can be reinforced with the information from services that CISA and other governmental partners can provide, so that, at the end of the day, water systems have more options for their protection and more ability to be risk aware.
The last thing I’d like to mention is that CISA didn’t exist more than five years ago. Now, a dedicated federal agency is there to reinforce the work of Sector Risk Management Agencies (SRMAs)—and that has really upped our game quite considerably, especially for the nation’s water systems.
Water Utility Security Tools, Information, Assistance and Resources Offered by CISA
CISA offers a number of security resources that are tailored to the water and wastewater sector, including:
- An Incident Response Guide for Water and Wastewater Systems Sector Created by CISA, the FBI and EPA
- Free Cyber Vulnerability Scanning for Water Utilities
- Guidance on the Exploitation of Unitronics PLCs Used in Water and Wastewater Systems
- Secure by Design Alerts
- Regional offices that provide risk and risk mitigation advice, outreach, assessments and inspections, trainings, support and more
- Driven to Protect
- Threats on the Horizon: The Challenges of Securing the Nation’s Water Utilities and the Strategies to Overcome Them
- Are Assumptions Compromising Your Substation Security?
- The Emerging Cybersecurity Threats and Solutions of Artificial Intelligence (And Some Resources to Help Ready You for Both)
- Are You Prepared for the Next Attack?
- 5 Questions with Bomb Threat Expert Sean Haglund
- Are You Ready for a Drone Attack on Your Infrastructure?
- The Safety and Security Paradox
- From the Battle of Fallujah to Helping Utilities Respond to Active Shooter Incidents
- What is More Critical than Utilities?