WATER
When the water sector runs as it should, wastewater is properly treated to avoid spread of disease; drinking water is safe for residents; and water is available for needs like firefighting, hospitals, and heating and cooling processes, per the Cybersecurity and Infrastructure Security Agency (CISA).
David Travers, director of the Water Infrastructure and Cyber Resilience Division of the Environmental Protection Agency (EPA), said some estimates find a three- to sevenfold increase in the number of cyber attacks against critical infrastructure, most of it ransomware. Some attacks have disrupted operations.
Water is an attractive target for attackers seeking attention, such as when Iran-linked Cyber Av3ngers sent a message by compromising water utilities that used a particular Israel-made device, said Tom Dobbins, CEO of the Association of Metropolitan Water Agencies (AMWA) and executive director of WaterISAC. Such attacks are likely to make headlines, both because they threaten a vital service and “because we’re more public, there’s more disclosure,” Dobbins said.
Targeting critical infrastructure could also be intended to divert attention: Russia-affiliated hackers, for example, could hypothetically aim to disrupt U.S. electric grids or water supply to redirect America’s focus and resources inward, away from Russia’s activities in Ukraine, suggested TJ Sayers, director of intelligence and incident response at the Center for Internet Security. Other hacks are part of long-term strategies: China-backed Volt Typhoon, for one, has reportedly sought footholds in U.S. water utilities’ IT systems that would let hackers cause disruption later, should geopolitical tensions rise.
From 2021 to 2023, water and wastewater systems saw a 300 percent increase in ransomware attacks.
Source: FBI Internet Crime Reports 2021-2023
And while some water systems can switch to entirely manual operations, others cannot. Rural utilities with limited budgets and staffing often rely on remote monitoring and controls that let one person supervise several water systems at once. Meanwhile, large, complicated systems may have an algorithm or one or two operators in a control room overseeing thousands of programmable logic controllers that constantly monitor and adjust water treatment and distribution. Switching to run such a system manually instead would take an “enormous increase in human presence,” Travers said.
“In a perfect world,” operational technology like industrial control systems wouldn’t directly connect to the Internet, Sayers said. He urged utilities to segment their operational technology from their IT networks to make it harder for hackers who penetrate IT systems to move over to affect operational technology and physical processes. Segmentation is especially important because a lot of operational technology runs old, customized software that may be difficult to patch or may no longer receive patches at all, making it vulnerable.
Some utilities struggle with cybersecurity. A 2021 Water Sector Coordinating Council survey found 40 percent of water and wastewater respondents did not address cybersecurity in their “overall risk assessments.” Just 31 percent had identified all their networked operational technology and just shy of 23 percent had implemented “cyber protection efforts” for identified networked IT and operational technology assets. Among respondents, 59 percent either did not conduct cybersecurity risk assessments, didn’t know if they conducted them or conducted them less than annually.
The EPA recently raised concerns, too. The agency requires community water systems serving more than 3,300 people to conduct risk and resilience assessments and maintain emergency response plans. But, in May 2024, the EPA announced that more than 70 percent of the drinking water systems it had inspected since September 2023 were failing to keep up with requirements. In some cases, they had “alarming cybersecurity vulnerabilities,” like leaving default passwords unchanged or letting former employees maintain access.
Some utilities assume they’re too small to be hit, not realizing that many ransomware attackers send out mass phishing attacks to net any victims they can, Dobbins said. Other times, regulations may push utilities to prioritize other matters first, like repairing physical infrastructure, said Jennifer Lyn Walker, director of infrastructure cyber defense at WaterISAC. Challenges ranging from natural disasters to aging infrastructure can distract from focusing on cybersecurity, and the workforce in the water sector is not traditionally trained on the subject, Travers said.
The 2021 survey found respondents’ most common needs were water sector-specific training and education, technical assistance and advice, cybersecurity threat information, and federal cybersecurity grants and loans. Larger systems — those serving more than 100,000 people — said their top challenge was “creating a cybersecurity culture,” while those serving 3,300 to 50,000 people said they most struggled with learning about threats and best practices.
But cyber improvements don’t have to be complicated or costly. Simple measures can prevent or mitigate even nation-state-affiliated attacks, Travers said, such as changing default passwords and removing former employees’ remote access credentials. Sayers urged utilities to also monitor for unusual activities, as well as follow other cyber hygiene steps like logging, patching and implementing administrative privilege controls.
There are no national cybersecurity requirements for the water sector, Travers said. However, some want this to change, and an April bill proposed having the EPA certify a separate organization that would develop and enforce cybersecurity requirements for water.
A few states like New Jersey and Minnesota require water systems to conduct cybersecurity assessments, Travers said, but most rely on a voluntary approach. This summer, the National Security Council urged each state to submit an action plan explaining their strategies for mitigating the most significant cybersecurity vulnerabilities in their water and wastewater systems. At time of writing, those plans were just coming in. Travers said insights from the plans will help the EPA, CISA and others determine what kinds of supports to provide.
The EPA also said in May that it’s working with the Water Sector Coordinating Council and Water Government Coordinating Council to create a task force to find near-term strategies for reducing cyber risk. And federal agencies offer supports like trainings, guidance and technical assistance, while the Center for Internet Security offers resources like free cybersecurity advising and security control implementation guidance. Technical assistance can be essential to enabling small utilities to implement some of the advice, Walker said. And awareness is important: For example, many of the organizations hit by Cyber Av3ngers didn’t know they needed to change the default device password that the hackers ultimately exploited, she said. And while grant money is helpful, utilities can struggle to apply or may be unaware that the money can be used for cyber.
“We need help to spread the word, we need help to potentially get the money, we need help to implement,” Walker said.
While cyber concerns are important to address, Dobbins said there’s no need for panic.
“We haven’t had a major, major incident. We’ve had disruptions,” Dobbins said. “People’s water is safe, and we’re continuing to work to make sure that it’s safe.”
Adobe Stock
ENERGY
“Without a stable energy supply, health and welfare are threatened and the U.S. economy cannot function,” CISA notes. But a cyber attack doesn’t even need to significantly disrupt capabilities to generate mass fear, said Mara Winn, deputy director of Preparedness, Policy and Risk Analysis at the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER). For example, the ransomware attack on Colonial Pipeline affected an administrative system — not the actual operating technology systems — but still spurred panic buying.
“If our population in the U.S. became anxious and uncertain about something that they take for granted right now, that can cause that societal panic, even if the physical ramifications or outcomes are maybe not highly consequential,” Winn said.
Ransomware is a major concern for electric utilities, and the federal government increasingly warns about nation-state actors, said Thomas Edgar, a cybersecurity research scientist at the Pacific Northwest National Laboratory. China-backed hacking group Volt Typhoon, for example, has reportedly installed malware on energy systems, seemingly seeking the ability to disrupt critical infrastructure should it get into a significant conflict with the U.S.
Traditional energy infrastructure can struggle with legacy systems and operators are often wary of upgrading, lest doing so cause disruptions, Daniel G. Cole, assistant professor in the University of Pittsburgh’s Department of Mechanical Engineering and Materials Science, previously told Government Technology. Meanwhile, modernizing to a distributed, greener energy grid expands the attack surface, in part because it introduces more players that all need to attend to security to keep the grid safe. Renewable energy systems also use remote monitoring and access controls, such as smart grids, to manage supply and demand. These tools make energy systems efficient, but any Internet connection is a potential access point for hackers. The nation’s demand for energy is growing, Edgar said, and so it’s important to adopt the cybersecurity necessary to enable the grid to become more efficient, with minimal risks.
The renewable energy grid’s distributed nature does bring some security and resiliency benefits: It allows for segmenting parts of the grid so an attack doesn’t spread and using microgrids to maintain local operations. Sayers, of the Center for Internet Security, noted that the sector’s decentralization is protective, too: Parts of it are owned by private companies, parts by local government and “a lot of the environments themselves are all different.” As such, there’s no single point of failure that could take down everything. Still, Winn said, the maturity of entities’ cyber postures varies.
Basic cyber hygiene, like careful password practices, can help defend against opportunistic ransomware attacks, Winn said. And shifting from a castle-and-moat mentality toward zero-trust approaches can help limit a hypothetical attackers’ impact, Edgar said. Utilities often lack the resources to just replace all their legacy equipment and so need to be targeted. Inventorying their software and its components will help utilities know what to prioritize for replacement and to quickly respond to any newly discovered software component vulnerabilities, Edgar said.
The White House is taking energy cybersecurity seriously, and its updated National Cybersecurity Strategy directs the Department of Energy to expand participation in the Energy Threat Analysis Center, a public-private program that shares threat analysis and insights. It also instructs the department to work with state and federal regulators, private industry, and other stakeholders on improving cybersecurity. CESER and a partner published minimum cyber baselines for electric distribution systems and distributed energy resources, and in June, the White House announced an international collaboration aimed at making a more cyber secure energy sector operational technology supply chain.
The sector is primarily in the hands of private owners and operators, but states and local governments have roles to play. Some local governments own utilities, and state public utility commissions usually regulate utilities’ rates, planning and terms of service.
CESER recently worked with state and territorial energy offices to help them update their energy security plans in light of current threats, Winn said. The division also connects states that are struggling in a cyber area with states from which they can learn or with others facing common challenges, to share ideas. Some states have cyber experts within their energy and regulation systems, but most don’t. CESER helps inform state utility commissioners about cybersecurity concerns, so they can weigh not just the price but also the potential cybersecurity costs when setting rates.
Efforts are also underway to help train up professionals with both cyber and operational technology specialties, who can best serve the sector. And researchers like those at the Pacific Northwest National Laboratory and various universities are working to develop new technologies to help in energy-sector cyber defense.
Adobe Stock
SPACE
Securing in-orbit satellites, ground systems and the communications between them is important for supporting everything from GPS navigation and weather forecasting to credit card processing, satellite Internet and cloud-based communications. Hackers could aim to disrupt these capabilities, force them to deliver falsified data, or even, theoretically, hack satellites in ways that cause them to overheat and explode.
The Space ISAC said in June that space systems face a “high” level of cyber and physical threat.
Nation-states may see cyber attacks as a less provocative alternative to physical attacks because there is little clear international policy on acceptable cyber behaviors in space. It also may be easier for perpetrators to get away with cyber attacks on in-orbit objects, because one cannot physically inspect the devices to see whether a failure was due to a deliberate attack or a more innocuous cause.
Cyber threats are evolving, but it’s difficult to upgrade deployed satellites’ software accordingly. Satellites may remain in orbit for a decade or more, and the legacy hardware limits how far their software can be remotely updated. Some modern satellites, too, are being designed without any cybersecurity components, to keep their size and costs low.
The government often turns to vendors for space technologies and so needs to manage third-party risks. The U.S. currently lacks consistent, baseline cybersecurity requirements to guide space companies. Still, efforts to improve are underway. As of May, a federal committee was working on developing minimum requirements for national security civil space systems procured by the federal government.
CISA launched the public-private Space Systems Critical Infrastructure Working Group in 2021 to develop cybersecurity recommendations.
In June, the group released recommendations for space system operators and a publication on opportunities to apply zero-trust principles in the sector. On the international stage, the Space ISAC shares information and threat alerts with its global members.
This summer also saw the U.S. working on an implementation plan for the principles detailed in the Space Policy Directive-5, the nation’s “first comprehensive cybersecurity policy for space systems.” This policy underlines the importance of operating securely in space, given the role of space-based technologies in powering terrestrial infrastructure like water and energy systems. It specifies from the outset that “it is essential to protect space systems from cyber incidents in order to prevent disruptions to their ability to provide reliable and efficient contributions to the operations of the nation’s critical infrastructure.”
This story originally appeared in the September/October 2024 issue of Government Technology magazine. Click here to view the full digital edition online.
