Cybersecurity at U.S. Water Systems Is at Risk
Disrupting water treatment and storage, damaging pumps and valves, and increasing chemicals to dangerous levels. These were the goals of just three of the recent cybersecurity attacks on U.S. water systems, attempts by nation-state and cybercrime groups from Russia, China, and Iran to undermine critical infrastructure for financial or political gain—or just to show the havoc they can wreak.
Threats have hit systems of all sizes, not just larger suppliers, according to the U.S. Environmental Protection Agency (EPA). But targets are changing from information technology (IT) to operational technology (OT). In other words, hackers aren't simply upending water suppliers' computer networks by sending phishing emails or taking down websites—now, they're aiming directly at wastewater treatment and drinking water distribution.
That's a major concern for the EPA and the Cybersecurity and Infrastructure Security Agency (CISA). On May 20, 2024, the EPA issued an enforcement alert for drinking and wastewater systems to ensure they're prepared to address cyber threats. All systems serving 3,300 or more individuals must assess cyber vulnerabilities and revise their response plans every five years under Section 1433 of the Safe Drinking Water Act. The EPA will be increasing oversight of the requirements, conducting water infrastructure inspections, and taking civil and criminal enforcement actions.
Unfortunately, water testing labs are also subject to cyberattacks. Here's a look at the threats, the systems particularly at risk, and the measures you can take to lower risk and improve resilience.
Small Water Systems May Be Most Vulnerable to Cyberattacks
"Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices," the EPA and National Security Council said in a letter to state governors in March 2024.
The country has about 150,000 public water systems and 16,000 publicly owned wastewater systems, according to the EPA. Around 50,000 are community water systems, supplying the same population year-round, mostly in small towns. Others supply schools, office buildings, and health care facilities that have their own water systems, and some provide water on a transient basis.
Many public water systems serve fewer than 10,000 customers and struggle to provide clean water and manage changing regulations with only a few employees and small budgets. It's rare for systems to also have the technical expertise to deal with cybersecurity issues. That may help explain why 70% of the systems inspected by the EPA since September 2023 violated basic requirements of Safe Drinking Water Act (SDWA) Section 1433, including missing sections of risk and resilience assessments and emergency response plans. Failure to take these steps to safeguard operations leaves water systems open to imminent danger from cyber threats.
In addition to comprehensively evaluating cyber practices to identify vulnerabilities, governments need to implement other safeguards to stop hackers. Water testing labs continue to play a critical role in ensuring water safety and public health.
Cyber Hygiene Also Applies to Water Labs
Many water labs still test samples and report results in lab notebooks or spreadsheets. Most use computers, of course, and many now use a laboratory information management system (LIMS) as well to improve workflow and efficiency and ensure data traceability and integrity. However, all labs handle sensitive information and need to take measures to address cyber threats. Improving cyber hygiene can help. Basic cyber hygiene includes scanning files regularly with antivirus software, choosing strong, unique passwords to confound hackers, and keeping software and hardware updated.
For instance, some LIMS run on an on-premises server with the software installed there, meaning the lab needs to manage all software changes, patches, and bugs in-house. Web-based LIMS eliminate the need to manage software locally but still require close attention to data security since they're connected to the internet. Staff members need to make backups, scan for viruses, and record all activities to detect unauthorized data access or alteration.
Many of the measures that the EPA and CISA recommend water systems take to reduce cyber risk and improve resilience also apply to water labs. Here are the key recommendations, many of which are basic cyber hygiene:
- Conduct cybersecurity awareness training: Make sure all employees understand the importance of staying alert to cyber risks and preventing and responding to cyberattacks.
- Develop and exercise cybersecurity incident response and recovery plans: Before an incident occurs, make sure everyone knows how your water lab and employees should respond.
- Change default passwords immediately: Use unique, strong, and complex passwords for all devices, along with multifactor authentication that requires at least two steps to log into a platform.
- Reduce exposure to public-facing internet: Check the vulnerability of any device connected to the internet.
- Reduce exposure to vulnerabilities: Keep your systems, including LIMS, updated with patches and security updates.
- Conduct an inventory of assets and assess vulnerabilities: Inventory your software and hardware assets to understand what you need to protect and any existing vulnerabilities, then make a plan to address them.
- Back up your systems: Regularly back up all systems to ensure you can recover to a known, safe state if your lab is compromised. The National Institute of Standards and Technology has a 3-2-1 rule for backups: keep three copies (a primary and two backups), keep backups on two different media types, and store one copy off-site.
All water testing labs have been entrusted with a huge responsibility to preserve public health. A vital element of that is taking cybersecurity seriously. Hackers can sabotage your operation with malicious emails and corrupted websites, stolen customer data and financial information, ransomware and malware attacks, and compromised test results. With a plan encompassing every step from awareness to action, you have the best chance of keeping your lab and customers safe.