Cybersecurity in Water Labs and Utilities Requires Constant Vigilance

In November 2024, the Environmental Protection Agency (EPA) released its Management Implication Report detailing cybersecurity concerns related to drinking water systems. The agency assessed vulnerabilities in 1,062 drinking water systems serving 193 million people. The report identified routes an attacker could exploit to disrupt system function, cause loss or denial of service, and enable the theft of proprietary information.

Let's explore threats to cybersecurity in water labs and utilities and actionable steps to improve defenses.

Cyber Attackers Employ a Range of Tactics Against the Water Sector

Cybersecurity refers to the practices and technologies designed to protect systems, networks, and data from cyber attackers. For water utilities, this involves safeguarding operational technology (OT) systems—such as Supervisory Control and Data Acquisition (SCADA) systems—that monitor and control water treatment and distribution processes. In addition, utilities and test labs must protect information technology (IT) systems that manage water quality testing, customer information, and billing data.

Water utilities and labs are vulnerable to a range of cyberthreats from both outside and inside the organization:

• Unauthorized access to control systems: Attackers can exploit SCADA systems to change water and wastewater treatment processes, potentially impairing water quality and public health. Unsecured Human Machine Interface devices are a common vulnerability, which could allow unauthorized users to alter system settings.
• Ransomware attacks: Cybercriminals use ransomware to encrypt critical data, making systems unreadable until victims pay a ransom. These attacks can interrupt service and disrupt billing systems, data analysis, and operational controls.
• Phishing and social engineering: Attackers use deceptive language, especially in emails, to trick employees into revealing sensitive information or enabling access to IT networks. These tactics can also serve as entry points into the OT network for a more damaging attack.
• Insider threats: Unhappy or inattentive employees with access to critical systems can cause significant harm, whether intended or not, including data breaches or system disruptions.
• Supply chain vulnerabilities: Third-party vendors for software and hardware that lack robust cybersecurity can introduce attack points into your systems.

Strengthening Cyber Defense Requires a Multilayered Approach

To guard against cyberthreats, water utilities and testing laboratories can implement the following measures:

• Conduct comprehensive risk assessments. Evaluate both physical and cyber vulnerabilities regularly. EPA provides resources like the "Baseline Information on Malevolent Acts for Community Water Systems" to help identify potential attacks.
• Develop and update emergency response plans (ERPs). Plans should address procedures for detecting, responding, and recovering from cyber incidents. America's Water Infrastructure Act (AWIA) requires community water systems serving more than 3,300 people to maintain ERPs that incorporate findings from risk and resilience assessments, including cybersecurity considerations.
• Implement network segmentation. Separating IT and OT networks can limit the spread of cyberthreats. This approach ensures that a compromise in one network does not directly affect the other.
• Adopt strong access controls. Use multi-factor authentication and access based on employee roles to ensure only authorized personnel can work in protected systems.
• Provide regular staff training. Educate employees about cybersecurity best practices, including recognizing phishing attempts and following security protocols. EPA's Water Laboratory Alliance offers resources to enhance lab preparedness and response.
• Monitor continuously. Establish real-time network monitoring and develop clear incident response plans. EPA's Water Quality Surveillance and Response System helps utilities detect and respond to water quality issues, including those arising from cyber incidents.
• Collaborate with industry and government partners. Participating in organizations like the Water Information Sharing and Analysis Center can provide timely threat intelligence and best practices. EPA and Cybersecurity and Infrastructure Security Agency (CISA) also offer technical assistance and resources tailored to the water sector.

Cybersecurity Depends on Continuous Vigilance

As cyberthreats escalate, so does the need for robust cybersecurity at water labs and utilities. Be vigilant about conducting risk assessments, enforcing robust access controls, continuously monitoring systems, and collaborating with industry and government partners to protect against cyber threats and ensure water services remain safe and reliable.