Protecting America’s Water Infrastructure from Cyber Attacks

Water infrastructure is among the most critical sectors of national security, supporting public health, industry, and agriculture. However, as systems become increasingly connected through the Internet of Things (IoT) and other technologies, they also become vulnerable to cyberattacks. Recent incidents involving state and non-state actors have highlighted the need for robust cybersecurity measures to protect America’s water systems. This report outlines the threats, challenges, and recommendations for local, regional, and federal entities to prepare for and mitigate these risks. It also provides actionable strategies for municipalities to strengthen their internet-connected water systems.

Understanding the Threat Landscape

State and Non-state Actors

State-sponsored hackers and independent cybercriminals have both targeted water systems in the United States. In 2021, a high-profile cyberattack in Oldsmar, Florida, attempted to manipulate chemical levels in a water treatment plant, underscoring the vulnerabilities of these systems. Non-state actors, including ransomware groups, have also disrupted operations by locking operators out of their systems until payments were made.

Vulnerabilities in Internet-Connected Systems

Many water utilities have adopted Supervisory Control and Data Acquisition (SCADA) systems and IoT devices to enhance efficiency. While these systems provide critical data and remote control capabilities, they are also susceptible to attacks due to weak passwords, outdated software, and unprotected networks. In many cases, legacy systems were not designed with cybersecurity in mind, creating significant challenges.

Strategies for Local, Regional, and Federal Action

Local Level: Strengthening Municipal Systems

1. Conduct Risk Assessments Municipalities must conduct comprehensive cybersecurity risk assessments to identify vulnerabilities in their water infrastructure. This includes evaluating SCADA systems, network configurations, and access controls.
2. Implement Multi-Factor Authentication (MFA) Multi-factor authentication can prevent unauthorized access to critical systems. Municipalities should enforce MFA for all personnel accessing SCADA systems or sensitive data.
3. Upgrade Legacy Systems Outdated technology is a significant liability. Municipalities should allocate funding to replace legacy systems with modern, secure alternatives designed with cybersecurity in mind.
4. Employee Training and Awareness A well-informed workforce is critical. Training programs should focus on recognizing phishing attempts, understanding cyber hygiene, and responding to potential incidents.

Regional Level: Coordinating Resources and Expertise

1. Establish Regional Cybersecurity Centers Regional hubs can provide municipalities with access to shared resources, including cybersecurity expertise, threat intelligence, and incident response teams.
2. Facilitate Information Sharing Encouraging collaboration between neighboring utilities can improve awareness of emerging threats. Regional partnerships can foster the sharing of best practices and lessons learned from previous incidents.
3. Develop Mutual Aid Agreements Mutual aid agreements enable utilities to support each other during cyber incidents by sharing personnel, equipment, and expertise.

Federal Level: Setting Standards and Providing Support

1. Develop National Cybersecurity Standards for Water Systems The federal government should establish clear cybersecurity guidelines tailored to the water sector. This includes standards for encryption, network segmentation, and incident reporting.
2. Increase Funding for Cybersecurity Upgrades Federal grant programs can help underfunded municipalities improve their cybersecurity posture. The Water Infrastructure Improvements for the Nation (WIIN) Act and similar initiatives can be expanded to include specific cybersecurity funding.
3. Enhance Federal-Local Collaboration Agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) should work closely with local utilities to conduct audits, provide training, and develop incident response plans.

Strengthening Municipal Internet-Connected Water Systems

Network Security Measures

1. Implement Network Segmentation By separating operational technology (OT) networks from information technology (IT) networks, municipalities can reduce the risk of lateral movement during an attack.
2. Use Firewalls and Intrusion Detection Systems Advanced firewalls and intrusion detection systems can identify and block malicious traffic in real-time. Municipalities should deploy these tools to monitor network activity continuously.
3. Conduct Regular Penetration Testing Simulated attacks by cybersecurity professionals can identify vulnerabilities and weaknesses in water systems, allowing municipalities to address them proactively.

Data Protection

1. Encrypt Sensitive Data All data, both in transit and at rest, should be encrypted to protect it from unauthorized access.
2. Establish Robust Backup Procedures Regularly backing up critical data and systems ensures that municipalities can recover quickly in the event of a ransomware attack or other disruption.

Incident Response Preparedness

1. Develop and Test Incident Response Plans Municipalities should create detailed response plans for various cyberattack scenarios. Regular tabletop exercises and simulations can ensure readiness.
2. Establish Communication Protocols Clear communication protocols are essential during a cyber incident. These should include steps for notifying affected stakeholders, law enforcement, and federal agencies.

Vendor Management

1. Vet Third-Party Vendors Many cyberattacks exploit vulnerabilities in third-party software or hardware. Municipalities must ensure that vendors adhere to stringent cybersecurity standards.
2. Monitor Supply Chains Supply chain attacks are a growing threat. Regular audits and monitoring can reduce the risk of compromised equipment or software entering critical systems.

The Role of Emerging Technologies

Artificial Intelligence (AI) and Machine Learning

AI and machine learning can enhance threat detection by identifying anomalies and potential intrusions faster than traditional methods. These technologies can also automate routine security tasks, freeing up resources for more complex challenges.

Blockchain for Data Integrity

Blockchain technology offers a secure method for logging and verifying changes to water systems, ensuring data integrity and transparency.

Quantum-Resistant Cryptography

As quantum computing advances, municipalities must adopt encryption methods resistant to quantum-based attacks to future-proof their systems.

Conclusion: A Call to Action

Protecting America’s water infrastructure from cyber threats is a shared responsibility that requires collaboration across all levels of government and industry. Local municipalities must take proactive steps to secure their systems, while regional and federal entities provide the necessary support, resources, and regulations.

The stakes are high—cyberattacks on water systems can compromise public health, disrupt economies, and erode trust in essential services. By implementing the strategies outlined in this report, cybersecurity and water security professionals can work together to safeguard these vital systems for future generations.