Water & Wastewater Utilities: Potential for Cyber Attacks
In keeping with last month’s theme of being prepared for emergencies, operators of water and wastewater processing facilities must keep in mind that Nature isn’t the only potential source of disasters. As we’ve seen all too often recently, humans can—and do now, on a regular basis—cause all kinds of mayhem. Most often, it’s not through anything more malignant than a missed deadline, a poor decision, or simple ignorance.
But more frequently, there is a disturbing trend toward intentional infliction of damage and disruption through terror attacks. Though the first thing to spring to mind when hearing that phrase, “terror attacks,” is something physical along the lines of a bombing or plane hijacking, lately the trend is in favor of cyber attacks.
Though these may be less deadly (but not necessarily) than direct physical violence, attacks on any organization’s digital network can have far more costly and long-ranging effects. In just the past couple weeks, networks from the Wall Street Journal to the New York Stock Exchange to the federal government’s internal human resources database itself have been unceremoniously hacked. In the past, hacking has been admitted by the Pentagon and major retail stores in America.
The bad news: No network is safe.
If these organizations can’t keep hackers out, it’s clear that everyone is vulnerable. You may think that no one would be interested in hacking water or wastewater plants, but you’d be wrong. All one need do is consider the kind of disruption that could occur if someone were able to breach operations of either of these types of networks, and it’s not hard to imagine the attraction to such an act by any number of ill-intentioned groups.
In fact, a recent article in Water Online says straight out that “cyberattacks pose a greater threat to water and wastewater utilities than most other industrial sectors.” The article is based on 159 reports issued last year by the Department of Homeland Security involving vulnerabilities in control systems components. The reports indicated that the “majority of vulnerabilities that were coordinated involved systems most commonly used in the Energy Sector, followed by Critical Manufacturing and Water and Wastewater.”
Another May 6 guest column in Water Online revealed the top six water infrastructure control system vulnerabilities, not making us feel any more secure.
The good news: Help is available.
Fortunately, the industry’s trade associations and concerned individuals have stepped up to help operators stay ahead of the threat. The American Water Works Association (AWWA) has hosted events such as their 2008 webcast, “Cyber Security: Roadmap for the Water Sector,” in 2008, and continues to drive awareness of and offer solutions to the challenge of cyber security.
Just days ago, Darian Slywka of eWON, S.A. encouraged proactivity in locking down Windows-based industrial control systems to combat the known threats in cyber espionage. He also authored an excellent piece titled “Water Cybersecurity: Alarming, Autodialers, And The Resistance To Change,” back in February of last year.
The latter directly addresses a built-in vulnerability that we create by not taking the initiative to understand the threats and their available preventive measures, and properly resourcing to make cyber security a priority. And he’s right: If ever there was a time when an ounce of prevention was worth a pound of cure, this is it.
Now is the time for action.
We at Sprayroq take a great deal of pride in helping you maintain your physical infrastructure, but we’re concerned about the very real potential damage to and disruption of your virtual networks, as well. It’s time for everyone in a position of authority to sit down with operators and take a long, hard look at their systems’ potential weak spots. It’s annoying, costly, even scary to think of employee privacy being invaded by a hack such as that in the federal government. But it’s truly terrifying to imagine the potentially deadly effects of the same thing happening to our nation’s water and wastewater control systems.
If “extortionware” can hold people’s local hard drives hostage for ransom payments (and it can and does, every day), then what kind of havoc could similar malware wreak on the collection and delivery systems that bring clean, fresh water to America’s homes and businesses, and take away and treat the used water? We don’t want to find out the hard way: The time to act is now.