Water system attacks spark calls for cybersecurity regulation

The bigger story: Water infrastructure is poorly protected

Although the water system exploitations generated the most attention, the attacks appeared scattershot and aimed at a wide variety of targets, including at least one brewery. “The threat actor did not target US-based wastewater and water systems,” Fabela said. “They targeted anything that was listening on this particular TCP port, and that’s it. These are targets of opportunity, and this is just the latest example where the bar is exceedingly low.”

“I don’t know that they were explicitly targeting water systems,” Kevin Morley, manager of federal relations at the American Water Works Association, tells CSO. “This was an opportunist attack on a fairly inexpensive device that is used across multiple sectors. If you’re in rail or transportation or something else, you’re like, ‘Oh, well, that’s a water thing. I don’t have to worry about it.’ No, no, no. This isn’t a water thing. This is a PLC control thing.”

Chronically underfunded water utilities, which lack the money or personnel to handle cybersecurity properly, are ripe for exploitation. The “bigger story is how poorly protected our water infrastructure is,” Hamilton says. “It says super bad things about our water sector and our ability to fend off this kind of stuff at a time when the population of threats is just getting out of control.”

“I feel bad for those mom-and-pop or small public utilities because they don’t have the money, they don’t have the resources,” Interim-President of InfraGard Houston Marco Ayala tells CSO. Miller agrees. “My biggest thought is water utilities are terribly underfunded for cybersecurity.”

Part of the problem is the sheer number of water utilities in the US, most of whom are small and barely break even. According to CISA, there are approximately 153,000 public drinking water systems and more than 16,000 publicly owned wastewater treatment systems in the United States. According to the EPA, 92% of public water systems serve 10,000 or fewer customers.

“The water sector is a local ratepayer-funded operation,” Morley says. “There is no capital federal subsidy in the water sector. This isn’t like highways.”

“Just get your crap off the internet”

The most important thing that organizations can do to ward off these kinds of attacks, aside from exercising proper cybersecurity hygiene, such as changing default passwords, is to ensure that their devices are not sitting unprotected on the internet. “Changing default passwords, I get it,” Miller says. “A lot of utilities don’t because maybe they’ve got a high level of churn in their environment, and they don’t want to go out and change passwords all the time. There are a lot of operational reasons why they may not want to change those things.” But, the most crucial thing “to minimize the need to do that is just get your crap off the internet.”

“What this is really about is how we’ve normalized connecting systems to the internet,” Ayala says. He advises that organization should “ensure your system is not traversing the internet and is not public facing” by going through a defined remote access connection point such as a VPN that’s been hardened and has protection such as multifactor authentication. “There are people that grow on trees nowadays that could come implement this for you for a reasonable cost, and the technology isn’t that expensive to purchase or maintain.”

A clarion call for new security regulations for the water industry

If any good comes from these recent attacks, it might be a renewed call to regulate the water industry’s cybersecurity practices. Water utilities lag behind the other top critical infrastructure sectors in terms of regulatory rules that might boost their cybersecurity hardiness. In March, under the US Environmental Protection Agency (EPA), the Biden administration established a new requirement for states to inspect water utilities’ cyber defenses but was forced to abandon that effort in October following a lawsuit by the Republican state attorneys general of Arkansas, Iowa, and Missouri.

“We’ve got to get the EPA re-engaged,” Hamilton says. “There’s no reason that the EPA can’t do this. And that was kind of a [bad] move by those states. The other sector-specific agencies are doing what they’re supposed to do, but the EPA got shouted down, and here’s what happened. They’re getting hacked.”

“I mean, if I were a regulator trying to regulate, I would seize that opportunity.,” Miller said. “I would use it as a poster event for why regulation should be put in. And I’m not saying that I’m a big fan of regulation. But, as a former regulator, this is the type of catalytic event that will almost always be used as a springboard or shim in the door to get the regulatory discussion moving again.”

Moreover, new regulations might help the water sector devote more funds to cybersecurity. “They don’t have the money,” Miller says. “Then they complain, well, we don’t have the money to meet the regulation, but you don’t get the money without it. It’s a chicken and egg situation, and it does come with some initial pain, handwringing, and heartburn. Still, we need minimums for critical infrastructure operators to be ‘this tall to ride’ from a security perspective. And the only way they’re going to get the money is if we put some regulatory minimums in place. I mean, that’s just a reality. It’s terrible, but it’s a reality.”